From 811d65b68a21c7e0057712e5b438eae5cace5d56 Mon Sep 17 00:00:00 2001 From: ME1312 Date: Mon, 15 Feb 2021 00:28:06 -0500 Subject: [PATCH] Secure the compatibility plugin This commit moves the loadable section of the compatibility plugin to an anonymous class to prevent misuse of that section of code. --- SubServers.Bungee/common/pom.xml | 4 +- SubServers.Bungee/pom.xml | 4 +- .../Bungee/Library/Compatibility/Plugin.java | 54 +----------------- .../ME1312/SubServers/Bungee/SubProxy.java | 56 ++++++++++++++++--- SubServers.Client/Bukkit/pom.xml | 2 +- SubServers.Client/Common/pom.xml | 2 +- SubServers.Client/Sponge/pom.xml | 2 +- SubServers.Host/pom.xml | 2 +- SubServers.Sync/pom.xml | 4 +- .../net/ME1312/SubServers/Sync/ExProxy.java | 31 ++++++++-- .../Sync/Library/Compatibility/Plugin.java | 33 +---------- 11 files changed, 88 insertions(+), 106 deletions(-) diff --git a/SubServers.Bungee/common/pom.xml b/SubServers.Bungee/common/pom.xml index 1abde810..ccf78f6a 100644 --- a/SubServers.Bungee/common/pom.xml +++ b/SubServers.Bungee/common/pom.xml @@ -30,13 +30,13 @@ net.ME1312.Galaxi GalaxiUtil - 21w07e + 21w08a provided net.ME1312.Galaxi GalaxiEngine - 21w07e + 21w08a provided diff --git a/SubServers.Bungee/pom.xml b/SubServers.Bungee/pom.xml index 985f90c1..fb9b386e 100644 --- a/SubServers.Bungee/pom.xml +++ b/SubServers.Bungee/pom.xml @@ -30,14 +30,14 @@ net.ME1312.Galaxi GalaxiUtil - 21w07e + 21w08a compile true net.ME1312.Galaxi GalaxiEngine - 21w07e + 21w08a provided diff --git a/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/Library/Compatibility/Plugin.java b/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/Library/Compatibility/Plugin.java index b566e337..b03a69be 100644 --- a/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/Library/Compatibility/Plugin.java +++ b/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/Library/Compatibility/Plugin.java 
@@ -1,61 +1,9 @@ package net.ME1312.SubServers.Bungee.Library.Compatibility; -import net.ME1312.Galaxi.Library.Callback.ExceptionRunnable; -import net.ME1312.Galaxi.Library.Util; - -import net.md_5.bungee.api.ProxyServer; -import net.md_5.bungee.api.plugin.PluginDescription; - -import java.io.File; - public final class Plugin extends net.md_5.bungee.api.plugin.Plugin { - private static final PluginDescription description = new PluginDescription(); - private final ExceptionRunnable enable; - private final Runnable disable; - private boolean enabled; @Deprecated public Plugin() { - enable = null; - disable = null; - } - - private static PluginDescription describe() { - description.setName("SubServers-Bungee"); - description.setMain(Plugin.class.getCanonicalName()); - description.setFile(Util.getDespiteException(() -> new File(Plugin.class.getProtectionDomain().getCodeSource().getLocation().toURI()), null)); - description.setVersion(net.ME1312.SubServers.Bungee.SubProxy.version.toString()); - description.setAuthor("ME1312"); - return description; - } - - public Plugin(ProxyServer proxy, ExceptionRunnable enable, Runnable disable) { - super(proxy, describe()); - this.enable = enable; - this.disable = disable; - - // 2020 BungeeCord builds don't run init(), but future builds may uncomment that line. We wouldn't want to repeat ourselves. - if (getDescription() == null) Util.isException(() -> Util.reflect(net.md_5.bungee.api.plugin.Plugin.class.getDeclaredMethod("init", ProxyServer.class, PluginDescription.class), this, proxy, description)); - } - - @Override - public void onEnable() { - if (enable == null) { - throw new IllegalStateException("SubServers.Bungee does not run as a plugin, but a wrapper. 
For more information on how to install, please visit this page: https://github.com/ME1312/SubServers-2/wiki/Install"); - } else try { - enabled = true; - enable.run(); - } catch (Throwable e) { - e.printStackTrace(); - } - } - - public boolean isActive() { - return enabled; - } - - @Override - public void onDisable() { - if (disable != null) disable.run(); + throw new IllegalStateException("SubServers.Bungee does not run as a plugin, but a wrapper. For more information on how to install, please visit this page: https://github.com/ME1312/SubServers-2/wiki/Installation"); } } diff --git a/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/SubProxy.java b/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/SubProxy.java index af5cef2b..0353e5a1 100644 --- a/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/SubProxy.java +++ b/SubServers.Bungee/src/net/ME1312/SubServers/Bungee/SubProxy.java @@ -20,7 +20,6 @@ import net.ME1312.SubServers.Bungee.Library.Compatibility.Galaxi.GalaxiCommand; import net.ME1312.SubServers.Bungee.Library.Compatibility.Galaxi.GalaxiEventListener; import net.ME1312.SubServers.Bungee.Library.Compatibility.LegacyServerMap; import net.ME1312.SubServers.Bungee.Library.Compatibility.Logger; -import net.ME1312.SubServers.Bungee.Library.Compatibility.Plugin; import net.ME1312.SubServers.Bungee.Library.ConfigUpdater; import net.ME1312.SubServers.Bungee.Library.Exception.InvalidHostException; import net.ME1312.SubServers.Bungee.Library.Exception.InvalidServerException; @@ -38,6 +37,7 @@ import com.google.gson.Gson; import net.md_5.bungee.BungeeServerInfo; import net.md_5.bungee.UserConnection; import net.md_5.bungee.api.ChatColor; +import net.md_5.bungee.api.ProxyServer; import net.md_5.bungee.api.ServerPing; import net.md_5.bungee.api.chat.BaseComponent; import net.md_5.bungee.api.chat.TextComponent; 
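Review bot: The rewritten `Plugin` class in Bungee/Library/Compatibility/Plugin.java has no comment explaining why a public class whose only constructor throws still exists, and the reason cannot be read from this file alone. Judging by the `description.setMain(net.ME1312.SubServers.Bungee.Library.Compatibility.Plugin.class.getCanonicalName())` call added in SubProxy.java, it remains the main class named in the emulated plugin description and otherwise only rejects being loaded as an ordinary plugin. I would add a class Javadoc such as `/** Placeholder main class; construction always fails because SubServers.Bungee runs as a wrapper, not as a BungeeCord plugin. */`. The same applies to the SubServers.Sync copy of this class in the last hunk of the patch.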
@@ -46,6 +46,8 @@ import net.md_5.bungee.api.config.ServerInfo; import net.md_5.bungee.api.connection.ProxiedPlayer; import net.md_5.bungee.api.event.*; import net.md_5.bungee.api.plugin.Listener; +import net.md_5.bungee.api.plugin.Plugin; +import net.md_5.bungee.api.plugin.PluginDescription; import net.md_5.bungee.api.plugin.PluginManager; import net.md_5.bungee.connection.InitialHandler; import net.md_5.bungee.event.EventHandler; @@ -62,7 +64,6 @@ import java.security.SecureRandom; import java.text.DecimalFormat; import java.util.*; import java.util.concurrent.TimeUnit; -import java.util.logging.Handler; /** * Main Plugin Class @@ -97,6 +98,7 @@ public final class SubProxy extends BungeeCommon implements Listener { public final boolean isPatched; public final boolean isGalaxi; public long resetDate = 0; + private boolean pluginDeployed = false; private boolean running = false; private boolean reloading = false; private boolean posted = false; 
@@ -239,14 +241,54 @@ public final class SubProxy extends BungeeCommon implements Listener { }, TimeUnit.DAYS.toMillis(7), TimeUnit.DAYS.toMillis(7)); mProxy = new Proxy("(master)"); - api.addHostDriver(net.ME1312.SubServers.Bungee.Host.Internal.InternalHost.class, "virtual"); api.addHostDriver(net.ME1312.SubServers.Bungee.Host.External.ExternalHost.class, "network"); - plugin = Util.getDespiteException(() -> new Plugin(this, this::reload, this::shutdown), null); - if (plugin == null) Logger.get("SubServers").warning("Could not initialize plugin object emulation"); - else Util.isException(() -> Util.>reflect(PluginManager.class.getDeclaredField("plugins"), getPluginManager()).put(null, plugin)); + { + PluginDescription description = new PluginDescription(); + description.setName("SubServers-Bungee"); + description.setMain(net.ME1312.SubServers.Bungee.Library.Compatibility.Plugin.class.getCanonicalName()); + description.setFile(Util.getDespiteException(() -> new File(SubProxy.class.getProtectionDomain().getCodeSource().getLocation().toURI()), null)); + description.setVersion(version.toString()); + description.setAuthor("ME1312"); + Plugin plugin = null; + String stage = "access"; + try { + plugin = new Plugin(this, description) { + @Override + public void onEnable() { + try { + pluginDeployed = true; + reload(); + } catch (Throwable e) { + e.printStackTrace(); + } + } + + @Override + public void onDisable() { + try { + shutdown(); + } catch (Throwable e) { + e.printStackTrace(); + } + } + }; + + if (plugin.getDescription() == null) { + stage = "initialize"; + Util.reflect(Plugin.class.getDeclaredMethod("init", ProxyServer.class, PluginDescription.class), plugin, this, description); + } + + stage = "deploy"; + Util.>reflect(PluginManager.class.getDeclaredField("plugins"), getPluginManager()).put(null, plugin); + } catch (Throwable e) { + Logger.get("SubServers").warning("Could not " + stage + " plugin emulation"); + } finally { + this.plugin = plugin; + } + } 
getPluginManager().registerListener(plugin, this); Logger.get("SubServers").info("Pre-Parsing Config..."); @@ -731,7 +773,7 @@ public final class SubProxy extends BungeeCommon implements Listener { @Override public void stopListeners() { if (running) { - if (plugin != null && plugin.isActive()) { + if (pluginDeployed) { shutdown = !super.isRunning; super.isRunning = true; } diff --git a/SubServers.Client/Bukkit/pom.xml b/SubServers.Client/Bukkit/pom.xml index ba03b1b8..2f89b623 100644 --- a/SubServers.Client/Bukkit/pom.xml +++ b/SubServers.Client/Bukkit/pom.xml @@ -48,7 +48,7 @@ net.ME1312.Galaxi GalaxiUtil - 21w07e + 21w08a compile true diff --git a/SubServers.Client/Common/pom.xml b/SubServers.Client/Common/pom.xml index f2374845..ef7ff33e 100644 --- a/SubServers.Client/Common/pom.xml +++ b/SubServers.Client/Common/pom.xml @@ -20,7 +20,7 @@ net.ME1312.Galaxi GalaxiUtil - 21w07e + 21w08a provided diff --git a/SubServers.Client/Sponge/pom.xml b/SubServers.Client/Sponge/pom.xml index 2bf8ffb2..4dc6adb9 100644 --- a/SubServers.Client/Sponge/pom.xml +++ b/SubServers.Client/Sponge/pom.xml @@ -30,7 +30,7 @@ net.ME1312.Galaxi GalaxiUtil - 21w07e + 21w08a compile true diff --git a/SubServers.Host/pom.xml b/SubServers.Host/pom.xml index 62957ece..93b9612a 100644 --- a/SubServers.Host/pom.xml +++ b/SubServers.Host/pom.xml @@ -20,7 +20,7 @@ net.ME1312.Galaxi GalaxiEngine - 21w07e + 21w08a compile true diff --git a/SubServers.Sync/pom.xml b/SubServers.Sync/pom.xml index 751fde48..31b5ca8e 100644 --- a/SubServers.Sync/pom.xml +++ b/SubServers.Sync/pom.xml @@ -30,14 +30,14 @@ net.ME1312.Galaxi GalaxiUtil - 21w07e + 21w08a compile true net.ME1312.Galaxi GalaxiEngine - 21w07e + 21w08a provided diff --git a/SubServers.Sync/src/net/ME1312/SubServers/Sync/ExProxy.java b/SubServers.Sync/src/net/ME1312/SubServers/Sync/ExProxy.java index d64024e2..3cf4df71 100644 --- a/SubServers.Sync/src/net/ME1312/SubServers/Sync/ExProxy.java 
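Review bot: The `catch (Throwable e)` that closes the new block discards the exception, so a failed reflective lookup of `init` or of the `plugins` field is reported only as "Could not <stage> plugin emulation" with no cause. Appending the throwable, `Logger.get("SubServers").warning("Could not " + stage + " plugin emulation: " + e);`, keeps the failure diagnosable if the BungeeCord internals this code reaches into change between builds. Note also that `finally` assigns `this.plugin` even when the `initialize` or `deploy` stage threw, so the `registerListener(plugin, this)` call that follows can receive a partly initialized or null plugin; a one-line comment stating that this is intended would help the next reader. The ExProxy.java hunk at -129,9 ends in the same catch block.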
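Review bot: `pluginDeployed` now gates this branch in `stopListeners()`, but despite its name it is not set in the "deploy" stage: it is set inside the anonymous plugin's public `onEnable()`, and nothing visible in the patch resets it. Because that plugin instance is placed in PluginManager's `plugins` map, other loaded plugins can presumably obtain it and call `onEnable()` themselves, which would flip the flag and run `reload()` outside the normal lifecycle. If BungeeCord is only expected to enable it once, making the override one-shot with `if (pluginDeployed) return;` as its first statement would narrow that, and the field deserves a comment such as `// true once onEnable() of the emulated plugin has run; read by stopListeners()`. The body of `stopListeners()` continues outside the hunk.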
+++ b/SubServers.Sync/src/net/ME1312/SubServers/Sync/ExProxy.java @@ -11,7 +11,6 @@ import net.ME1312.SubData.Client.DataClient; import net.ME1312.SubData.Client.Encryption.AES; import net.ME1312.SubData.Client.Encryption.DHE; import net.ME1312.SubData.Client.Encryption.RSA; -import net.ME1312.SubData.Client.Library.DataSize; import net.ME1312.SubData.Client.Library.DisconnectReason; import net.ME1312.SubData.Client.SubDataClient; import net.ME1312.SubServers.Bungee.BungeeCommon; @@ -20,7 +19,6 @@ import net.ME1312.SubServers.Bungee.Library.Compatibility.Logger; import net.ME1312.SubServers.Bungee.Library.Fallback.FallbackState; import net.ME1312.SubServers.Bungee.Library.Fallback.SmartFallback; import net.ME1312.SubServers.Sync.Event.*; -import net.ME1312.SubServers.Sync.Library.Compatibility.Plugin; import net.ME1312.SubServers.Sync.Library.ConfigUpdater; import net.ME1312.SubServers.Sync.Library.Metrics; import net.ME1312.SubServers.Sync.Network.Packet.PacketDisconnectPlayer; @@ -35,6 +33,7 @@ import com.google.gson.Gson; import net.md_5.bungee.BungeeServerInfo; import net.md_5.bungee.UserConnection; import net.md_5.bungee.api.ChatColor; +import net.md_5.bungee.api.ProxyServer; import net.md_5.bungee.api.ServerPing; import net.md_5.bungee.api.chat.BaseComponent; import net.md_5.bungee.api.chat.TextComponent; @@ -43,6 +42,8 @@ import net.md_5.bungee.api.config.ServerInfo; import net.md_5.bungee.api.connection.ProxiedPlayer; import net.md_5.bungee.api.event.*; import net.md_5.bungee.api.plugin.Listener; +import net.md_5.bungee.api.plugin.Plugin; +import net.md_5.bungee.api.plugin.PluginDescription; import net.md_5.bungee.connection.InitialHandler; import net.md_5.bungee.event.EventHandler; 
@@ -129,9 +130,31 @@ public final class ExProxy extends BungeeCommon implements Listener { subprotocol.registerCipher("DHE-192", DHE.get(192)); subprotocol.registerCipher("DHE-256", DHE.get(256)); - plugin = Util.getDespiteException(() -> new Plugin(this), null); - if (plugin == null) Logger.get("SubServers").warning("Could not initialize plugin object emulation"); + { + PluginDescription description = new PluginDescription(); + description.setName("SubServers-Sync"); + description.setMain(net.ME1312.SubServers.Sync.Library.Compatibility.Plugin.class.getCanonicalName()); + description.setFile(Util.getDespiteException(() -> new File(ExProxy.class.getProtectionDomain().getCodeSource().getLocation().toURI()), null)); + description.setVersion(version.toString()); + description.setAuthor("ME1312"); + String stage = "access"; + Plugin plugin = null; + try { + plugin = new Plugin(this, description) { + // SubServers.Sync doesn't deploy code here at this time. + }; + + if (plugin.getDescription() == null) { + stage = "initialize"; + Util.reflect(Plugin.class.getDeclaredMethod("init", ProxyServer.class, PluginDescription.class), plugin, this, description); + } + } catch (Throwable e) { + Logger.get("SubServers").warning("Could not " + stage + " plugin emulation"); + } finally { + this.plugin = plugin; + } + } getPluginManager().registerListener(plugin, this); Logger.get("SubServers").info("Loading BungeeCord Libraries..."); diff --git a/SubServers.Sync/src/net/ME1312/SubServers/Sync/Library/Compatibility/Plugin.java b/SubServers.Sync/src/net/ME1312/SubServers/Sync/Library/Compatibility/Plugin.java index a896e56f..66eb3dec 100644 --- a/SubServers.Sync/src/net/ME1312/SubServers/Sync/Library/Compatibility/Plugin.java +++ b/SubServers.Sync/src/net/ME1312/SubServers/Sync/Library/Compatibility/Plugin.java 
@@ -1,40 +1,9 @@ package net.ME1312.SubServers.Sync.Library.Compatibility; -import net.ME1312.Galaxi.Library.Util; - -import net.md_5.bungee.api.ProxyServer; -import net.md_5.bungee.api.plugin.PluginDescription; - -import java.io.File; - public final class Plugin extends net.md_5.bungee.api.plugin.Plugin { - private static final PluginDescription description = new PluginDescription(); - private final boolean invalid; @Deprecated public Plugin() { - this.invalid = true; - } - - private static PluginDescription describe() { - description.setName("SubServers-Sync"); - description.setMain(Plugin.class.getCanonicalName()); - description.setFile(Util.getDespiteException(() -> new File(Plugin.class.getProtectionDomain().getCodeSource().getLocation().toURI()), null)); - description.setVersion(net.ME1312.SubServers.Sync.ExProxy.version.toString()); - description.setAuthor("ME1312"); - return description; - } - - public Plugin(ProxyServer proxy) { - super(proxy, describe()); - this.invalid = false; - - // 2020 BungeeCord builds don't run init(), but future builds may uncomment that line. We wouldn't want to repeat ourselves. - if (getDescription() == null) Util.isException(() -> Util.reflect(net.md_5.bungee.api.plugin.Plugin.class.getDeclaredMethod("init", ProxyServer.class, PluginDescription.class), this, proxy, description)); - } - - @Override - public void onEnable() { - if (invalid) throw new IllegalStateException("SubServers.Sync does not run as a plugin, but a wrapper. For more information on how to install, please visit this page: https://github.com/ME1312/SubServers-2/wiki/Install"); + throw new IllegalStateException("SubServers.Sync does not run as a plugin, but a wrapper. For more information on how to install, please visit this page: https://github.com/ME1312/SubServers-2/wiki/Installation"); } }