Add security warning.

2021-12-10 16:11:39 -05:00
parent e97ac9bfad
commit 640f3f0507
5 changed files with 343 additions and 329 deletions
--- a/src/resolver/forge/forge.resolver.ts
+++ b/src/resolver/forge/forge.resolver.ts
@@ -5,6 +5,8 @@ import { Artifact } from 'helios-distribution-types'
 import { RepoStructure } from '../../structure/repo/Repo.struct'
 import { BaseResolver } from '../baseresolver'
 import { MinecraftVersion } from '../../util/MinecraftVersion'
+import { VersionUtil } from '../../util/versionutil'
+import { LoggerUtil } from '../../util/LoggerUtil'

 export abstract class ForgeResolver extends BaseResolver {

@@ -26,6 +28,65 @@ export abstract class ForgeResolver extends BaseResolver {
        super(absoluteRoot, relativeRoot, baseUrl)
        this.repoStructure = new RepoStructure(absoluteRoot, relativeRoot)
        this.artifactVersion = this.inferArtifactVersion()
+        this.checkSecurity()
+    }
+
+    public checkSecurity(): void {
+        const major = this.minecraftVersion.getMajor()
+        const minor = this.minecraftVersion.getMinor()
+
+        // https://github.com/apache/logging-log4j2/pull/608
+        // https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
+        // https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
+        // https://twitter.com/gigaherz/status/1469331288368861195
+
+        const patchMatrix: { [major: number]: string } = {
+            18: '38.0.17',
+            17: '37.1.1',
+            16: '36.2.20',
+            15: '31.2.56',
+            14: '28.2.25',
+            13: '25.0.222',
+            12: '14.23.5.2857'
+        }
+
+        const isVUlnerable = major == 1 && (minor <= 18 && minor >= 7)
+        const hasPatch = major == 1 && minor >= 12
+        let unsafe
+
+        if(isVUlnerable) {
+            if(hasPatch) {
+                unsafe = !VersionUtil.versionGte(this.forgeVersion, patchMatrix[minor])
+            } else {
+                unsafe = true
+            }
+        }
+
+        if(unsafe) {
+
+            const logger = LoggerUtil.getLogger('ForgeSecurity')
+
+            logger.error('==================================================================')
+            logger.error('                           WARNING                                ')
+            logger.error('  This version of Forge is vulnerable to a CRITICAL RCE exploit.  ')
+            logger.error('                    DO NOT USE THIS VERSION!                      ')
+            if(hasPatch) {
+                logger.error(`     A patch is available as of Minecraft Forge v${patchMatrix[minor]}       `)
+            }
+            else {
+                logger.error('         There is no patch available for this version.            ')
+            }
+            logger.error('==================================================================')
+
+            logger.error('To abort, use CTRL + C.')
+            logger.error('Nebula will proceed in 15 seconds..')
+            const target = new Date().getTime() + (15*1000)
+            while(new Date().getTime() <= target) {
+                // Wait
+            }
+
+        }
+
    }

    // Coverage is not 100% but that doesnt matter.