Add security warning.
This commit is contained in:
Daniel Scalzi
@@ -5,6 +5,8 @@ import { Artifact } from 'helios-distribution-types'
|
||||
import { RepoStructure } from '../../structure/repo/Repo.struct'
|
||||
import { BaseResolver } from '../baseresolver'
|
||||
import { MinecraftVersion } from '../../util/MinecraftVersion'
|
||||
import { VersionUtil } from '../../util/versionutil'
|
||||
import { LoggerUtil } from '../../util/LoggerUtil'
|
||||
|
||||
export abstract class ForgeResolver extends BaseResolver {
|
||||
|
||||
@@ -26,6 +28,65 @@ export abstract class ForgeResolver extends BaseResolver {
|
||||
super(absoluteRoot, relativeRoot, baseUrl)
|
||||
this.repoStructure = new RepoStructure(absoluteRoot, relativeRoot)
|
||||
this.artifactVersion = this.inferArtifactVersion()
|
||||
this.checkSecurity()
|
||||
}
|
||||
|
||||
public checkSecurity(): void {
|
||||
const major = this.minecraftVersion.getMajor()
|
||||
const minor = this.minecraftVersion.getMinor()
|
||||
|
||||
// https://github.com/apache/logging-log4j2/pull/608
|
||||
// https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
|
||||
// https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
|
||||
// https://twitter.com/gigaherz/status/1469331288368861195
|
||||
|
||||
const patchMatrix: { [major: number]: string } = {
|
||||
18: '38.0.17',
|
||||
17: '37.1.1',
|
||||
16: '36.2.20',
|
||||
15: '31.2.56',
|
||||
14: '28.2.25',
|
||||
13: '25.0.222',
|
||||
12: '14.23.5.2857'
|
||||
}
|
||||
|
||||
const isVUlnerable = major == 1 && (minor <= 18 && minor >= 7)
|
||||
const hasPatch = major == 1 && minor >= 12
|
||||
let unsafe
|
||||
|
||||
if(isVUlnerable) {
|
||||
if(hasPatch) {
|
||||
unsafe = !VersionUtil.versionGte(this.forgeVersion, patchMatrix[minor])
|
||||
} else {
|
||||
unsafe = true
|
||||
}
|
||||
}
|
||||
|
||||
if(unsafe) {
|
||||
|
||||
const logger = LoggerUtil.getLogger('ForgeSecurity')
|
||||
|
||||
logger.error('==================================================================')
|
||||
logger.error(' WARNING ')
|
||||
logger.error(' This version of Forge is vulnerable to a CRITICAL RCE exploit. ')
|
||||
logger.error(' DO NOT USE THIS VERSION! ')
|
||||
if(hasPatch) {
|
||||
logger.error(` A patch is available as of Minecraft Forge v${patchMatrix[minor]} `)
|
||||
}
|
||||
else {
|
||||
logger.error(' There is no patch available for this version. ')
|
||||
}
|
||||
logger.error('==================================================================')
|
||||
|
||||
logger.error('To abort, use CTRL + C.')
|
||||
logger.error('Nebula will proceed in 15 seconds..')
|
||||
const target = new Date().getTime() + (15*1000)
|
||||
while(new Date().getTime() <= target) {
|
||||
// Wait
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Coverage is not 100% but that doesnt matter.
|
||||
|
||||
@@ -100,6 +100,8 @@ export class ServerStructure extends BaseModelStructure<Server> {
|
||||
const relativeServerRoot = join(this.relativeRoot, file)
|
||||
if ((await lstat(absoluteServerRoot)).isDirectory()) {
|
||||
|
||||
this.logger.info(`Beginning processing of ${file}.`)
|
||||
|
||||
const match = this.ID_REGEX.exec(file)
|
||||
if (match == null) {
|
||||
this.logger.warn(`Server directory ${file} does not match the defined standard.`)
|
||||
|
||||
@@ -67,4 +67,22 @@ export class VersionUtil {
|
||||
return version
|
||||
}
|
||||
|
||||
public static versionGte(version: string, min: string): boolean {
|
||||
|
||||
const left = version.split('.').map(x => Number(x))
|
||||
const right = min.split('.').map(x => Number(x))
|
||||
|
||||
if(left.length != right.length) {
|
||||
throw new Error('Cannot compare mismatched versions.')
|
||||
}
|
||||
|
||||
for(let i=0; i<left.length; i++) {
|
||||
if(left[i] < right[i]) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user