Fixed Security Vulnerability: #477

2024-11-09 04:11:50 +01:00 · 2017-12-16 13:57:28 +02:00 · 2017-12-16 13:57:28 +02:00 · f7ec19b8b3
commit f7ec19b8b3
parent 80018df960
8 changed files with 76 additions and 14 deletions
--- a/Plan/src/main/java/com/djrapitops/plan/Plan.java
+++ b/Plan/src/main/java/com/djrapitops/plan/Plan.java
@ -167,7 +167,6 @@ public class Plan extends BukkitPlugin implements IPlan {

            serverInfoManager = new BukkitServerInfoManager(this);
            infoManager = new BukkitInformationManager(this);
-
            WebServerSystem.getInstance().init();
            if (!WebServerSystem.isWebServerEnabled()) {
                if (Settings.WEBSERVER_DISABLED.isTrue()) {
@ -178,6 +177,7 @@ public class Plan extends BukkitPlugin implements IPlan {
                }
            }
            serverInfoManager.updateServerInfo();
+            infoManager.updateConnection();

            Benchmark.stop("Enable", "WebServer Initialization");

--- a/Plan/src/main/java/com/djrapitops/plan/PlanBungee.java
+++ b/Plan/src/main/java/com/djrapitops/plan/PlanBungee.java
@ -8,6 +8,8 @@ import com.djrapitops.plugin.BungeePlugin;
 import com.djrapitops.plugin.StaticHolder;
 import com.djrapitops.plugin.api.Benchmark;
 import com.djrapitops.plugin.api.config.Config;
+import com.djrapitops.plugin.api.systems.TaskCenter;
+import com.djrapitops.plugin.api.utility.log.DebugLog;
 import com.djrapitops.plugin.api.utility.log.Log;
 import com.djrapitops.plugin.settings.ColorScheme;
 import com.djrapitops.plugin.task.RunnableFactory;
@ -53,6 +55,8 @@ public class PlanBungee extends BungeePlugin implements IPlan {

    private ProcessingQueue processingQueue;

+    private boolean setupAllowed = false;
+
    @Override
    public void onEnable() {
        super.onEnable();
@ -72,8 +76,6 @@ public class PlanBungee extends BungeePlugin implements IPlan {
            Theme.getInstance().init();
            DBSystem.getInstance().init();

-            registerCommand("planbungee", new PlanBungeeCommand(this));
-
            String ip = variableHolder.getIp();
            if ("0.0.0.0".equals(ip)) {
                Log.error("IP setting still 0.0.0.0 - Configure AlternativeIP/IP that connects to the Proxy server.");
@ -103,8 +105,8 @@ public class PlanBungee extends BungeePlugin implements IPlan {
        } catch (Exception e) {
            Log.error("Plugin Failed to Initialize Correctly.");
            Log.toLog(this.getClass().getName(), e);
-            onDisable();
        }
+        registerCommand("planbungee", new PlanBungeeCommand(this));
    }

    public static PlanBungee getInstance() {
@ -122,7 +124,9 @@ public class PlanBungee extends BungeePlugin implements IPlan {
        }
        systems.close();
        Log.info(Locale.get(Msg.DISABLED).toString());
-        super.onDisable();
+        Benchmark.pluginDisabled(PlanBungee.class);
+        DebugLog.pluginDisabled(PlanBungee.class);
+        TaskCenter.cancelAllKnownTasks(PlanBungee.class);
    }

