Add security warning.

2021-12-10 16:11:39 -05:00
parent e97ac9bfad
commit 640f3f0507
5 changed files with 343 additions and 329 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -28,29 +28,29 @@
  "homepage": "https://github.com/dscalzi/Nebula#readme",
  "devDependencies": {
    "@types/fs-extra": "^9.0.13",
-    "@types/luxon": "^2.0.5",
+    "@types/luxon": "^2.0.7",
    "@types/minimatch": "^3.0.5",
-    "@types/node": "^16.11.6",
+    "@types/node": "^16.11.12",
    "@types/triple-beam": "^1.3.2",
-    "@types/yargs": "^17.0.3",
-    "@typescript-eslint/eslint-plugin": "^5.2.0",
-    "@typescript-eslint/parser": "^5.2.0",
-    "eslint": "^8.1.0",
+    "@types/yargs": "^17.0.7",
+    "@typescript-eslint/eslint-plugin": "^5.6.0",
+    "@typescript-eslint/parser": "^5.6.0",
+    "eslint": "^8.4.1",
    "rimraf": "^3.0.2",
-    "typescript": "^4.4.4"
+    "typescript": "^4.5.3"
  },
  "dependencies": {
    "dotenv": "^10.0.0",
    "fs-extra": "^10.0.0",
-    "got": "^11.8.2",
+    "got": "^11.8.3",
    "helios-distribution-types": "^1.0.0-rc.2",
-    "luxon": "^2.0.2",
+    "luxon": "^2.2.0",
    "minimatch": "^3.0.4",
    "node-stream-zip": "^1.15.0",
    "toml": "^3.0.0",
    "triple-beam": "^1.3.0",
-    "ts-json-schema-generator": "^0.96.0",
+    "ts-json-schema-generator": "^0.97.0",
    "winston": "^3.3.3",
-    "yargs": "^17.2.1"
+    "yargs": "^17.3.0"
  }
 }
--- a/src/resolver/forge/forge.resolver.ts
+++ b/src/resolver/forge/forge.resolver.ts
@@ -5,6 +5,8 @@ import { Artifact } from 'helios-distribution-types'
 import { RepoStructure } from '../../structure/repo/Repo.struct'
 import { BaseResolver } from '../baseresolver'
 import { MinecraftVersion } from '../../util/MinecraftVersion'
+import { VersionUtil } from '../../util/versionutil'
+import { LoggerUtil } from '../../util/LoggerUtil'

 export abstract class ForgeResolver extends BaseResolver {

@@ -26,6 +28,65 @@ export abstract class ForgeResolver extends BaseResolver {
        super(absoluteRoot, relativeRoot, baseUrl)
        this.repoStructure = new RepoStructure(absoluteRoot, relativeRoot)
        this.artifactVersion = this.inferArtifactVersion()
+        this.checkSecurity()
+    }
+
+    public checkSecurity(): void {
+        const major = this.minecraftVersion.getMajor()
+        const minor = this.minecraftVersion.getMinor()
+
+        // https://github.com/apache/logging-log4j2/pull/608
+        // https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
+        // https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
+        // https://twitter.com/gigaherz/status/1469331288368861195
+
+        const patchMatrix: { [major: number]: string } = {
+            18: '38.0.17',
+            17: '37.1.1',
+            16: '36.2.20',
+            15: '31.2.56',
+            14: '28.2.25',
+            13: '25.0.222',
+            12: '14.23.5.2857'
+        }
+
+        const isVUlnerable = major == 1 && (minor <= 18 && minor >= 7)
+        const hasPatch = major == 1 && minor >= 12
+        let unsafe
+
+        if(isVUlnerable) {
+            if(hasPatch) {
+                unsafe = !VersionUtil.versionGte(this.forgeVersion, patchMatrix[minor])
+            } else {
+                unsafe = true
+            }
+        }
+
+        if(unsafe) {
+
+            const logger = LoggerUtil.getLogger('ForgeSecurity')
+
+            logger.error('==================================================================')
+            logger.error('                           WARNING                                ')
+            logger.error('  This version of Forge is vulnerable to a CRITICAL RCE exploit.  ')
+            logger.error('                    DO NOT USE THIS VERSION!                      ')
+            if(hasPatch) {
+                logger.error(`     A patch is available as of Minecraft Forge v${patchMatrix[minor]}       `)
+            }
+            else {
+                logger.error('         There is no patch available for this version.            ')
+            }
+            logger.error('==================================================================')
+
+            logger.error('To abort, use CTRL + C.')
+            logger.error('Nebula will proceed in 15 seconds..')
+            const target = new Date().getTime() + (15*1000)
+            while(new Date().getTime() <= target) {
+                // Wait
+            }
+
+        }
+
    }

    // Coverage is not 100% but that doesnt matter.
--- a/src/structure/spec_model/Server.struct.ts
+++ b/src/structure/spec_model/Server.struct.ts
@@ -100,6 +100,8 @@ export class ServerStructure extends BaseModelStructure<Server> {
            const relativeServerRoot = join(this.relativeRoot, file)
            if ((await lstat(absoluteServerRoot)).isDirectory()) {

+                this.logger.info(`Beginning processing of ${file}.`)
+
                const match = this.ID_REGEX.exec(file)
                if (match == null) {
                    this.logger.warn(`Server directory ${file} does not match the defined standard.`)
--- a/src/util/versionutil.ts
+++ b/src/util/versionutil.ts
@@ -67,4 +67,22 @@ export class VersionUtil {
        return version
    }

+    public static versionGte(version: string, min: string): boolean {
+
+        const left = version.split('.').map(x => Number(x))
+        const right = min.split('.').map(x => Number(x))
+
+        if(left.length != right.length) {
+            throw new Error('Cannot compare mismatched versions.')
+        }
+
+        for(let i=0; i<left.length; i++) {
+            if(left[i] < right[i]) {
+                return false
+            }
+        }
+
+        return true
+    }
+
 }