Sign Exploit Check

Detects and blocks malicious NBT data in sign update packets.

What It Does

This check validates sign text and NBT data when players create or edit signs. Signs are a common exploit vector because any player can place one, the client controls the contents of the update packet, and the text can carry formatted JSON components with embedded click and hover events.

The Exploit

When you place a sign and type text, your client sends a packet containing the sign's text and formatting. Attackers exploit this by:

  • Sending extremely long text on sign lines
  • Including deeply nested JSON formatting codes
  • Embedding clickEvent or hoverEvent commands in sign NBT
  • Using special Unicode characters to break parsing
  • Sending malformed NBT structures

Why It's Dangerous

  • Server crashes - Malformed sign NBT can crash the server
  • Lag exploitation - Complex formatting causes lag when signs are loaded
  • Command injection - A hidden run_command clickEvent executes its command whenever a player clicks the sign
  • Chat exploits - Special formatting can break chat rendering

How It Works

GAPE validates every sign update packet:

  • Line length - Each line limited to 96 characters (4 lines = 384 total)
  • Total NBT size - Sign packet NBT limited to 2KB
  • JSON validation - Formatted text must be valid JSON
  • Nesting depth - JSON can't be nested more than 5 levels deep
  • Event validation - clickEvent and hoverEvent content checked
  • Character validation - Blocks control characters and invalid UTF-8

What It Protects Against

Sign Crash Exploits

Signs with 10,000+ character lines or deeply nested formatting that crash the server when processed.

NBT Injection

Malicious NBT data embedded in sign packets to exploit NBT parser vulnerabilities.

Command Execution

Signs with clickEvent set to run_command and a dangerous command as the value; the command runs when a player clicks the sign.

Unicode Exploits

Special Unicode sequences that break rendering or exploit text processing bugs.

Validation Details

Text Content

  • Maximum 96 characters per line
  • Maximum 384 characters total
  • No control characters (0x00-0x1F except newline)
  • Valid UTF-8 encoding only

JSON Formatting

  • Must be well-formed JSON if formatted text is used
  • Maximum 5 levels of nesting
  • No circular references
  • Standard Minecraft text format only

NBT Structure

  • Maximum 2KB total sign NBT size
  • Standard Minecraft sign NBT schema
  • No unexpected or unknown NBT tags
  • Proper NBT types for all fields

Events

  • clickEvent actions limited to: open_url, suggest_command, change_page
  • run_command blocked by default (configurable)
  • hoverEvent limited to show_text and show_item
  • Event values validated for proper format

Configuration Options

Maximum Line Length

  • 96 characters: Default (recommended)
  • 128 characters: Allow slightly longer signs
  • 64 characters: Extra strict

Maximum NBT Size

  • 2KB: Default, allows vanilla signs + basic formatting
  • 4KB: For signs with complex formatting
  • 1KB: Strict protection

Allow Click Events

  • Safe only: Allow open_url, suggest_command and change_page (recommended)
  • All: Allow run_command (risky)
  • None: Block all clickEvents

Violation Threshold

  • 1-2: Strict, a single violation flags the player
  • 3: Balanced (default)
  • 5+: Lenient

False Positives

Rare with proper configuration. Potential causes:

  • Plugin signs: Some plugins create signs with complex NBT
  • Copied signs: Copying vanilla signs with formatting
  • Unicode text: Legitimate Unicode in sign text

Solution: Whitelist trusted players or increase NBT size limit slightly.

Common Attack Patterns

Line Overflow Crash

Sending a sign with a single line of 50,000 characters, which can crash or stall the server while it processes the text. The per-line length limit rejects such a packet before the text is processed.

JSON Bomb

Deeply nested JSON formatting (20+ levels, far beyond the 5-level limit) intended to exhaust the stack of a recursive parser. The nesting limit rejects it.

Command Injection

A sign whose clickEvent action is run_command with a value such as /op attacker, or another dangerous command. The command runs each time a player clicks the sign, so one crafted sign in a busy area turns every click into a command execution.
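As an added example (this is not GAPE's code and does not appear on the original page), the following Python models the rules listed under Validation Details and runs the three attack patterns described in this section through them. The limits, the allowed clickEvent and hoverEvent actions and the violation threshold come from this page; the packet shape (four byte strings, one per line), the function and class names, the component key allowlist and the use of payload bytes to approximate NBT size are assumptions made for illustration. The sample packets are constructed, not captured traffic.

```python
# Added example modelling this page's sign validation rules; not GAPE's code.
import json
from dataclasses import dataclass

# Keys a vanilla text component may carry (common subset; extend for your version).
COMPONENT_KEYS = {
    "text", "translate", "with", "score", "selector", "keybind", "nbt", "extra",
    "color", "font", "bold", "italic", "underlined", "strikethrough", "obfuscated",
    "insertion", "clickEvent", "hoverEvent",
}
SAFE_CLICK_ACTIONS = {"open_url", "suggest_command", "change_page"}
SAFE_HOVER_ACTIONS = {"show_text", "show_item"}

@dataclass(frozen=True)
class SignCheckConfig:
    max_line_length: int = 96      # characters per line
    max_total_length: int = 384    # characters across all four lines
    max_nbt_bytes: int = 2048      # 2KB, approximated here by the payload bytes (assumption)
    max_json_depth: int = 5        # nesting levels, measured as bracket depth (assumption)
    allow_run_command: bool = False
    violation_threshold: int = 3

def bracket_depth(text: str) -> int:
    """Iterative bound on JSON nesting: counts {} and [] outside string literals.
    O(n) and recursion-free, so it is safe on untrusted input before any parser runs."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "}]":
            depth -= 1
    return deepest

def check_component(node, cfg: SignCheckConfig, out: list) -> None:
    """Walk a parsed component; depth was bounded beforehand, so recursion is safe."""
    if isinstance(node, str):
        return
    if isinstance(node, list):
        for item in node:
            check_component(item, cfg, out)
        return
    if not isinstance(node, dict):
        out.append(f"component must be string, list or object, not {type(node).__name__}")
        return
    for key in node:
        if key not in COMPONENT_KEYS:
            out.append(f"unknown component key {key!r}")
    click_allowed = SAFE_CLICK_ACTIONS | ({"run_command"} if cfg.allow_run_command else set())
    for name, allowed in (("clickEvent", click_allowed), ("hoverEvent", SAFE_HOVER_ACTIONS)):
        event = node.get(name)
        if event is None:
            continue
        if not isinstance(event, dict):
            out.append(f"{name} must be an object")
        elif event.get("action") not in allowed:
            out.append(f"{name} action {event.get('action')!r} not allowed")
        elif name == "clickEvent" and not isinstance(event.get("value"), str):
            out.append("clickEvent value must be a string")
    for child in ("extra", "with"):
        if child in node:
            check_component(node[child], cfg, out)

def validate_sign_packet(raw_lines: list, cfg: SignCheckConfig = SignCheckConfig()) -> list:
    """Return the violations for one sign update (empty list means accepted).
    raw_lines models the four line strings of the packet as received bytes."""
    out = []
    if len(raw_lines) != 4:
        out.append(f"expected 4 lines, got {len(raw_lines)}")
    if sum(len(raw) for raw in raw_lines) > cfg.max_nbt_bytes:
        out.append(f"payload exceeds {cfg.max_nbt_bytes} bytes")
    total = 0
    for i, raw in enumerate(raw_lines):
        try:
            line = raw.decode("utf-8")
        except UnicodeDecodeError:
            out.append(f"line {i}: invalid UTF-8")
            continue
        total += len(line)
        if len(line) > cfg.max_line_length:
            out.append(f"line {i}: {len(line)} chars exceeds {cfg.max_line_length}")
            continue  # never parse an oversized line
        if any(ord(c) < 0x20 and c != "\n" for c in line):
            out.append(f"line {i}: control character")
        if line.startswith(("{", "[")):  # formatted (JSON component) text
            depth = bracket_depth(line)
            if depth > cfg.max_json_depth:
                out.append(f"line {i}: JSON depth {depth} exceeds {cfg.max_json_depth}")
                continue  # rejected before json.loads ever recurses into it
            try:
                check_component(json.loads(line), cfg, out)
            except ValueError:
                out.append(f"line {i}: malformed JSON")
    if total > cfg.max_total_length:
        out.append(f"total {total} chars exceeds {cfg.max_total_length}")
    return out

class SignExploitCheck:
    """Per-player violation counter on top of the validator."""
    def __init__(self, cfg: SignCheckConfig = SignCheckConfig()):
        self.cfg = cfg
        self.violations = {}

    def handle_packet(self, player: str, raw_lines: list) -> list:
        reasons = validate_sign_packet(raw_lines, self.cfg)
        if reasons:
            self.violations[player] = self.violations.get(player, 0) + 1
        return reasons

    def is_flagged(self, player: str) -> bool:
        return self.violations.get(player, 0) >= self.cfg.violation_threshold

# Constructed sample packets mirroring the attack patterns described on this page.
BENIGN = [b"Welcome to", b"the server!", b"", b""]
LINK = [b'{"text":"Rules","clickEvent":{"action":"open_url","value":"https://example.com"}}', b"", b"", b""]
LINE_OVERFLOW = [b"A" * 50000, b"", b"", b""]
JSON_BOMB = [b"[" * 20 + b"]" * 20, b"", b"", b""]
COMMAND_INJECTION = [b'{"text":"Click","clickEvent":{"action":"run_command","value":"/op attacker"}}', b"", b"", b""]
BAD_UTF8 = [b"\xff\xfe", b"", b"", b""]
```

The ordering is the point of the example: byte-level checks (UTF-8, size, line length) run first, then a linear bracket-depth scan bounds the nesting, and only then is the line handed to json.loads and the recursive component walk. That way the JSON bomb and the line overflow never reach the recursive parser, and run_command is rejected by an allow-list of actions rather than by looking for specific dangerous commands, so a sign with run_command and a harmless-looking value is still blocked unless the operator opts in.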

Performance Impact

  • Per sign update: ~200ns validation time
  • Only triggered: When players create/edit signs
  • Memory: Negligible

Best Practices

  • Keep enabled on all servers
  • Use the default line length limit unless you have a specific need for longer signs
  • Block run_command clickEvents unless required by plugins
  • Set violation threshold to 3 for balance
  • Enable alerts to catch repeated exploit attempts
  • Monitor logs for patterns of malicious signs

Note: This check works together with NBT Validation. Sign validation is specific to sign packets, while NBT Validation covers all NBT data.