    @Override
@ -200,4 +204,12 @@ public class PlanBungee extends BungeePlugin implements IPlan {
    public Systems getSystems() {
        return systems;
    }
+
+    public boolean isSetupAllowed() {
+        return setupAllowed;
+    }
+
+    public void setSetupAllowed(boolean setupAllowed) {
+        this.setupAllowed = setupAllowed;
+    }
 }
--- a/Plan/src/main/java/com/djrapitops/plan/command/PlanBungeeCommand.java
+++ b/Plan/src/main/java/com/djrapitops/plan/command/PlanBungeeCommand.java
@ -27,7 +27,7 @@ public class PlanBungeeCommand extends TreeCommand<PlanBungee> {
     * @param plugin Current instance of Plan
     */
    public PlanBungeeCommand(PlanBungee plugin) {
-        super(plugin, "planbungee", CommandType.CONSOLE, "", "", "planbungee");
+        super(plugin, "planbungee", CommandType.CONSOLE, Permissions.MANAGE.getPermission(), "", "planbungee");
        super.setDefaultCommand("help");
        super.setColorScheme(plugin.getColorScheme());
    }
@ -42,7 +42,8 @@ public class PlanBungeeCommand extends TreeCommand<PlanBungee> {
        add(
                new ReloadCommand(plugin),
                new StatusCommand<>(plugin, Permissions.MANAGE.getPermission(), plugin.getColorScheme()),
-                new ListCommand()
+                new ListCommand(),
+                new BungeeSetupToggleCommand(plugin)
        );
        RegisterCommand registerCommand = new RegisterCommand(plugin);
        add(
--- a/Plan/src/main/java/com/djrapitops/plan/command/commands/BungeeSetupToggleCommand.java
+++ b/Plan/src/main/java/com/djrapitops/plan/command/commands/BungeeSetupToggleCommand.java
@ -0,0 +1,39 @@
+/*
+ * Licence is provided in the jar as license.yml also here:
+ * https://github.com/Rsl1122/Plan-PlayerAnalytics/blob/master/Plan/src/main/resources/license.yml
+ */
+package main.java.com.djrapitops.plan.command.commands;
+
+import com.djrapitops.plugin.command.CommandType;
+import com.djrapitops.plugin.command.ISender;
+import com.djrapitops.plugin.command.SubCommand;
+import main.java.com.djrapitops.plan.PlanBungee;
+import main.java.com.djrapitops.plan.settings.Permissions;
+
+/**
+ * //TODO Class Javadoc Comment
+ *
+ * @author Rsl1122
+ */
+public class BungeeSetupToggleCommand extends SubCommand {
+
+    private final PlanBungee plugin;
+
+    public BungeeSetupToggleCommand(PlanBungee plugin) {
+        super("setup", CommandType.ALL, Permissions.MANAGE.getPermission(), "Toggle Setup mode for Bungee");
+        this.plugin = plugin;
+    }
+
+    @Override
+    public boolean onCommand(ISender sender, String s, String[] strings) {
+        boolean setupAllowed = plugin.isSetupAllowed();
+        if (setupAllowed) {
+            plugin.setSetupAllowed(false);
+        } else {
+            plugin.setSetupAllowed(true);
+        }
+        String msg = !setupAllowed ? "§aSet-up is now Allowed" : "§cSet-up is now Forbidden";
+        sender.sendMessage(msg);
+        return true;
+    }
+}
--- a/Plan/src/main/java/com/djrapitops/plan/command/commands/manage/ManageSetupCommand.java
+++ b/Plan/src/main/java/com/djrapitops/plan/command/commands/manage/ManageSetupCommand.java
@ -7,6 +7,7 @@ import com.djrapitops.plugin.command.ISender;
 import com.djrapitops.plugin.command.SubCommand;
 import main.java.com.djrapitops.plan.Plan;
 import main.java.com.djrapitops.plan.api.exceptions.WebAPIException;
+import main.java.com.djrapitops.plan.api.exceptions.WebAPIForbiddenException;
 import main.java.com.djrapitops.plan.settings.Permissions;
 import main.java.com.djrapitops.plan.settings.Settings;
 import main.java.com.djrapitops.plan.settings.locale.Locale;
@ -70,6 +71,8 @@ public class ManageSetupCommand extends SubCommand {
 //            plugin.getWebServer().getWebAPI().getAPI(PingWebAPI.class).sendRequest(address);
            plugin.getWebServer().getWebAPI().getAPI(RequestSetupWebAPI.class).sendRequest(address);
            sender.sendMessage("§eConnection successful, Plan may restart in a few seconds, if it doesn't something has gone wrong.");
+        } catch (WebAPIForbiddenException e) {
+            sender.sendMessage("§eConnection succeeded, but Bungee has set-up mode disabled - use '/planbungee setup' to enable it.");
        } catch (WebAPIException e) {
            Log.toLog(this.getClass().getName(), e);
            sender.sendMessage("§cConnection to Bungee WebServer failed: More info on console");
--- a/Plan/src/main/java/com/djrapitops/plan/systems/info/BukkitInformationManager.java
+++ b/Plan/src/main/java/com/djrapitops/plan/systems/info/BukkitInformationManager.java
@ -20,6 +20,7 @@ import main.java.com.djrapitops.plan.systems.info.parsing.AnalysisPageParser;
 import main.java.com.djrapitops.plan.systems.info.parsing.InspectPageParser;
 import main.java.com.djrapitops.plan.systems.processing.Processor;
 import main.java.com.djrapitops.plan.systems.webserver.WebServer;
+import main.java.com.djrapitops.plan.systems.webserver.WebServerSystem;
 import main.java.com.djrapitops.plan.systems.webserver.pagecache.PageCache;
 import main.java.com.djrapitops.plan.systems.webserver.pagecache.PageId;
 import main.java.com.djrapitops.plan.systems.webserver.response.*;
@ -63,8 +64,7 @@ public class BukkitInformationManager extends InformationManager {
        dataCache = new DataCache(plugin);
        analysis = new Analysis(plugin);
        pluginsTabContents = new HashMap<>();
-
-        updateConnection();
+        usingAnotherWebServer = false;
    }

