Exclude org/apache/logging/log4j/core/lookup/JndiLookup.class entirely

It's the one sure-fire way to prevent further exploits using JNDI through Log4j.
2024-11-16 21:10:30 +01:00 · 2021-12-14 19:37:37 -05:00 · 2021-12-14 19:37:37 -05:00 · fd842c4364
Commit fd842c4364
--- a/proxy/build.gradle
+++ b/proxy/build.gradle
@ -153,6 +153,9 @@ shadowJar {
    // Exclude Checker Framework annotations
    exclude 'org/checkerframework/checker/**'

+    // Exclude a Log4j class well-known for its use in recent security exploits.
+    exclude 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
+
    relocate 'org.bstats', 'com.velocitypowered.proxy.bstats'
 }