Validate console input before passing it to the server

metabrixkt · metabrixkt · commit 375a11435fca · 2025-08-31T15:45:05.000+05:00
diff --git a/paper-server/src/main/java/com/destroystokyo/paper/console/PaperConsole.java b/paper-server/src/main/java/com/destroystokyo/paper/console/PaperConsole.java
@@ -3,8 +3,12 @@
 import io.papermc.paper.configuration.GlobalConfiguration;
 import io.papermc.paper.console.BrigadierCompletionMatcher;
 import io.papermc.paper.console.BrigadierConsoleParser;
+import net.kyori.adventure.text.Component;
+import net.kyori.adventure.text.format.NamedTextColor;
 import net.minecraft.server.dedicated.DedicatedServer;
+import net.minecraft.util.StringUtil;
 import net.minecrell.terminalconsole.SimpleTerminalConsole;
+import org.bukkit.Bukkit;
 import org.bukkit.craftbukkit.command.ConsoleCommandCompleter;
 import org.jline.reader.LineReader;
 import org.jline.reader.LineReaderBuilder;
@@ -45,12 +49,23 @@ protected void runCommand(String command) {
         // terminals interpret pressing [enter] and pasting a multi-line string differently,
         // the latter makes the line reader read it as a single line - and we don't want that
         // https://github.com/PaperMC/Paper/issues/13006
-        for (String line : command.split("\n")) {
-            if (line.isEmpty()) {
-                continue;
-            }
-            this.server.handleConsoleInput(line, this.server.createCommandSourceStack());
-        }
+        command.lines()
+            .filter(line -> !line.isEmpty())
+            .forEach(line -> {
+                for (char character : line.toCharArray()) {
+                    if (!StringUtil.isAllowedChatCharacter(character)) {
+                        Bukkit.getConsoleSender().sendMessage(
+                            Component.text()
+                                .append(Component.text("Illegal console input character: 0x"))
+                                .append(Component.text(Integer.toHexString(character)))
+                                .color(NamedTextColor.RED)
+                        );
+                        return;
+                    }
+                }
+
+                this.server.handleConsoleInput(line, this.server.createCommandSourceStack());
+            });
     }
 
     @Override
