velocity-feat-mod #24

Open
wants to merge 18 commits into
base: master
Changes from 17 commits
58 changes: 30 additions & 28 deletions pom.xml
Expand Up @@ -10,7 +10,9 @@
<packaging>pom</packaging>

<modules>
<module>zander-proxy</module>
<!-- <module>zander-waterfall</module> -->
<!-- Decomissioned Waterfall in v1.3.0 -->
<module>zander-velocity</module>
<module>zander-hub</module>
<module>zander-auth</module>
</modules>
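Review bot: Delete the commented-out `<module>zander-waterfall</module>` entry in `<modules>` instead of keeping it as dead XML; version control already preserves the old line, and the decommissioning note belongs in the changelog or commit message. If the comment stays, fix the spelling ("Decomissioned" should be "Decommissioned") and check the version it cites: it says v1.3.0, while the new zander-velocity module in this PR declares 1.2.0.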
Expand All @@ -22,34 +24,34 @@
<build>
<defaultGoal>clean install</defaultGoal>

<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.2.4</version>
<configuration>
<!-- Place configurations here -->
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- <plugins>-->
<!-- <plugin>-->
<!-- <groupId>org.apache.maven.plugins</groupId>-->
<!-- <artifactId>maven-shade-plugin</artifactId>-->
<!-- <version>3.2.4</version>-->
<!-- <configuration>-->
<!-- &lt;!&ndash; Place configurations here &ndash;&gt;-->
<!-- </configuration>-->
<!-- <executions>-->
<!-- <execution>-->
<!-- <phase>package</phase>-->
<!-- <goals>-->
<!-- <goal>shade</goal>-->
<!-- </goals>-->
<!-- </execution>-->
<!-- </executions>-->
<!-- </plugin>-->

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
<!-- <plugin>-->
<!-- <groupId>org.apache.maven.plugins</groupId>-->
<!-- <artifactId>maven-compiler-plugin</artifactId>-->
<!-- <version>3.8.1</version>-->
<!-- <configuration>-->
<!-- <source>1.8</source>-->
<!-- <target>1.8</target>-->
<!-- </configuration>-->
<!-- </plugin>-->
<!-- </plugins>-->
</build>
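Review bot: Commenting out the whole `<plugins>` block in the parent `<build>` drops the shared maven-compiler-plugin settings (`<source>1.8</source>`, `<target>1.8</target>`) and the maven-shade-plugin execution for any module that inherits from this parent, and neither the zander-auth nor the zander-hub hunks in this PR add a replacement. Confirm those modules still compile at the intended Java level and still produce a shaded jar, or move the settings into `<pluginManagement>` with the new values. Either way, delete the block rather than commenting it out: the escaped nested comment (`&lt;!&ndash; Place configurations here &ndash;&gt;`) is editor residue, and dead XML in the parent POM will drift from what the modules actually use.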


8 changes: 3 additions & 5 deletions zander-auth/pom.xml
Expand Up @@ -13,19 +13,17 @@
<version>1.0</version>

<repositories>
<!-- PaperMC/WaterFall -->
<repository>
<id>papermc</id>
<url>https://papermc.io/repo/repository/maven-public/</url>
<url>https://repo.papermc.io/repository/maven-public/</url>
</repository>
</repositories>

<dependencies>
<!-- PaperMC -->
<dependency>
<groupId>io.papermc.paper</groupId>
<artifactId>paper-api</artifactId>
<version>1.20.2-R0.1-SNAPSHOT</version>
<version>1.21.4-R0.1-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
<dependency>
Expand All @@ -37,7 +35,7 @@
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.22</version>
<version>1.18.36</version>
<scope>compile</scope>
</dependency>
<dependency>
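Review bot: lombok stays at `<scope>compile</scope>` after the bump to 1.18.36. Lombok is only needed at compile time as an annotation processor, so `<scope>provided</scope>` keeps it off the runtime classpath and out of any packaged jar.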
13 changes: 7 additions & 6 deletions zander-hub/pom.xml
@@ -1,4 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
Expand All @@ -13,20 +12,22 @@
<version>1.0</version>

<repositories>
<!-- PaperMC/WaterFall -->
<repository>
<id>papermc</id>
<url>https://papermc.io/repo/repository/maven-public/</url>
<url>https://repo.papermc.io/repository/maven-public/</url>
</repository>
<repository>
<id>sonatype</id>
<url>https://oss.sonatype.org/content/groups/public</url>
</repository>
</repositories>

<dependencies>
<!-- PaperMC -->
<dependency>
<groupId>io.papermc.paper</groupId>
<artifactId>paper-api</artifactId>
<version>1.20.2-R0.1-SNAPSHOT</version>
<scope>provided</scope>
<version>1.21.4-R0.1-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
</dependencies>
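Review bot: paper-api changes from `<scope>provided</scope>` to `<scope>compile</scope>` here, while zander-auth keeps the same dependency at `provided`. The server supplies the Paper API at runtime, so compile scope puts the API and its transitive dependencies on this module's runtime classpath and into any shaded artifact; keep `provided` unless there is a specific reason for the change. The new `sonatype` repository (`https://oss.sonatype.org/content/groups/public`) also has no visible consumer, since paper-api is the only dependency listed in this block; drop it or state which artifact needs it, because every extra repository is another place a dependency coordinate can be resolved from.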

81 changes: 81 additions & 0 deletions zander-velocity/dependency-reduced-pom.xml
@@ -0,0 +1,81 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.modularsoft</groupId>
<artifactId>zander-velocity</artifactId>
<name>zander-velocity</name>
<version>1.2.0</version>
<build>
<resources>
<resource>
<filtering>true</filtering>
<directory>${project.basedir}/src/main/resources</directory>
</resource>
</resources>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.11.0</version>
<configuration>
<release>17</release>
</configuration>
</plugin>
<plugin>
<artifactId>maven-shade-plugin</artifactId>
<version>3.4.1</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
</execution>
</executions>
<configuration>
<filters>
<filter>
<artifact>*:*</artifact>
<excludes>
<exclude>META-INF/*.MF</exclude>
</excludes>
</filter>
</filters>
<relocations>
<relocation>
<pattern>dev.dejvokep.boostedyaml</pattern>
<shadedPattern>org.modularsoft.zander.velocity.libs</shadedPattern>
</relocation>
</relocations>
</configuration>
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>papermc-repo</id>
<url>https://repo.papermc.io/repository/maven-public/</url>
</repository>
<repository>
<id>maven2</id>
<url>https://repo.maven.apache.org/maven2</url>
</repository>
<repository>
<id>jitpack.io</id>
<url>https://jitpack.io</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.velocitypowered</groupId>
<artifactId>velocity-api</artifactId>
<version>3.4.0-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
</dependencies>
<properties>
<maven.compiler.target>17</maven.compiler.target>
<java.version>17</java.version>
<maven.compiler.source>17</maven.compiler.source>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
</project>
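Review bot: `dependency-reduced-pom.xml` is an output of maven-shade-plugin, regenerated on every `package` run, and should not be committed; it will go stale against `zander-velocity/pom.xml` and adds 81 lines of review noise. Remove the file and add it to `.gitignore`, or set `<createDependencyReducedPom>false</createDependencyReducedPom>` in the shade configuration.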
130 changes: 130 additions & 0 deletions zander-velocity/pom.xml
@@ -0,0 +1,130 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>org.modularsoft</groupId>
<artifactId>zander-velocity</artifactId>
<version>1.2.0</version>
<packaging>jar</packaging>

<name>zander-velocity</name>

<properties>
<java.version>17</java.version>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>

<build>
<resources>
<resource>
<directory>${project.basedir}/src/main/resources</directory>
<filtering>true</filtering>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.11.0</version>
<configuration>
<release>17</release>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.4.1</version>
<configuration>
<filters>
<filter>
<artifact>*:*</artifact>
<excludes>
<exclude>META-INF/*.MF</exclude>
</excludes>
</filter>
</filters>
<relocations>
<relocation>
<pattern>dev.dejvokep.boostedyaml</pattern>
<shadedPattern>org.modularsoft.zander.velocity.libs</shadedPattern>
</relocation>
</relocations>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>

<repositories>
<repository>
<id>papermc-repo</id>
<url>https://repo.papermc.io/repository/maven-public/</url>
</repository>
<repository>
<id>maven2</id>
<url>https://repo.maven.apache.org/maven2</url>
</repository>
<repository>
<id>jitpack.io</id>
<url>https://jitpack.io</url>
</repository>
</repositories>

<dependencies>
<dependency>
<groupId>com.velocitypowered</groupId>
<artifactId>velocity-api</artifactId>
<version>3.4.0-SNAPSHOT</version>
<scope>provided</scope>
Comment on lines +87 to +88
💡 Verification agent

🧩 Analysis chain

Consider using a stable version of velocity-api.

The current dependency uses a SNAPSHOT version (3.4.0-SNAPSHOT), which may change unexpectedly. For production code, it's generally better to use a stable release version.


🌐 Web query:

What is the latest stable release version of velocity-api?

💡 Result:

The latest stable release version of the velocity-api is 3.1.9. This version is listed in the Maven Repository as part of the 3.1.x release line[18]. While a newer snapshot version (3.4.0-SNAPSHOT) exists, it is not considered stable and remains under active development[8][16].

For context, the Apache Velocity Engine (a separate project) has its latest stable release at version 2.4.1[1][3][7][9]. However, the velocity-api specifically, maintained under the com.velocitypowered group, is distinct from the Apache project and follows its own release cycle.

Citations:


Action: Update velocity-api dependency version to a stable release

Although the current SNAPSHOT version (3.4.0-SNAPSHOT) may offer the latest features, it is inherently unstable and subject to unexpected changes. The latest stable release of velocity-api is 3.1.9, which is better suited for production use.

  • File: zander-velocity/pom.xml
  • Lines: 87-88
  • Current Snippet:
                <version>3.4.0-SNAPSHOT</version>
                <scope>provided</scope>
  • Suggested Change: Replace <version>3.4.0-SNAPSHOT</version> with <version>3.1.9</version> to ensure stability in production.

</dependency>
<dependency>
<groupId>com.googlecode.json-simple</groupId>
<artifactId>json-simple</artifactId>
<version>1.1.1</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.36</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>io.github.ModularEnigma</groupId>
<artifactId>Requests</artifactId>
<version>1.0.3</version>
</dependency>
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
<version>2.9.0</version>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.9</version>
<scope>compile</scope>
Comment on lines +113 to +116
💡 Verification agent

🛠️ Refactor suggestion

🧩 Analysis chain

Update GSON dependency for security.

The GSON version 2.8.9 may have security vulnerabilities. Consider updating to a newer version.


🌐 Web query:

What is the latest version of Google GSON? Are there any security vulnerabilities in GSON 2.8.9?

💡 Result:

The latest version of Google Gson as of March 2025 is 2.12.1, released in January 2025[1][14]. This version includes minor improvements like OSGi dependency adjustments and Java 21 compatibility[1].

Regarding security in version 2.8.9:

  • CVE-2022-25647 (Deserialization Vulnerability):
    • Affects all versions before 2.8.9[2][5][14]
    • Fixed in 2.8.9 through stricter deserialization checks[5][14]
    • CVSS Score: 7.5 High (NIST 3.1)[5][6]
    • Impact: Could allow denial-of-service attacks or arbitrary code execution via malicious JSON payloads[2][6]
| Key Security Aspect | Details |
| --- | --- |
| Fixed Version | 2.8.9+ |
| Vulnerability Class | Untrusted Data Deserialization |
| Affected Components | JsonReader and internal serialization mechanisms |

While 2.8.9 resolves this specific CVE, subsequent versions like 2.9.0+ introduced additional security enhancements:

  • Stricter default adapters[7]
  • Improved ProGuard/R8 rules[1]
  • Java 7 support dropped (requiring Java 8+)[7]

Major users like IBM, Atlassian, and Adobe recommend upgrading beyond 2.8.9 to benefit from ongoing security improvements[6][8][9][11]. The current 2.12.1 version maintains compatibility with modern Java environments while incorporating all previous security patches[1][14].

Citations:


Action: Upgrade the Google GSON dependency to version 2.12.1 for additional security enhancements.

The current configuration in zander-velocity/pom.xml (lines 113-116) uses GSON 2.8.9, which indeed fixed CVE-2022-25647 through stricter deserialization checks. However, version 2.12.1—released in January 2025—offers further improvements such as stricter default adapters, enhanced ProGuard/R8 rules, and compatibility with modern Java environments (including Java 21). To align with best practices and ongoing security recommendations, please update the dependency accordingly.

</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.12</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>dev.dejvokep</groupId>
<artifactId>boosted-yaml</artifactId>
<version>1.3.1</version>
</dependency>
</dependencies>
</project>
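Review bot: In the `<dependencies>` block, lombok is declared with `<scope>compile</scope>` while the shade goal runs at `package`, so Lombok ends up bundled in the plugin jar; make it `provided`. The other compile-scope libraries (gson, json-simple, json-path, slf4j-api) are shaded as well, but only `dev.dejvokep.boostedyaml` has a `<relocation>`, so their classes keep their original package names and can collide with copies already on the proxy's classpath; relocate them, or mark them `provided` where the platform supplies them. Two smaller points: the shade `<filter>` excludes only `META-INF/*.MF`, so add `META-INF/*.SF`, `META-INF/*.DSA` and `META-INF/*.RSA` in case a bundled dependency is signed, and since `jitpack.io` builds artifacts from source repositories on demand, pin anything resolved from it to an exact release tag or commit.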