    public void updateConnection() {
@ -323,8 +323,7 @@ public class BukkitInformationManager extends InformationManager {

    @Override
    public boolean attemptConnection() {
-        WebServer webServer = plugin.getWebServer();
-        boolean webServerIsEnabled = webServer.isEnabled();
+        boolean webServerIsEnabled = WebServerSystem.isWebServerEnabled();
        boolean previousState = usingAnotherWebServer;

        try {
@ -350,6 +349,7 @@ public class BukkitInformationManager extends InformationManager {
        } finally {
            boolean changedState = previousState != usingAnotherWebServer;
            if (webServerIsEnabled && changedState) {
+                WebServer webServer = WebServerSystem.getInstance().getWebServer();
                webServer.stop();
                webServer.initServer();
            }
--- a/Plan/src/main/java/com/djrapitops/plan/systems/webserver/response/ForbiddenResponse.java
+++ b/Plan/src/main/java/com/djrapitops/plan/systems/webserver/response/ForbiddenResponse.java
@ -13,7 +13,7 @@ public class ForbiddenResponse extends ErrorResponse {
    }

    public ForbiddenResponse(String msg) {
-        super.setHeader("HTTP/1.1 404 Not Found");
+        super.setHeader("HTTP/1.1 403 Forbidden");
        super.setTitle("403 Forbidden - Access Denied");
        super.setParagraph(msg);
        super.replacePlaceholders();
--- a/Plan/src/main/java/com/djrapitops/plan/systems/webserver/webapi/bungee/RequestSetupWebAPI.java
+++ b/Plan/src/main/java/com/djrapitops/plan/systems/webserver/webapi/bungee/RequestSetupWebAPI.java
@ -1,4 +1,4 @@
-/* 
+/*
 * Licence is provided in the jar as license.yml also here:
 * https://github.com/Rsl1122/Plan-PlayerAnalytics/blob/master/Plan/src/main/resources/license.yml
 */
@ -13,6 +13,7 @@ import main.java.com.djrapitops.plan.PlanBungee;
 import main.java.com.djrapitops.plan.api.IPlan;
 import main.java.com.djrapitops.plan.api.exceptions.WebAPIException;
 import main.java.com.djrapitops.plan.systems.info.server.ServerInfo;
+import main.java.com.djrapitops.plan.systems.webserver.response.ForbiddenResponse;
 import main.java.com.djrapitops.plan.systems.webserver.response.Response;
 import main.java.com.djrapitops.plan.systems.webserver.webapi.WebAPI;

@ -31,6 +32,11 @@ public class RequestSetupWebAPI extends WebAPI {
        if (!Check.isBungeeAvailable()) {
            return badRequest("Called a Bukkit server.");
        }
+
+        if (!((PlanBungee) plugin).isSetupAllowed()) {
+            return new ForbiddenResponse("Setup mode disabled, use /planbungee setup to enable");
+        }
+
        String serverUUIDS = variables.get("sender");
        String webAddress = variables.get("webAddress");
        String accessCode = variables.get("accessKey");
@ -38,7 +44,8 @@ public class RequestSetupWebAPI extends WebAPI {
            return badRequest("Variable was null");
        }
        ServerInfo serverInfo = new ServerInfo(-1, UUID.fromString(serverUUIDS), "", webAddress, 0);
-        PlanBungee.getInstance().getServerInfoManager().attemptConnection(serverInfo, accessCode);
+
+        ((PlanBungee) plugin).getServerInfoManager().attemptConnection(serverInfo, accessCode);
        return success();
    }