fix!: disable proxy detection to avoid vulnerabilities (see full comm…

…it for more info)

If you are using 1.12 or lower you are unaffected as the features causing this issue were not implemented back then.

Thanks to rooter.rs for notifying me of these issues as well as helping code and test a fix for this.

Velocity was unaffected by this issue if you had the plugin on the proxy though due to the likelihood that may not be the case I have decided to disable this for everyone by default

If you are on bungee you will 100% want to update to this version right away.

For a full writeup by roote.rs see https://roote.rs/posts/advancedportals/

build.gradle

@@ -17,6 +17,12 @@ import org.apache.http.impl.client.HttpClients
 import java.util.regex.Matcher
 import java.util.regex.Pattern
 
+import java.nio.file.Files
+import java.nio.file.Paths
+import java.nio.file.StandardCopyOption
+import java.nio.file.StandardOpenOption
+
+
 buildscript {
     repositories {
         maven { url "https://plugins.gradle.org/m2/" }
@@ -298,24 +304,29 @@ task curseforge {
 //        releaseType = 'release'
 }
 
-task copyPlugin {
+/**
+ * Will build then copy it to the minecraft server folder for use with the launch task and dev tools plugin
+ */
+tasks.register('copyPlugin') {
+    dependsOn(build)
     doLast {
         copy {
-            if (System.env.MC_SERVER_LOC == null) {
-                throw new Exception('You must set the server location and jar to use')
-            }
-            println "$buildDir/libs/Advanced-Portals-${version}.jar"
-            println "${System.env.MC_SERVER_LOC}/plugins/Advanced-Portals-${version}.jar"
-            try {
-                delete fileTree("${System.env.MC_SERVER_LOC}/plugins/") {
-                    include "*.jar"
-                }
-            }
-            catch (RuntimeException e) {
-                println e.getLocalizedMessage()
+            def sourceFilePath = Paths.get("$buildDir/libs/Advanced-Portals-${getVersion()}.jar")
+            def destinationFilePath = Paths.get("$buildDir/MinecraftServer/plugins/Advanced-Portals.jar")
+
+            println "Handling file: $destinationFilePath"
+
+            byte[] newContent = Files.readAllBytes(sourceFilePath)
+
+            if (Files.exists(destinationFilePath)) {
+                println "File exists. Overwriting with new binary content."
+
+                Files.write(destinationFilePath, newContent, StandardOpenOption.TRUNCATE_EXISTING)
+            } else {
+                println "File does not exist. Copying from source."
+
+                Files.copy(sourceFilePath, destinationFilePath, StandardCopyOption.REPLACE_EXISTING)
             }
-            from file("$buildDir/libs/Advanced-Portals-${version}.jar")
-            into file("${System.env.MC_SERVER_LOC}/plugins/")
         }
     }
 }

src/main/java/com/sekwah/advancedportals/bukkit/AdvancedPortalsPlugin.java

@@ -25,9 +25,7 @@ public class AdvancedPortalsPlugin extends JavaPlugin {
 
     private Settings settings;
 
-    protected boolean isProxyPluginEnabled = false;
-
-    protected boolean forceRegisterProxyChannels = false;
+    protected boolean registerProxyChannels = false;
     protected boolean disableProxyWarning = false;
 
     private boolean worldEditActive = false;
@@ -51,7 +49,7 @@ public void onEnable() {
         config.saveConfig();
 
         FileConfiguration pluginConfig = config.getConfig();
-        forceRegisterProxyChannels = pluginConfig.getBoolean(ConfigHelper.FORCE_ENABLE_PROXY_SUPPORT, false);
+        registerProxyChannels = pluginConfig.getBoolean(ConfigHelper.ENABLE_PROXY_SUPPORT, false);
         disableProxyWarning = pluginConfig.getBoolean(ConfigHelper.DISABLE_PROXY_WARNING, false);
 
         ConfigAccessor portalConfig = new ConfigAccessor(this, "portals.yml");
@@ -118,15 +116,11 @@ private void setupDataCollector() {
     private void setupBungee() {
         // Enables very basic bungee support if not setup right
         this.getServer().getMessenger().registerOutgoingPluginChannel(this, "BungeeCord");
-        if(forceRegisterProxyChannels || this.checkIfBungee()) {
+        if(registerProxyChannels || this.checkIfBungee()) {
             this.getServer().getMessenger().registerIncomingPluginChannel(this, "BungeeCord", new BungeeListener(this));
 
             this.getServer().getMessenger().registerOutgoingPluginChannel(this, BungeeMessages.CHANNEL_NAME);
             this.getServer().getMessenger().registerIncomingPluginChannel(this, BungeeMessages.CHANNEL_NAME, new PluginMessageReceiver(this));
-            isProxyPluginEnabled = true;
-        }
-        else {
-            isProxyPluginEnabled = false;
         }
     }
 
@@ -135,7 +129,7 @@ public Map<String, String> getPlayerDestiMap() {
     }
 
     public boolean isProxyPluginEnabled() {
-        return isProxyPluginEnabled;
+        return registerProxyChannels;
     }
 
     private boolean checkIfBungee()

src/main/java/com/sekwah/advancedportals/bukkit/config/ConfigHelper.java

@@ -8,6 +8,7 @@ public class ConfigHelper {
 
     public static final String COMMAND_LOGS = "CommandLogs";
 
+    public static final String ENABLE_PROXY_SUPPORT = "EnableProxySupport";
     public static final String FORCE_ENABLE_PROXY_SUPPORT = "ForceEnableProxySupport";
     public static final String DISABLE_PROXY_WARNING = "DisableProxyWarning";
 
