From a8bbfc256668620bb6fbaf3ed61b0d1c802fdb17 Mon Sep 17 00:00:00 2001 From: TypicalModMaker Date: Sat, 28 Oct 2023 11:21:43 +0200 Subject: [PATCH] feat: Vulnerable expansions checker
---
.../configuration/PlaceholderAPIConfig.java | 8 +++ .../manager/LocalExpansionManager.java | 16 +++++- .../placeholderapi/util/ValidateUtil.java | 57 +++++++++++++++++++ src/main/resources/config.yml | 2 + 4 files changed, 81 insertions(+), 2 deletions(-) create mode 100644 src/main/java/me/clip/placeholderapi/util/ValidateUtil.java
diff --git a/src/main/java/me/clip/placeholderapi/configuration/PlaceholderAPIConfig.java b/src/main/java/me/clip/placeholderapi/configuration/PlaceholderAPIConfig.java
index e10733e..ce34af1 100644
--- a/src/main/java/me/clip/placeholderapi/configuration/PlaceholderAPIConfig.java
+++ b/src/main/java/me/clip/placeholderapi/configuration/PlaceholderAPIConfig.java
@@ -57,6 +57,13 @@ public final class PlaceholderAPIConfig {
 return plugin.getConfig().getBoolean("debug", false);
 }
 
+ public boolean checkVulnerableExpansions() {
+ return plugin.getConfig().getBoolean("check_vulnerable_expansions");
+ }
+
+ public boolean preventVulnerableExpansions() {
+ return plugin.getConfig().getBoolean("prevent_vulnerable_expansions");
+ }
 
 public Optional getExpansionSort() {
 final String option = plugin.getConfig()
@@ -90,4 +97,5 @@ public final class PlaceholderAPIConfig {
 return plugin.getConfig().getString("boolean.false", "false");
 }
 
+
 }
diff --git a/src/main/java/me/clip/placeholderapi/expansion/manager/LocalExpansionManager.java b/src/main/java/me/clip/placeholderapi/expansion/manager/LocalExpansionManager.java
index 8e6cbd0..8ff0e61 100644
--- a/src/main/java/me/clip/placeholderapi/expansion/manager/LocalExpansionManager.java
+++ b/src/main/java/me/clip/placeholderapi/expansion/manager/LocalExpansionManager.java
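Review bot: `checkVulnerableExpansions()` and `preventVulnerableExpansions()` call `getBoolean(path)` with no default, so on a server whose config.yml predates these keys both return false and the new check is silently off, even though the shipped config.yml defaults both keys to true. Unless the plugin copies defaults into existing configs (not visible here), pass the default explicitly, as the `debug` getter directly above does: `return plugin.getConfig().getBoolean("check_vulnerable_expansions", true);` and `return plugin.getConfig().getBoolean("prevent_vulnerable_expansions", true);`. Both public accessors also lack Javadoc, e.g. `/** Whether expansions are matched against the list of known-vulnerable releases before being registered. */` and `/** Whether an expansion matched by that list is refused instead of only warned about. */`. The second hunk of this file only adds a blank line.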
@@ -38,6 +38,8 @@ import java.util.concurrent.CompletionException;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.stream.Collectors;
+
+import me.clip.placeholderapi.PlaceholderAPI;
 import me.clip.placeholderapi.PlaceholderAPIPlugin;
 import me.clip.placeholderapi.events.ExpansionRegisterEvent;
 import me.clip.placeholderapi.events.ExpansionUnregisterEvent;
@@ -52,6 +54,7 @@ import me.clip.placeholderapi.expansion.cloud.CloudExpansion;
 import me.clip.placeholderapi.util.FileUtil;
 import me.clip.placeholderapi.util.Futures;
 import me.clip.placeholderapi.util.Msg;
+import me.clip.placeholderapi.util.ValidateUtil;
 import org.bukkit.Bukkit;
 import org.bukkit.command.CommandSender;
 import org.bukkit.configuration.file.FileConfiguration;
@@ -175,11 +178,20 @@ public final class LocalExpansionManager implements Listener {
 if(expansion == null){
 return Optional.empty();
 }
-
+
 Objects.requireNonNull(expansion.getAuthor(), "The expansion author is null!");
 Objects.requireNonNull(expansion.getIdentifier(), "The expansion identifier is null!");
 Objects.requireNonNull(expansion.getVersion(), "The expansion version is null!");
-
+
+ if(PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig().checkVulnerableExpansions() && ValidateUtil.checkExpansion(expansion)) {
+ Msg.warn("Warning expansion %s contains a security vulnerability!", expansion.getIdentifier());
+ Msg.warn("Please update or remove it to prevent security issues.");
+ Msg.warn("If you think this is an error, disable this warning at config.yml.");
+ if(PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig().preventVulnerableExpansions()) {
+ return Optional.empty();
+ }
+ }
+
 if (expansion.getRequiredPlugin() != null && !expansion.getRequiredPlugin().isEmpty()) {
 if (!Bukkit.getPluginManager().isPluginEnabled(expansion.getRequiredPlugin())) {
 Msg.warn("Cannot load expansion %s due to a missing plugin: %s", expansion.getIdentifier(),
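Review bot: `import me.clip.placeholderapi.PlaceholderAPI;` is added, but nothing in this commit's hunks references `PlaceholderAPI` — the new code in this file goes through `PlaceholderAPIPlugin.getInstance()`. Unless the rest of the file (not visible here) already uses it, drop the import so the commit does not introduce an unused one.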
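Review bot: When `preventVulnerableExpansions()` is true the inner `if` returns `Optional.empty()` without telling the admin that the expansion was refused — the three `Msg.warn` lines read as an advisory ("disable this warning at config.yml") although the expansion is in fact not loaded, whereas the missing-plugin branch just below does say "Cannot load expansion". Add one line inside the inner `if`, e.g. `Msg.warn("Expansion %s was not loaded; set prevent_vulnerable_expansions to false in config.yml to override.", expansion.getIdentifier());`, and hoist the twice-evaluated `PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig()` into a local before the check. The check only sees what the jar reports through `getIdentifier()` and `getVersion()`, so it catches unmodified known-affected releases rather than verifying the jar; a comment on the outer `if` such as `// Advisory only: compares the self-reported identifier/version against ValidateUtil's list of known-affected releases.` keeps later readers from treating it as an integrity check. The enclosing method starts and ends outside this hunk.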
diff --git a/src/main/java/me/clip/placeholderapi/util/ValidateUtil.java b/src/main/java/me/clip/placeholderapi/util/ValidateUtil.java
new file mode 100644
index 0000000..5e6bb33
--- /dev/null
+++ b/src/main/java/me/clip/placeholderapi/util/ValidateUtil.java
@@ -0,0 +1,57 @@
+/*
+ * This file is part of PlaceholderAPI
+ *
+ * PlaceholderAPI
+ * Copyright (c) 2015 - 2021 PlaceholderAPI Team
+ *
+ * PlaceholderAPI free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * PlaceholderAPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+package me.clip.placeholderapi.util;
+
+import me.clip.placeholderapi.expansion.PlaceholderExpansion;
+
+import java.util.Arrays;
+import java.util.List;
+
+public class ValidateUtil {
+
+ private static final List vulnerableExpansions = Arrays.asList(
+ "JavaScript",
+ "StaffFacilities",
+ "Groopi",
+ "Minepacks",
+ "fetch",
+ "Spigotlobby"
+ );
+
+ private static final List expansionVersions = Arrays.asList(
+ "2.1.2",
+ "1.4.4",
+ "ALL",
+ "1.0.7",
+ "ALL",
+ "ALL"
+ );
+
+ public static boolean checkExpansion(final PlaceholderExpansion expansion) {
+ final String expansionName = expansion.getIdentifier();
+ if(!vulnerableExpansions.contains(expansionName)) {
+ return false;
+ }
+
+ final String expansionVersion = expansionVersions.get(vulnerableExpansions.indexOf(expansionName));
+ return expansionVersion.equals("ALL") || !expansionVersion.equals(expansion.getVersion());
+ }
+}
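Review bot: `checkExpansion` flags every version that is not the exact string in `expansionVersions` (`!expansionVersion.equals(expansion.getVersion())`), so if "2.1.2" for JavaScript is the patched release, as the expression implies, then 2.1.3 and every later release are reported as vulnerable too and, with `prevent_vulnerable_expansions: true`, refused outright; the comparison needs to be "older than the fixed version" with a numeric dot-separated compare, not string inequality. Two parallel lists paired by index are also fragile (reordering one list silently changes which version applies to which expansion) — a single map from identifier to fixed version states the pairing once, and a `TreeMap` with `String.CASE_INSENSITIVE_ORDER` avoids a miss if an expansion reports its identifier in a different case than the list (identifiers are commonly lower-case, which cannot be verified from here). The class should be `final` with a private constructor since it is a static utility, and `checkExpansion` needs a Javadoc stating that it compares the expansion's self-reported identifier and version and that an unparsable version is treated as affected. The rewrite below replaces the `Arrays`/`List` imports with `java.util.Map` and `java.util.TreeMap`; the entries are the six pairs from the two lists.

```java
// … unchanged: license header, package declaration, PlaceholderExpansion import …

public final class ValidateUtil {

    // Identifier -> first release known not to be affected; "ALL" marks an expansion where every release is affected.
    private static final Map<String, String> FIXED_VERSIONS = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    static {
        FIXED_VERSIONS.put("JavaScript", "2.1.2");
        FIXED_VERSIONS.put("StaffFacilities", "1.4.4");
        FIXED_VERSIONS.put("Groopi", "ALL");
        FIXED_VERSIONS.put("Minepacks", "1.0.7");
        FIXED_VERSIONS.put("fetch", "ALL");
        FIXED_VERSIONS.put("Spigotlobby", "ALL");
    }

    private ValidateUtil() {
    }

    /**
     * Reports whether the expansion's self-reported identifier and version match a known-affected release.
     * A version that cannot be parsed as dot-separated integers is treated as affected.
     */
    public static boolean checkExpansion(final PlaceholderExpansion expansion) {
        final String fixedVersion = FIXED_VERSIONS.get(expansion.getIdentifier());
        if (fixedVersion == null) {
            return false;
        }
        return fixedVersion.equals("ALL") || isOlderThan(expansion.getVersion(), fixedVersion);
    }

    // Numeric comparison of dot-separated versions; missing trailing components count as 0.
    private static boolean isOlderThan(final String version, final String fixed) {
        final String[] actual = version.split("\\.");
        final String[] wanted = fixed.split("\\.");
        final int length = Math.max(actual.length, wanted.length);
        for (int i = 0; i < length; i++) {
            final int a;
            final int b;
            try {
                a = i < actual.length ? Integer.parseInt(actual[i].trim()) : 0;
                b = i < wanted.length ? Integer.parseInt(wanted[i].trim()) : 0;
            } catch (final NumberFormatException ignored) {
                return true; // unparsable version: fail closed, as the original did for any non-exact match
            }
            if (a != b) {
                return a < b;
            }
        }
        return false;
    }
}
```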
diff --git a/src/main/resources/config.yml b/src/main/resources/config.yml
index 6fa0861..eb69731 100644
--- a/src/main/resources/config.yml
+++ b/src/main/resources/config.yml
@@ -12,6 +12,8 @@ check_updates: true
 cloud_enabled: true
 cloud_sorting: "name"
 cloud_allow_unverified_expansions: false
+check_vulnerable_expansions: true
+prevent_vulnerable_expansions: true
 boolean:
 'true': 'yes'
 'false': 'no'