Arbitrary code execution is very dangerous. Limit to debug mode.
The filter command allows users with sufficient permission (or OPs) to execute arbitrary JavaScript (no sandboxing). This is fine for a debug and testing, but could potentially be exploited in a production environment. Instead, we disable this command by default and force users to enable it specifically in the configuration file (not through commands). If someone has access to the config.yml file, they probably also have access to the plugins/ folder and thus the ability to install plugins with arbitrary code execution as well.
Dieser Commit ist enthalten in:
Ursprung
15980d70fb
Commit
3ee38d7b6d
@ -221,12 +221,16 @@ public class CommandFilter extends CommandBase {
|
|||||||
// Owner plugin
|
// Owner plugin
|
||||||
private final Plugin plugin;
|
private final Plugin plugin;
|
||||||
|
|
||||||
|
// Whether or not the command is enabled
|
||||||
|
private ProtocolConfig config;
|
||||||
|
|
||||||
// Script engine
|
// Script engine
|
||||||
private ScriptEngine engine;
|
private ScriptEngine engine;
|
||||||
|
|
||||||
public CommandFilter(ErrorReporter reporter, Plugin plugin) {
|
public CommandFilter(ErrorReporter reporter, Plugin plugin, ProtocolConfig config) {
|
||||||
super(reporter, CommandBase.PERMISSION_ADMIN, NAME, 2);
|
super(reporter, CommandBase.PERMISSION_ADMIN, NAME, 2);
|
||||||
this.plugin = plugin;
|
this.plugin = plugin;
|
||||||
|
this.config = config;
|
||||||
|
|
||||||
// Start the engine
|
// Start the engine
|
||||||
initalizeScript();
|
initalizeScript();
|
||||||
@ -264,13 +268,18 @@ public class CommandFilter extends CommandBase {
|
|||||||
// Pass!
|
// Pass!
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Description: Adds or removes a simple packet listener.
|
* Description: Adds or removes a simple packet listener.
|
||||||
Usage: /<command> add|remove name [packet IDs]
|
Usage: /<command> add|remove name [packet IDs]
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
protected boolean handleCommand(CommandSender sender, String[] args) {
|
protected boolean handleCommand(CommandSender sender, String[] args) {
|
||||||
|
if (!config.isDebug()) {
|
||||||
|
sender.sendMessage(ChatColor.RED + "Debug mode must be enabled in the configuration first!");
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
final SubCommand command = parseCommand(args, 0);
|
final SubCommand command = parseCommand(args, 0);
|
||||||
final String name = args[1];
|
final String name = args[1];
|
||||||
|
|
||||||
|
@ -40,6 +40,8 @@ class ProtocolConfig {
|
|||||||
private static final String IGNORE_VERSION_CHECK = "ignore version check";
|
private static final String IGNORE_VERSION_CHECK = "ignore version check";
|
||||||
private static final String BACKGROUND_COMPILER_ENABLED = "background compiler";
|
private static final String BACKGROUND_COMPILER_ENABLED = "background compiler";
|
||||||
|
|
||||||
|
private static final String DEBUG_MODE_ENABLED = "debug";
|
||||||
|
|
||||||
private static final String INJECTION_METHOD = "injection method";
|
private static final String INJECTION_METHOD = "injection method";
|
||||||
|
|
||||||
private static final String UPDATER_NOTIFY = "notify";
|
private static final String UPDATER_NOTIFY = "notify";
|
||||||
@ -140,6 +142,24 @@ class ProtocolConfig {
|
|||||||
public void setAutoDownload(boolean value) {
|
public void setAutoDownload(boolean value) {
|
||||||
updater.set(UPDATER_DOWNLAD, value);
|
updater.set(UPDATER_DOWNLAD, value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine whether or not debug mode is enabled.
|
||||||
|
* <p>
|
||||||
|
* This grants access to the filter command.
|
||||||
|
* @return TRUE if it is, FALSE otherwise.
|
||||||
|
*/
|
||||||
|
public boolean isDebug() {
|
||||||
|
return global.getBoolean(DEBUG_MODE_ENABLED, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set whether or not debug mode is enabled.
|
||||||
|
* @param value - TRUE if it is enabled, FALSE otherwise.
|
||||||
|
*/
|
||||||
|
public void setDebug(boolean value) {
|
||||||
|
global.set(DEBUG_MODE_ENABLED, value);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieve the amount of time to wait until checking for a new update.
|
* Retrieve the amount of time to wait until checking for a new update.
|
||||||
|
@ -130,6 +130,11 @@ public class ProtocolLibrary extends JavaPlugin {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Print the state of the debug mode
|
||||||
|
if (config.isDebug()) {
|
||||||
|
logger.warning("Debug mode is enabled!");
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// Check for other versions
|
// Check for other versions
|
||||||
checkConflictingVersions();
|
checkConflictingVersions();
|
||||||
@ -162,7 +167,7 @@ public class ProtocolLibrary extends JavaPlugin {
|
|||||||
|
|
||||||
// Initialize command handlers
|
// Initialize command handlers
|
||||||
commandProtocol = new CommandProtocol(detailedReporter, this, updater, config);
|
commandProtocol = new CommandProtocol(detailedReporter, this, updater, config);
|
||||||
commandFilter = new CommandFilter(detailedReporter, this);
|
commandFilter = new CommandFilter(detailedReporter, this, config);
|
||||||
commandPacket = new CommandPacket(detailedReporter, this, logger, commandFilter, protocolManager);
|
commandPacket = new CommandPacket(detailedReporter, this, logger, commandFilter, protocolManager);
|
||||||
|
|
||||||
// Send logging information to player listeners too
|
// Send logging information to player listeners too
|
||||||
|
@ -18,4 +18,7 @@ global:
|
|||||||
ignore version check:
|
ignore version check:
|
||||||
|
|
||||||
# Override the starting injecting method
|
# Override the starting injecting method
|
||||||
injection method:
|
injection method:
|
||||||
|
|
||||||
|
# Whether or not to enable the filter command
|
||||||
|
debug: false
|
In neuem Issue referenzieren
Einen Benutzer sperren