AuthMe-Team / AuthMeReloaded / 2535
72%

Build:
DEFAULT BRANCH: master
Ran 06 Jul 2022 01:09PM UTC
Jobs 1
Files 378
Run time 35s
pending completion
2535

push

jenkins

GitHub
[Security] Disable BungeeCord hook if the proxy is disabled in Spigot (#2572 from @Ghost-chu)

If Spigot is running without a proxy, an incoming BungeeCord message can also originate from a malicious player. This happens because there is no proxy preventing this message. There appears to be no method to check if this message comes from a trusted source from the Bukkit side.

This implementation checks if BungeeCord support is enabled in Spigot. This means that we notify them that we actually expect a proxy-enabled configuration for this feature. This solves the issue where the hook was enabled because the server was earlier configured with proxies in mind, but they are no longer used.

**Nevertheless** this doesn't fully solve the issue, because in misconfigured setups, where the Spigot server is publicly accessible, it's still possible. However, this is always a recommended configuration step.

Alternative solutions were rejected, like:
1) Check on incoming BungeeCord message, if we received BungeeCord forwarding data during login
   This data can be fully faked by the player too.
2) Check the connection properties if the appearing proxy is local.
   While this is possible, there are instances where the proxy is not on the same network although it's legitimate. Although it could be possible to introduce this with a configuration option, it would increase the complexity for users.

Related #2559
Related #2571
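
The mismatch this commit guards against (AuthMe's BungeeCord hook left on while Spigot's own proxy mode is off) can also be audited from the two config files. The following is an added example, not AuthMe code; the key names `settings.bungeecord` (spigot.yml) and `Hooks.bungeecord` (AuthMe config.yml) are assumed from the stock config layouts, and the sample files are constructed.

```python
# Added example (not AuthMe code). Assumed key names, not given on this page:
#   spigot.yml -> settings.bungeecord, AuthMe config.yml -> Hooks.bungeecord
def yaml_lookup(text, dotted_key):
    """Return the scalar at dotted_key in simple block-style YAML, else None."""
    want, stack = dotted_key.split("."), []   # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()           # drop trailing comments
        body = line.lstrip()
        if not body or body.startswith(("#", "-")) or ":" not in body:
            continue
        indent = len(line) - len(body)
        key, _, value = body.partition(":")
        while stack and stack[-1][0] >= indent:         # leave deeper/sibling keys
            stack.pop()
        stack.append((indent, key.strip().strip("'\"")))
        if [k for _, k in stack] == want and value.strip():
            return value.strip().strip("'\"")
    return None

def is_true(value):
    return value is not None and value.lower() in ("true", "yes", "on")

def audit(spigot_yml, authme_yml):
    """Classify the combination of Spigot proxy mode and the AuthMe hook."""
    proxy = is_true(yaml_lookup(spigot_yml, "settings.bungeecord"))
    hook = is_true(yaml_lookup(authme_yml, "Hooks.bungeecord"))
    if hook and not proxy:
        return "MISMATCH"        # stale hook: the case this commit disables
    if hook and proxy:
        return "CHECK_EXPOSURE"  # still unsafe if the backend is publicly reachable
    return "HOOK_OFF"

# Constructed sample files
SPIGOT_STANDALONE = "settings:\n  debug: false\n  bungeecord: false\n"
SPIGOT_PROXIED = "settings:\n  debug: false\n  bungeecord: true  # behind proxy\n"
AUTHME_HOOK_ON = "Hooks:\n    multiverse: true\n    bungeecord: true\n"
AUTHME_HOOK_OFF = "Hooks:\n    multiverse: true\n    bungeecord: false\n"

if __name__ == "__main__":
    for s, a in [(SPIGOT_STANDALONE, AUTHME_HOOK_ON), (SPIGOT_PROXIED, AUTHME_HOOK_ON),
                 (SPIGOT_STANDALONE, AUTHME_HOOK_OFF)]:
        print(audit(s, a))
```

`CHECK_EXPOSURE` corresponds to the caveat in the commit message: with both settings on, the backend port still has to be unreachable from anywhere but the proxy.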

7594 of 10558 relevant lines covered (71.93%)

0.72 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 2535.1 | 06 Jul 2022 01:09PM UTC | 0 | 71.93
Source Files on build 2535
Detailed source file information is not available for this build.
  • 32d92e13 on github