ForceOP AntiMalware #438
Comments
|
I wouldn't say its malware but force op does exist in ItemJoin. It exists for the In addition, the force op code as shown in the link about is a completely closed loop so it doesn't allow anyone with malicious intent to execute any commands while they are op and if any errors occur it automatically removes them from OP in the catch clause. They are only op for a roughly a millisecond, the time it takes to dispatch the command, then they are automatically returned to their original OP state (either non-op) or if they were already OP such as an admin they will remain OP. This code has existed in its current state for about 6 years without any reports of issues, also other plugins are using pretty much the exact same "closed-loop" code and is known to be the safest way to do so. ItemJoin does have several warnings when trying to use the Hopefully that makes sense, essentially if you don't want to have players ever be forced op don't use the If you need any additional clarification or anything else let me know, I am happy to help out where I can! EDIT: I am currently still looking for it but I did ask on the spigot forums a long time ago about any concerns regarding security issues with the closed-loop code as shown in the link above and MD_5 actually commented on it and said that is the safest way to do so. Soon as I find the link I will include it as a reference. |
|
Ah okay so I see why it flagged it as malware now, I checked the source code of the anti-malware plugin since it is open source, if I had it specify specifically player.setOp(false) directly after setting them to player.setOp(true) it wouldn't have flagged it. The reason its flagged is because I use a dynamic variable, I fetch the players OP status prior to setting them to OP then I set them back to that status after they are set to OP. If I didn't do that then some players who were already OP prior to executing the command would end up getting de-opped when they are not supposed to. Essentially there is no way for the malware plugin to know what the dynamic variable is since it can technically be true or false. Considering this new knowledge I think I can add a catch to ignore OP players and manually set to false, so stay tuned for the next snapshot as it will resolve this error since I will use a static variable. I will reply with a snapshot once it is compiled. |
|
Okay so, I have fixed the issue stated above so MCAntiMalware no longer throws false positives, I use static variables now that it can clearly see. I ran MCAntiMalware and ItemJoin now passes with no reports. Link; https://ci.craftationgaming.com/job/ItemJoin/779/ Please see the devlog for the current changes since the last release; https://github.com/RockinChaos/ItemJoin/wiki/DevLog Let me know!~ |
RockinChaos
added
Fixed - Pending Release
|
Officially fixed in the latest release, You can now download it here; https://www.spigotmc.org/resources/itemjoin.12661/download?version=431799 |
RockinChaos
added
Resolved
and removed
Fixed - Pending Release
|
I'm sorry I had some unforeseen events in my life, but you solved the problem. Thank you and I saw that it is compatible with the 1.8.8 |
Good morning,
the AntiMalware has detected a force op command in your plugin which is vulnerable if you don't check by yourself with the spigot staff plugin
plugin : (https://www.spigotmc.org/resources/spigot-anti-malware.64982/)
[AntiMalware] [01:10:08] [INFO]: Using locale en [AntiMalware] [01:10:08] [INFO]: Initializing [AntiMalware] [01:10:08] [INFO]: Any bugs and/or false-positives should be reported either on the GitHub repo, plugin discussion page, or on the discord server [AntiMalware] [01:10:08] [INFO]: Registering checks [AntiMalware] [01:10:08] [INFO]: Finished registering checks [AntiMalware] [01:10:08] [INFO]: Setting up the Auto-Updater [AntiMalware] [01:10:08] [INFO]: Finished initializing [AntiMalware] [01:10:08] [DETECTED]: plugins\ItemJoin.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: me/RockinChaos/itemjoin/item/ItemCommand ; SourceFile/Line ItemCommand.java/351The text was updated successfully, but these errors were encountered: