Merge pull request cabaletta#4720 from ZacSharp/pr/1.19.4/commands/preventRemoteCommandExecution

Don't let servers trick users into running arbitrary Baritone commands

Author: leijurv

src/launch/java/baritone/launch/mixins/MixinScreen.java

@@ -21,17 +21,19 @@
 import baritone.api.IBaritone;
 import baritone.api.event.events.ChatEvent;
 import baritone.utils.accessor.IGuiScreen;
+import net.minecraft.client.gui.screens.Screen;
 import net.minecraft.network.chat.ClickEvent;
 import net.minecraft.network.chat.Style;
 import org.spongepowered.asm.mixin.Mixin;
 import org.spongepowered.asm.mixin.gen.Invoker;
-
-import java.net.URI;
-import net.minecraft.client.gui.screens.Screen;
 import org.spongepowered.asm.mixin.injection.At;
 import org.spongepowered.asm.mixin.injection.Inject;
 import org.spongepowered.asm.mixin.injection.callback.CallbackInfoReturnable;
 
+import java.net.URI;
+
+import static baritone.api.command.IBaritoneChatControl.FORCE_COMMAND_PREFIX;
+
 @Mixin(Screen.class)
 public abstract class MixinScreen implements IGuiScreen {
 
@@ -47,9 +49,13 @@ public void handleCustomClickEvent(Style style, CallbackInfoReturnable<Boolean>
         if (clickEvent == null) {
             return;
         }
+        String command = clickEvent.getValue();
+        if (command == null || !command.startsWith(FORCE_COMMAND_PREFIX)) {
+            return;
+        }
         IBaritone baritone = BaritoneAPI.getProvider().getPrimaryBaritone();
         if (baritone != null) {
-            baritone.getGameEventHandler().onSendChatMessage(new ChatEvent(clickEvent.getValue()));
+            baritone.getGameEventHandler().onSendChatMessage(new ChatEvent(command));
         }
         cir.setReturnValue(true);
         cir.cancel();