feat: Vulnerable expansions checker
parent
1f57f97c21
commit
a8bbfc2566
|
@ -57,6 +57,13 @@ public final class PlaceholderAPIConfig {
|
|||
return plugin.getConfig().getBoolean("debug", false);
|
||||
}
|
||||
|
||||
public boolean checkVulnerableExpansions() {
|
||||
return plugin.getConfig().getBoolean("check_vulnerable_expansions");
|
||||
}
|
||||
|
||||
public boolean preventVulnerableExpansions() {
|
||||
return plugin.getConfig().getBoolean("prevent_vulnerable_expansions");
|
||||
}
|
||||
|
||||
public Optional<ExpansionSort> getExpansionSort() {
|
||||
final String option = plugin.getConfig()
|
||||
|
@ -90,4 +97,5 @@ public final class PlaceholderAPIConfig {
|
|||
return plugin.getConfig().getString("boolean.false", "false");
|
||||
}
|
||||
|
||||
|
||||
}
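Review bot: Both new getters in PlaceholderAPIConfig read their key without an explicit default, unlike the `debug` getter just above them, which passes `false`. For a config.yml written before this commit, the result depends on whether bundled defaults are applied, which this hunk does not show; if they are not, both checks silently evaluate to false. Since these getters gate a security check, state the intended fallback in the call itself: `return plugin.getConfig().getBoolean("check_vulnerable_expansions", true);`, and likewise for `prevent_vulnerable_expansions`. The class body continues outside the hunk.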
|
||||
|
|
|
@ -38,6 +38,8 @@ import java.util.concurrent.CompletionException;
|
|||
import java.util.concurrent.ConcurrentHashMap;
|
||||
import java.util.concurrent.locks.ReentrantLock;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import me.clip.placeholderapi.PlaceholderAPI;
|
||||
import me.clip.placeholderapi.PlaceholderAPIPlugin;
|
||||
import me.clip.placeholderapi.events.ExpansionRegisterEvent;
|
||||
import me.clip.placeholderapi.events.ExpansionUnregisterEvent;
|
||||
|
@ -52,6 +54,7 @@ import me.clip.placeholderapi.expansion.cloud.CloudExpansion;
|
|||
import me.clip.placeholderapi.util.FileUtil;
|
||||
import me.clip.placeholderapi.util.Futures;
|
||||
import me.clip.placeholderapi.util.Msg;
|
||||
import me.clip.placeholderapi.util.ValidateUtil;
|
||||
import org.bukkit.Bukkit;
|
||||
import org.bukkit.command.CommandSender;
|
||||
import org.bukkit.configuration.file.FileConfiguration;
|
||||
|
@ -175,11 +178,20 @@ public final class LocalExpansionManager implements Listener {
|
|||
if(expansion == null){
|
||||
return Optional.empty();
|
||||
}
|
||||
|
||||
|
||||
Objects.requireNonNull(expansion.getAuthor(), "The expansion author is null!");
|
||||
Objects.requireNonNull(expansion.getIdentifier(), "The expansion identifier is null!");
|
||||
Objects.requireNonNull(expansion.getVersion(), "The expansion version is null!");
|
||||
|
||||
|
||||
if(PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig().checkVulnerableExpansions() && ValidateUtil.checkExpansion(expansion)) {
|
||||
Msg.warn("Warning expansion %s contains a security vulnerability!", expansion.getIdentifier());
|
||||
Msg.warn("Please update or remove it to prevent security issues.");
|
||||
Msg.warn("If you think this is an error, disable this warning at config.yml.");
|
||||
if(PlaceholderAPIPlugin.getInstance().getPlaceholderAPIConfig().preventVulnerableExpansions()) {
|
||||
return Optional.empty();
|
||||
}
|
||||
}
|
||||
|
||||
if (expansion.getRequiredPlugin() != null && !expansion.getRequiredPlugin().isEmpty()) {
|
||||
if (!Bukkit.getPluginManager().isPluginEnabled(expansion.getRequiredPlugin())) {
|
||||
Msg.warn("Cannot load expansion %s due to a missing plugin: %s", expansion.getIdentifier(),
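Review bot: The warnings added to the register path name neither the flagged version nor whether the expansion was actually refused, so an operator reading the log cannot tell a blocked load from one that was flagged but still registered. I would put the version in the first message, `Msg.warn("Warning expansion %s (version %s) contains a security vulnerability!", expansion.getIdentifier(), expansion.getVersion());`, and log the outcome just before the early return, `Msg.warn("Expansion %s was not registered.", expansion.getIdentifier());`. The third message points at config.yml without naming the key; naming `check_vulnerable_expansions` there would save a lookup. The enclosing method starts and ends outside this hunk.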
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
/*
|
||||
* This file is part of PlaceholderAPI
|
||||
*
|
||||
* PlaceholderAPI
|
||||
* Copyright (c) 2015 - 2021 PlaceholderAPI Team
|
||||
*
|
||||
* PlaceholderAPI free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* PlaceholderAPI is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
package me.clip.placeholderapi.util;
|
||||
|
||||
import me.clip.placeholderapi.expansion.PlaceholderExpansion;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
public class ValidateUtil {
|
||||
|
||||
private static final List<String> vulnerableExpansions = Arrays.asList(
|
||||
"JavaScript",
|
||||
"StaffFacilities",
|
||||
"Groopi",
|
||||
"Minepacks",
|
||||
"fetch",
|
||||
"Spigotlobby"
|
||||
);
|
||||
|
||||
private static final List<String> expansionVersions = Arrays.asList(
|
||||
"2.1.2",
|
||||
"1.4.4",
|
||||
"ALL",
|
||||
"1.0.7",
|
||||
"ALL",
|
||||
"ALL"
|
||||
);
|
||||
|
||||
public static boolean checkExpansion(final PlaceholderExpansion expansion) {
|
||||
final String expansionName = expansion.getIdentifier();
|
||||
if(!vulnerableExpansions.contains(expansionName)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
final String expansionVersion = expansionVersions.get(vulnerableExpansions.indexOf(expansionName));
|
||||
return expansionVersion.equals("ALL") || !expansionVersion.equals(expansion.getVersion());
|
||||
}
|
||||
}
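Review bot: In ValidateUtil the name and version lists are paired only by index, and checkExpansion flags every version that is not string-equal to the listed one. If the listed value is the fixed release, any later release is still reported, and refused when `prevent_vulnerable_expansions` is on. The `contains` lookup is also case-sensitive and compares values the expansion reports about itself, so a differently cased identifier skips the check; treat the result as advisory rather than as a boundary. I would hold the pairs in one map keyed by lower-cased identifier, with a comment stating what the version means; the sketch below keeps the current version rule and needs `Map`, `HashMap` and `Locale` imported.

```java
// identifier (lower-cased) -> the only version that is NOT flagged, or "ALL" when every version is flagged
private static final Map<String, String> VULNERABLE_EXPANSIONS = new HashMap<>();

static {
  VULNERABLE_EXPANSIONS.put("javascript", "2.1.2");
  VULNERABLE_EXPANSIONS.put("stafffacilities", "1.4.4");
  VULNERABLE_EXPANSIONS.put("groopi", "ALL");
  VULNERABLE_EXPANSIONS.put("minepacks", "1.0.7");
  VULNERABLE_EXPANSIONS.put("fetch", "ALL");
  VULNERABLE_EXPANSIONS.put("spigotlobby", "ALL");
}

public static boolean checkExpansion(final PlaceholderExpansion expansion) {
  final String unflaggedVersion =
      VULNERABLE_EXPANSIONS.get(expansion.getIdentifier().toLowerCase(Locale.ROOT));
  if (unflaggedVersion == null) {
    return false;
  }
  return unflaggedVersion.equals("ALL") || !unflaggedVersion.equals(expansion.getVersion());
}
```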
|
|
@ -12,6 +12,8 @@ check_updates: true
|
|||
cloud_enabled: true
|
||||
cloud_sorting: "name"
|
||||
cloud_allow_unverified_expansions: false
|
||||
check_vulnerable_expansions: true
|
||||
prevent_vulnerable_expansions: true
|
||||
boolean:
|
||||
'true': 'yes'
|
||||
'false': 'no'
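Review bot: The two keys added to config.yml carry no comment, and nothing tells the operator that `prevent_vulnerable_expansions` is only consulted when `check_vulnerable_expansions` is true (the register hunk nests the second test inside the first). I would add a comment above them, for example `# check_vulnerable_expansions warns about expansions with known vulnerabilities; prevent_vulnerable_expansions additionally refuses to load them and has no effect when the check is off.`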
|
||||
|
|