Tab Complete Crash Check

Blocks malicious tab-completion packets that crash servers.

What It Does

This check validates tab-completion packets sent when players press TAB to autocomplete commands. Malformed tab-completion packets are one of the most common and effective server crash exploits.

The Exploit

When you press TAB in chat, your client sends a packet asking the server for command suggestions. The server processes this packet and responds with available completions. Attackers exploit this by:

  • Sending extremely long command strings (thousands of characters)
  • Including special characters that break the parser
  • Nesting commands with complex argument structures
  • Sending malformed UTF-8 sequences
  • Flooding tab-complete requests

Why It's Dangerous

Tab-complete crash exploits are particularly severe because:

  • Instant crash - Server crashes immediately, no warning
  • Easy to execute - Exploit clients have one-click tab-crash features
  • Widespread - Works on unpatched Paper, Spigot, and vanilla servers
  • Hard to trace - Crash happens before logging can complete

How It Works

GAPE intercepts tab-complete packets before they reach Minecraft's command handler and validates:

  • String length - Rejects commands over 256 characters
  • Character validity - Blocks special characters and control codes
  • UTF-8 validity - Ensures proper encoding
  • Rate limiting - Prevents tab-complete spam
  • Nesting depth - Limits command argument nesting

What It Protects Against

Length-Based Crashes

Sending tab-complete packets with 10,000+ character strings causes memory exhaustion and stack overflow errors.

Unicode Exploits

Special Unicode characters or invalid UTF-8 sequences that break the string parser.

Command Injection

Attempting to inject multiple commands or arguments to confuse the parser.

Resource Exhaustion

Rapidly sending hundreds of tab-complete requests to consume CPU processing command suggestions.

Configuration Options

Maximum Command Length

Set the maximum allowed length for tab-complete commands:

  • 256 characters: Default, vanilla Minecraft limit
  • 512 characters: If you have plugins with very long commands
  • 128 characters: Extra strict for maximum protection

Rate Limit

Maximum tab-complete requests per second:

  • 5 per second: Default, allows normal usage
  • 10 per second: Lenient, for fast typers
  • 3 per second: Strict protection

Violation Action

  • Cancel packet: Always enable (default)
  • Kick on violation: Recommended for automatic protection
  • Alert staff: Enable to catch attempted exploits

False Positives

This check rarely causes false positives. Potential edge cases:

  • Very long plugin commands: Increase max length to 512
  • Fast command typing: Increase rate limit to 10/s
  • Certain keyboard layouts: May send unusual characters

Why This Check Is Critical

Tab-complete exploits are one of the top 3 server crash methods. Without this protection:

  • Anyone with an exploit client can crash your server instantly
  • Crashes happen with no warning or error message
  • Server requires manual restart each time
  • Extremely disruptive to gameplay

Performance Impact

Tab-complete validation is very lightweight:

  • Per-packet: ~100ns
  • Only triggered: When players press TAB
  • Memory: Negligible

Best Practices

  • Always keep enabled: This is a critical security check
  • Set violation threshold to 1: No tolerance for tab-crash attempts
  • Enable auto-kick: Immediately remove exploiters
  • Alert staff: Know when someone attempts this exploit
  • Log violations: Track who is trying to crash the server
Warning: Disabling this check leaves your server vulnerable to one of the most common and effective crash exploits. Keep it enabled at all times.