feat: Vulnerable expansions checker

2023-10-28 11:21:43 +02:00 · 2023-10-28 11:21:43 +02:00 · a8bbfc2566
parent 1f57f97c21
commit a8bbfc2566
4 changed files with 81 additions and 2 deletions
--- a/src/main/java/me/clip/placeholderapi/configuration/PlaceholderAPIConfig.java
+++ b/src/main/java/me/clip/placeholderapi/configuration/PlaceholderAPIConfig.java
@ -57,6 +57,13 @@ public final class PlaceholderAPIConfig {
    return plugin.getConfig().getBoolean("debug", false);
  }

+  public boolean checkVulnerableExpansions() {
+    return plugin.getConfig().getBoolean("check_vulnerable_expansions");
+  }
+
+  public boolean preventVulnerableExpansions() {
+    return plugin.getConfig().getBoolean("prevent_vulnerable_expansions");
+  }

  public Optional<ExpansionSort> getExpansionSort() {
    final String option = plugin.getConfig()
@ -90,4 +97,5 @@ public final class PlaceholderAPIConfig {
    return plugin.getConfig().getString("boolean.false", "false");
  }

+
 }
--- a/src/main/java/me/clip/placeholderapi/expansion/manager/LocalExpansionManager.java
+++ b/src/main/java/me/clip/placeholderapi/expansion/manager/LocalExpansionManager.java
@ -38,6 +38,8 @@ import java.util.concurrent.CompletionException;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.stream.Collectors;
+
+import me.clip.placeholderapi.PlaceholderAPI;
 import me.clip.placeholderapi.PlaceholderAPIPlugin;
 import me.clip.placeholderapi.events.ExpansionRegisterEvent;
 import me.clip.placeholderapi.events.ExpansionUnregisterEvent;
@ -52,6 +54,7 @@ import me.clip.placeholderapi.expansion.cloud.CloudExpansion;
 import me.clip.placeholderapi.util.FileUtil;
 import me.clip.placeholderapi.util.Futures;
 import me.clip.placeholderapi.util.Msg;
+import me.clip.placeholderapi.util.ValidateUtil;
 import org.bukkit.Bukkit;
 import org.bukkit.command.CommandSender;
 import org.bukkit.configuration.file.FileConfiguration;
@ -175,11 +178,20 @@ public final class LocalExpansionManager implements Listener {
      if(expansion == null){
        return Optional.empty();
      }
-      
+
      Objects.requireNonNull(expansion.getAuthor(), "The expansion author is null!");
      Objects.requireNonNull(expansion.getIdentifier(), "The expansion identifier is null!");
      Objects.requireNonNull(expansion.getVersion(), "The expansion version is null!");
-      
+
+      if(PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig().checkVulnerableExpansions() && ValidateUtil.checkExpansion(expansion)) {
+        Msg.warn("Warning expansion %s contains a security vulnerability!", expansion.getIdentifier());
+        Msg.warn("Please update or remove it to prevent security issues.");
+        Msg.warn("If you think this is an error, disable this warning at config.yml.");
+        if(PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig().preventVulnerableExpansions()) {
+          return Optional.empty();
+        }
+      }
+
      if (expansion.getRequiredPlugin() != null && !expansion.getRequiredPlugin().isEmpty()) {
        if (!Bukkit.getPluginManager().isPluginEnabled(expansion.getRequiredPlugin())) {
          Msg.warn("Cannot load expansion %s due to a missing plugin: %s", expansion.getIdentifier(),
--- a/src/main/java/me/clip/placeholderapi/util/ValidateUtil.java
+++ b/src/main/java/me/clip/placeholderapi/util/ValidateUtil.java
@ -0,0 +1,57 @@
+/*
+ * This file is part of PlaceholderAPI
+ *
+ * PlaceholderAPI
+ * Copyright (c) 2015 - 2021 PlaceholderAPI Team
+ *
+ * PlaceholderAPI free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * PlaceholderAPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package me.clip.placeholderapi.util;
+
+import me.clip.placeholderapi.expansion.PlaceholderExpansion;
+
+import java.util.Arrays;
+import java.util.List;
+
+public class ValidateUtil {
+
+    private static final List<String> vulnerableExpansions = Arrays.asList(
+            "JavaScript",
+            "StaffFacilities",
+            "Groopi",
+            "Minepacks",
+            "fetch",
+            "Spigotlobby"
+    );
+
+    private static final List<String> expansionVersions = Arrays.asList(
+            "2.1.2",
+            "1.4.4",
+            "ALL",
+            "1.0.7",
+            "ALL",
+            "ALL"
+    );
+
+    public static boolean checkExpansion(final PlaceholderExpansion expansion) {
+        final String expansionName = expansion.getIdentifier();
+        if(!vulnerableExpansions.contains(expansionName)) {
+            return false;
+        }
+
+        final String expansionVersion = expansionVersions.get(vulnerableExpansions.indexOf(expansionName));
+        return expansionVersion.equals("ALL") || !expansionVersion.equals(expansion.getVersion());
+    }
+}
--- a/src/main/resources/config.yml
+++ b/src/main/resources/config.yml
@ -12,6 +12,8 @@ check_updates: true
 cloud_enabled: true
 cloud_sorting: "name"
 cloud_allow_unverified_expansions: false
+check_vulnerable_expansions: true
+prevent_vulnerable_expansions: true
 boolean:
  'true': 'yes'
  'false': 'no'