oier/patatapack2-distribution
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add security warning.

Browse Source
This commit is contained in:
Daniel Scalzi
2021-12-10 16:11:39 -05:00
parent e97ac9bfad
commit 640f3f0507
5 changed files with 343 additions and 329 deletions
Download Patch File Download Diff File Expand all files Collapse all files

569
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

22
package.json
View File

@@ -28,29 +28,29 @@
"homepage": "https://github.com/dscalzi/Nebula#readme", "homepage": "https://github.com/dscalzi/Nebula#readme",
"devDependencies": { "devDependencies": {
"@types/fs-extra": "^9.0.13", "@types/fs-extra": "^9.0.13",
"@types/luxon": "^2.0.5", "@types/luxon": "^2.0.7",
"@types/minimatch": "^3.0.5", "@types/minimatch": "^3.0.5",
"@types/node": "^16.11.6", "@types/node": "^16.11.12",
"@types/triple-beam": "^1.3.2", "@types/triple-beam": "^1.3.2",
"@types/yargs": "^17.0.3", "@types/yargs": "^17.0.7",
"@typescript-eslint/eslint-plugin": "^5.2.0", "@typescript-eslint/eslint-plugin": "^5.6.0",
"@typescript-eslint/parser": "^5.2.0", "@typescript-eslint/parser": "^5.6.0",
"eslint": "^8.1.0", "eslint": "^8.4.1",
"rimraf": "^3.0.2", "rimraf": "^3.0.2",
"typescript": "^4.4.4" "typescript": "^4.5.3"
}, },
"dependencies": { "dependencies": {
"dotenv": "^10.0.0", "dotenv": "^10.0.0",
"fs-extra": "^10.0.0", "fs-extra": "^10.0.0",
"got": "^11.8.2", "got": "^11.8.3",
"helios-distribution-types": "^1.0.0-rc.2", "helios-distribution-types": "^1.0.0-rc.2",
"luxon": "^2.0.2", "luxon": "^2.2.0",
"minimatch": "^3.0.4", "minimatch": "^3.0.4",
"node-stream-zip": "^1.15.0", "node-stream-zip": "^1.15.0",
"toml": "^3.0.0", "toml": "^3.0.0",
"triple-beam": "^1.3.0", "triple-beam": "^1.3.0",
"ts-json-schema-generator": "^0.96.0", "ts-json-schema-generator": "^0.97.0",
"winston": "^3.3.3", "winston": "^3.3.3",
"yargs": "^17.2.1" "yargs": "^17.3.0"
} }
} }

61
src/resolver/forge/forge.resolver.ts
View File

@@ -5,6 +5,8 @@ import { Artifact } from 'helios-distribution-types'
import { RepoStructure } from '../../structure/repo/Repo.struct' import { RepoStructure } from '../../structure/repo/Repo.struct'
import { BaseResolver } from '../baseresolver' import { BaseResolver } from '../baseresolver'
import { MinecraftVersion } from '../../util/MinecraftVersion' import { MinecraftVersion } from '../../util/MinecraftVersion'
import { VersionUtil } from '../../util/versionutil'
import { LoggerUtil } from '../../util/LoggerUtil'
export abstract class ForgeResolver extends BaseResolver { export abstract class ForgeResolver extends BaseResolver {
@@ -26,6 +28,65 @@ export abstract class ForgeResolver extends BaseResolver {
super(absoluteRoot, relativeRoot, baseUrl) super(absoluteRoot, relativeRoot, baseUrl)
this.repoStructure = new RepoStructure(absoluteRoot, relativeRoot) this.repoStructure = new RepoStructure(absoluteRoot, relativeRoot)
this.artifactVersion = this.inferArtifactVersion() this.artifactVersion = this.inferArtifactVersion()
this.checkSecurity()
}
public checkSecurity(): void {
const major = this.minecraftVersion.getMajor()
const minor = this.minecraftVersion.getMinor()
// https://github.com/apache/logging-log4j2/pull/608
// https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
// https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
// https://twitter.com/gigaherz/status/1469331288368861195
const patchMatrix: { [major: number]: string } = {
18: '38.0.17',
17: '37.1.1',
16: '36.2.20',
15: '31.2.56',
14: '28.2.25',
13: '25.0.222',
12: '14.23.5.2857'
}
const isVUlnerable = major == 1 && (minor <= 18 && minor >= 7)
const hasPatch = major == 1 && minor >= 12
let unsafe
if(isVUlnerable) {
if(hasPatch) {
unsafe = !VersionUtil.versionGte(this.forgeVersion, patchMatrix[minor])
} else {
unsafe = true
}
}
if(unsafe) {
const logger = LoggerUtil.getLogger('ForgeSecurity')
logger.error('==================================================================')
logger.error(' WARNING ')
logger.error(' This version of Forge is vulnerable to a CRITICAL RCE exploit. ')
logger.error(' DO NOT USE THIS VERSION! ')
if(hasPatch) {
logger.error(` A patch is available as of Minecraft Forge v${patchMatrix[minor]} `)
}
else {
logger.error(' There is no patch available for this version. ')
}
logger.error('==================================================================')
logger.error('To abort, use CTRL + C.')
logger.error('Nebula will proceed in 15 seconds..')
const target = new Date().getTime() + (15*1000)
while(new Date().getTime() <= target) {
// Wait
}
}
} }
// Coverage is not 100% but that doesnt matter. // Coverage is not 100% but that doesnt matter.

2
src/structure/spec_model/Server.struct.ts
View File

@@ -100,6 +100,8 @@ export class ServerStructure extends BaseModelStructure<Server> {
const relativeServerRoot = join(this.relativeRoot, file) const relativeServerRoot = join(this.relativeRoot, file)
if ((await lstat(absoluteServerRoot)).isDirectory()) { if ((await lstat(absoluteServerRoot)).isDirectory()) {
this.logger.info(`Beginning processing of ${file}.`)
const match = this.ID_REGEX.exec(file) const match = this.ID_REGEX.exec(file)
if (match == null) { if (match == null) {
this.logger.warn(`Server directory ${file} does not match the defined standard.`) this.logger.warn(`Server directory ${file} does not match the defined standard.`)

18
src/util/versionutil.ts
View File

@@ -67,4 +67,22 @@ export class VersionUtil {
return version return version
} }
public static versionGte(version: string, min: string): boolean {
const left = version.split('.').map(x => Number(x))
const right = min.split('.').map(x => Number(x))
if(left.length != right.length) {
throw new Error('Cannot compare mismatched versions.')
}
for(let i=0; i<left.length; i++) {
if(left[i] < right[i]) {
return false
}
}
return true
}
} }