@@ -40,6 +41,11 @@ public void update() {
             config.set(ConfigHelper.CONFIG_VERSION, "0.5.13");
             config.set(ConfigHelper.FORCE_ENABLE_PROXY_SUPPORT, false);
             config.set(ConfigHelper.PROXY_TELEPORT_DELAY, 0);
+            update();
+        } else if(configVersion.equals("0.5.13")) {
+            config.set(ConfigHelper.CONFIG_VERSION, "0.5.14");
+            config.set(ConfigHelper.FORCE_ENABLE_PROXY_SUPPORT, null);
+            config.set(ConfigHelper.ENABLE_PROXY_SUPPORT, config.getBoolean(ConfigHelper.FORCE_ENABLE_PROXY_SUPPORT));
         }
     }
 }

src/main/java/com/sekwah/advancedportals/bukkit/destinations/Destination.java

@@ -164,8 +164,6 @@ public static boolean warp(Player player, String dest, AdvancedPortal disp, bool
                     WarpEffects.activateSound(player);
                 }
 
-                System.out.println(PORTAL_MESSAGE_DISPLAY);
-
                 if (PORTAL_MESSAGE_DISPLAY == 1) {
                     player.sendMessage("");
                     player.sendMessage(PluginMessages.customPrefix + PluginMessages.getWarpMessage(dest));

src/main/java/com/sekwah/advancedportals/bukkit/listeners/PluginMessageReceiver.java

@@ -6,21 +6,29 @@
 import com.sekwah.advancedportals.bukkit.config.ConfigAccessor;
 import com.sekwah.advancedportals.bukkit.config.ConfigHelper;
 import com.sekwah.advancedportals.bukkit.destinations.Destination;
+import com.sekwah.advancedportals.bukkit.PluginMessages;
 import com.sekwah.advancedportals.bungee.BungeeMessages;
 import org.bukkit.entity.Player;
 import org.bukkit.plugin.messaging.PluginMessageListener;
+import org.bukkit.Bukkit;
 
 import java.util.UUID;
 
 public class PluginMessageReceiver implements PluginMessageListener {
 
+    public static final String ENABLE_MESSAGE = PluginMessages.customPrefixFail + "§c Warning! To avoid vulnerabilities we have disabled proxy messages by default. To enable full proxy features, please change §eEnableProxySupport §cin the config.yml and ensure you have the plugin installed on the proxy.";
+    public static final String WARNING_MESSAGE = PluginMessages.customPrefixFail + "§c Warning! A proxy message was received but proxy plugin support is not enabled. To enable it, please set §eEnableProxySupport §cto true and install the plugin on the proxy. If you do not remember having the proxy plugin, please ignore this message as it may be someone trying to attack your server.";
     private final AdvancedPortalsPlugin plugin;
     private final int teleportDelay;
+    private boolean isNotifiedAboutEnabling = false;
 
     public PluginMessageReceiver(AdvancedPortalsPlugin plugin) {
         this.plugin = plugin;
         ConfigAccessor config = new ConfigAccessor(plugin, "config.yml");
         teleportDelay = config.getConfig().getInt(ConfigHelper.PROXY_TELEPORT_DELAY, 0);
+        if(!plugin.isProxyPluginEnabled()) {
+            Bukkit.getConsoleSender().sendMessage(ENABLE_MESSAGE);
+        }
     }
 
     @Override
@@ -30,6 +38,19 @@ public void onPluginMessageReceived(String channel, Player player, byte[] messag
             return;
         }
 
+        if(!plugin.isProxyPluginEnabled()) {
+            if(!isNotifiedAboutEnabling) {
+                for (Player p : Bukkit.getOnlinePlayers()) {
+                    if (!p.isOp()) continue;
+                    p.sendMessage(WARNING_MESSAGE);
+                }
+                Bukkit.getConsoleSender().sendMessage(WARNING_MESSAGE);
+
+                isNotifiedAboutEnabling = true;
+            }
+            return;
+        }
+
         ByteArrayDataInput in = ByteStreams.newDataInput(message);
         String subchannel = in.readUTF();
 
@@ -65,23 +86,4 @@ public void teleportPlayerToDesti(Player player, String desti, String bungeeUUID
             );
         }
     }
-
-    /**
-     * Example forward packet.
-     *
-     * Construct like the forge packets.
-     *
-     * out.writeUTF("Forward"); // So BungeeCord knows to forward it
-     out.writeUTF("ALL");
-     out.writeUTF("MyChannel"); // The channel name to check if this your data
-
-     ByteArrayOutputStream msgbytes = new ByteArrayOutputStream();
-     DataOutputStream msgout = new DataOutputStream(msgbytes);
-     msgout.writeUTF("Some kind of data here"); // You can do anything you want with msgout
-     msgout.writeShort(123);
-
-     out.writeShort(msgbytes.toByteArray().length);
-     out.write(msgbytes.toByteArray());
-     *
-     */
 }

src/main/resources/config.yml

@@ -3,7 +3,7 @@
 # To set this file back to its default state just delete it and reload the server or restart it!
 
 # Will update whenever there is a config update from an older version so may not be the latest plugin version
-ConfigVersion: 0.5.13
+ConfigVersion: 0.5.14
 
 # Set to true if you want the normal axes to work normally but the ones given with /portals selector or wand will still work though
 # It can be useful if people with permission want to use an iron axe on a survival server
@@ -76,8 +76,8 @@ CommandLevels: opcb
 # Should the commands being triggered log in the console? (If you have an active server it may cause a bit of spam)
 CommandLogs: true
 
-# If you want to use bungee or velocity, and it is not automatically detected (make sure you have advanced portals on the proxy, especially with velocity)
-ForceEnableProxySupport: false
+# If you want to use bungee or velocity features
+EnableProxySupport: false
 
 # How many seconds after the proxy event fires should the player be teleported (should help with on spawn plugins and such)
 # 0 is disabled and anything higher causes a delay.