- Fixed SQL-injection vulnerability in an endpoint
- Fixed XSS on Whitelist deny 403 page
- Fixed XSS on Internal Error 500 page if untrusted data ends up in the exception message
MySQL breaks GROUP BY syntax of standard SQL, and allows arbitrary columns with aggregate functions.
The ONLY_FULL_GROUP_BY stops this, instead raising an error. Since the SQL was originally designed
with this mode on, restricting the SQL broke the code in a few places.
Adding the extra group by clauses solves the issue without affecting query results.
These issues will be caught by MySQLTest in the future, since the issues could be reproduced by
enabling ONLY_FULL_GROUP_BY mode.
Affects issues:
- Fixed #2619
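The failure and the fix described above, as an added illustration that is not code from the Plan repository; the table, its columns and the sample rows are constructed for the example:

```sql
-- Added example, not Plan's own SQL. ping_sample and its columns are made up for this demo.
-- Turn on the strict mode that MySQLTest would enable (replaces the session's other modes
-- for simplicity; a real test would append it to the existing sql_mode).
SET SESSION sql_mode = 'ONLY_FULL_GROUP_BY';

CREATE TEMPORARY TABLE ping_sample (
    server_id   INT NOT NULL,
    server_name VARCHAR(32) NOT NULL,   -- in the data, fixed for a given server_id
    user_id     INT NOT NULL,
    ping        INT NOT NULL
);
INSERT INTO ping_sample VALUES
    (1, 'lobby',    10, 50),
    (1, 'lobby',    11, 90),
    (2, 'survival', 12, 30);

-- Before: MySQL's GROUP BY extension accepts this with the mode off and silently
-- picks server_name from an arbitrary row of each group. With ONLY_FULL_GROUP_BY on,
-- MySQL raises error 1055 (ER_WRONG_FIELD_WITH_GROUP) because server_name is neither
-- aggregated nor a GROUP BY key, and no declared key lets MySQL infer it is dependent.
SELECT server_id, server_name, AVG(ping) AS avg_ping
FROM ping_sample
GROUP BY server_id;

-- After: every non-aggregated selected column is also a GROUP BY key, so the statement
-- is standard SQL and runs in both modes. Since server_name is determined by server_id
-- in the data, the groups are the same as before and the averages do not change.
SELECT server_id, server_name, AVG(ping) AS avg_ping
FROM ping_sample
GROUP BY server_id, server_name;
```

Adding a column that is not determined by the existing keys would split the groups instead, so the extra clause must be checked against the data model before it is treated as a no-op.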
* Optimized network ping table query
* Removed icon id selection subqueries
  - Take the icon ID into memory when the icons are stored
* Fix typos in the optimized ping table query
* Optimize server ping table query
* Attempt to optimize /v1/servers tps data query
* Optimize ping and geolocations tables uuid -> user_id foreign key
* Prevent Plan from crashing if patching takes too long
  - HikariCP auto commit was true for some reason even though all transactions have a commit mechanism built in.
  - The setting was reset during connection recreation and that could cause an index out of bounds error.
* Reduce try-nesting in ExecStatement
* Use user_id and server_id instead of uuid for plan_world_times table
* Use user_id and server_id instead of uuid for plan_sessions and plan_user_info table
* Fix more issues and test queries used by Query Filters
* Use deferRender for data tables to load data into the table faster
* Swap uuids to user ids for query page filters
Fixes an issue where SQL is too big to execute
Affects issues:
- #2196
* Wrote a query and utility for getting server uptime
* Added current_uptime to json endpoints
* Load current uptime on the website
* Moved nukkit repo to nukkit module
* Added equals and hashcode to QueryStatement and QueryAPIQuery
* Remove dependency on codemc repository
Affects issues:
- Close #1845
* Fixed disk medium threshold not showing color
* Added 'serverName' and 'serverUUID' to optimizedPerformance endpoint
* Added /v1/network/listServers endpoint
* Added /v1/network/performanceOverview?servers endpoint
* Hide negative values from performance graphs
* Allow json cache bypass by not providing timestamp parameter in URIQuery
* Ignore negative values in low tps spike count
* Added (Unavailable with Export) to exported network html performance tab title
Affects issues:
- Close #1693
One bypass was discovered for detecting who has played on a server, where
403 is given for level 2 when a user has played and 400 when they have not.
This was fixed.
One 500 error was discovered when the network has no proxy server: /v1/network/servers
ran into a NullPointerException in a query.
- Split Session into ActiveSession and FinishedSession, replaced their usage
- Replaced UUID with ServerUUID when the data type
Affects issues:
- Close #1746
Because of the new resolution reduction, the gap algorithm was not
advanced enough to differentiate between lower resolution and missing data.
This was fixed by adding 3 different Gap strategies for the different
resolutions.
Reduced resolution of data:
- Last 30 days: Full resolution (1 per minute)
- Last 60 - 30 days: 1 per 5 minutes
- 60+ days old: 1 per 20 minutes
Effect:
- Reduced /v1/graphs?type=performance size from 21 MB to 9.15 MB (126k rows in database)
Added new endpoint /v1/graphs?type=optimizedPerformance that doesn't parse series separately
- Sends a single array of arrays instead of one array for each series
- Added a parseDataSeries to graphs.js that translates the data
Effect:
- Reduced from 9.15 MB to 3.35 MB
- Moved some workload to the browser
Affects issues:
- Fixed #1622
- Some extension API implementation things refactored
- getOrDefault+put calls replaced with computeIfAbsent
  using Maps#create, Lists#create
- stream().map(mapper).collect(toList/toSet) optimized
  using Lists#map, #mapUnique
- stream().filter(by).collect(toList) optimized
  using Lists#filter
Reason: Parse means extracting information - In many cases the word was being
used wrong (In Finnish 'parsia' means 'to patch together', which caused
the wrong use)
The word 'parse' replaced with 'build', 'create' or 'generate' where appropriate
- Fixed possible null issues with NicknameCache
- Removed a bunch of unused code, such as:
  - Point reduction algorithm implementations
  - HighCharts data String parsing methods
  - Unused Mutators
  - Unused AnalysisKeys
  - Leftovers from ConnectionSystem (Response codes)
  - Unused queries (Leftovers from Server box and Players table queries)
  - rendering.html.icon.Icons
- Made a bunch of fields final
Note that old deprecated API classes do not have signature changes.
MySQL, which restricts a float from being queried with getLong, caused an
SQLException.
All usages of getLong with the AVG function were replaced with
getDouble cast to long.
Affects issues:
- Fixed #1181