From 135a557adfb1a65bebf7ad917a7f7aae33e91451 Mon Sep 17 00:00:00 2001
From: Geoff Bourne
Date: Sat, 15 Jan 2022 15:48:47 -0600
Subject: [PATCH 1/3] fix(purpur): apply log4j mitigations specific to Purpur
Fixes #1260
---
 .github/workflows/build-multiarch.yml | 2 +-
 scripts/start-deployAirplane | 3 +--
 scripts/start-deployBukkitSpigot | 1 -
 scripts/start-deployCanyon | 1 -
 scripts/start-deployPaper | 1 -
 scripts/start-deployPufferfish | 1 -
 scripts/start-deployPurpur | 1 -
 scripts/start-finalExec | 5 +++++
 scripts/start-setupModconfig | 7 ++++---
 scripts/start-setupModpack | 6 +++---
 scripts/start-setupMounts | 27 ++++++++++++++-------------
 scripts/start-setupWorld | 6 +++---
 scripts/start-utils | 9 +++++++++
 13 files changed, 40 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/build-multiarch.yml b/.github/workflows/build-multiarch.yml
index d421715fb7c..3435bf529a3 100644
--- a/.github/workflows/build-multiarch.yml
+++ b/.github/workflows/build-multiarch.yml
@@ -8,6 +8,7 @@ on:
 - java11*
 - java16*
 - java17*
+ - test/**
 tags:
 - "[0-9]+.[0-9]+.[0-9]+"
 - "[0-9]+.[0-9]+.[0-9]+-java8-multiarch"
@@ -80,7 +81,6 @@ jobs:
 with:
 context: .
 platforms: linux/amd64,linux/arm/v7,linux/arm64
- push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
 # ensure latest base image is used
 pull: true
diff --git a/scripts/start-deployAirplane b/scripts/start-deployAirplane
index 601aeb67231..cb36aa8179b 100755
--- a/scripts/start-deployAirplane
+++ b/scripts/start-deployAirplane
@@ -43,8 +43,7 @@ if [ ! -f "$SERVER" ] || isTrue "${FORCE_REDOWNLOAD:-false}"; then
 fi
 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
-exec ${SCRIPTS:-/}start-spiget "$@"
+exec "${SCRIPTS:-/}start-spiget" "$@"
diff --git a/scripts/start-deployBukkitSpigot b/scripts/start-deployBukkitSpigot
index 120da778165..a185e98f513 100755
--- a/scripts/start-deployBukkitSpigot
+++ b/scripts/start-deployBukkitSpigot
@@ -126,7 +126,6 @@ else
 fi
 # Normalize on Spigot for operations below
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
diff --git a/scripts/start-deployCanyon b/scripts/start-deployCanyon
index 0aa17331e2d..dab759467f7 100755
--- a/scripts/start-deployCanyon
+++ b/scripts/start-deployCanyon
@@ -43,7 +43,6 @@ if [ ! -f "$SERVER" ]; then
 fi
 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
diff --git a/scripts/start-deployPaper b/scripts/start-deployPaper
index 69406b3cbf0..fe606dcc4ce 100755
--- a/scripts/start-deployPaper
+++ b/scripts/start-deployPaper
@@ -73,7 +73,6 @@ else
 fi
 # Normalize on Spigot for downstream operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
diff --git a/scripts/start-deployPufferfish b/scripts/start-deployPufferfish
index 02666114332..0b0ea52c26e 100755
--- a/scripts/start-deployPufferfish
+++ b/scripts/start-deployPufferfish
@@ -39,7 +39,6 @@ if [ ! -f "$SERVER" ] || isTrue "${FORCE_REDOWNLOAD:-false}"; then
 fi
 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
diff --git a/scripts/start-deployPurpur b/scripts/start-deployPurpur
index de3234b3adf..156920b8647 100755
--- a/scripts/start-deployPurpur
+++ b/scripts/start-deployPurpur
@@ -30,7 +30,6 @@ if [ ! -f "$SERVER" ] || isTrue "$FORCE_REDOWNLOAD"; then
 fi
 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
diff --git a/scripts/start-finalExec b/scripts/start-finalExec
index d7325a04702..e5178446891 100755
--- a/scripts/start-finalExec
+++ b/scripts/start-finalExec
@@ -128,6 +128,11 @@ elif isFamily VANILLA && versionLessThan 1.12; then
 patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
 elif isFamily VANILLA && versionLessThan 1.17; then
 patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
+# See https://purpurmc.org/docs/Log4j/
+elif isType PURPUR && versionLessThan 1.17; then
+ patchLog4jConfig purpur_log4j2_1141-1165.xml https://purpurmc.org/docs/xml/purpur_log4j2_1141-1165.xml
+elif isType PURPUR && versionLessThan 1.18.1; then
+ patchLog4jConfig purpur_log4j2_117.xml https://purpurmc.org/docs/xml/purpur_log4j2_117.xml
 elif versionLessThan 1.18.1; then
 JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
 fi
diff --git a/scripts/start-setupModconfig b/scripts/start-setupModconfig
index 82d4c1b5fca..aeab818daae 100755
--- a/scripts/start-setupModconfig
+++ b/scripts/start-setupModconfig
@@ -1,6 +1,7 @@
 #!/bin/bash
-. ${SCRIPTS:-/}start-utils
+# shellcheck source=start-utils
+. "${SCRIPTS:-/}start-utils"
 # If supplied with a URL for a config (simple zip of configurations), download it and unpack
 if [[ "$MODCONFIG" ]]; then
@@ -9,7 +10,7 @@ case "X$MODCONFIG" in
 log "Downloading mod/plugin configs via HTTP"
 log " from $MODCONFIG ..."
 curl -sSL -o /tmp/modconfig.zip "$MODCONFIG"
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 mkdir -p /data/plugins
 unzip -o -d /data/plugins /tmp/modconfig.zip
 else
@@ -24,4 +25,4 @@ case "X$MODCONFIG" in
 esac
 fi
-exec ${SCRIPTS:-/}start-setupMounts $@
+exec "${SCRIPTS:-/}start-setupMounts" "$@"
diff --git a/scripts/start-setupModpack b/scripts/start-setupModpack
index 37bbaf784d6..e6a920c1650 100755
--- a/scripts/start-setupModpack
+++ b/scripts/start-setupModpack
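Review bot: The two added Purpur branches hand `patchLog4jConfig` a file from `https://purpurmc.org/docs/xml/` with nothing in the call that pins its content, while the Mojang URLs in the context lines above them carry what looks like an object hash in the path. patchLog4jConfig is defined outside this hunk and the if-chain starts above it, so whether the download is verified, or whether a failed fetch stops startup, cannot be seen here. If neither happens, a changed or unreachable file on the docs site decides the logging configuration of every Purpur server below 1.18.1 at start, so I would ship both XML files in the image or check a pinned SHA-256 before use, and treat a failed fetch as fatal. Because these branches come before the generic `versionLessThan 1.18.1` branch, a Purpur server no longer receives `-Dlog4j2.formatMsgNoLookups=true`; a comment such as `# Purpur: the patched config replaces the formatMsgNoLookups flag` would record that this is intended.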
@@ -67,7 +67,7 @@ if [[ "$MODPACK" ]]; then
 exit 1
 fi
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 mkdir -p /data/plugins
 if ! unzip -o -d /data/plugins /tmp/modpack.zip; then
 log "ERROR: failed to unzip the modpack from ${MODPACK}"
@@ -81,7 +81,7 @@ if [[ "$MODPACK" ]]; then
 rm -f /tmp/modpack.zip
 elif [[ "$MODS" ]]; then
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 out_dir=/data/plugins
 else
 out_dir=/data/mods
@@ -118,7 +118,7 @@ elif [[ "$MODS_FILE" ]]; then
 exit 2
 fi
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 out_dir=/data/plugins
 else
 out_dir=/data/mods
diff --git a/scripts/start-setupMounts b/scripts/start-setupMounts
index b2037a6ac31..6650a38bbb7 100755
--- a/scripts/start-setupMounts
+++ b/scripts/start-setupMounts
@@ -1,14 +1,15 @@
 #!/bin/bash
-. ${SCRIPTS:-/}start-utils
+# shellcheck source=start-utils
+. "${SCRIPTS:-/}start-utils"
-: ${SYNC_SKIP_NEWER_IN_DESTINATION:=${PLUGINS_SYNC_UPDATE:-true}}
-: ${REPLACE_ENV_DURING_SYNC:=true}
-: ${REPLACE_ENV_SUFFIXES:=yml,yaml,txt,cfg,conf,properties,hjson,json,tml,toml}
-: ${REPLACE_ENV_VARIABLE_PREFIX:=${ENV_VARIABLE_PREFIX:-CFG_}}
-: ${REPLACE_ENV_VARIABLES_EXCLUDES:=}
-: ${REPLACE_ENV_VARIABLES_EXCLUDE_PATHS:=}
-: ${DEBUG:=false}
+: "${SYNC_SKIP_NEWER_IN_DESTINATION:=${PLUGINS_SYNC_UPDATE:-true}}"
+: "${REPLACE_ENV_DURING_SYNC:=true}"
+: "${REPLACE_ENV_SUFFIXES:=yml,yaml,txt,cfg,conf,properties,hjson,json,tml,toml}"
+: "${REPLACE_ENV_VARIABLE_PREFIX:=${ENV_VARIABLE_PREFIX:-CFG_}}"
+: "${REPLACE_ENV_VARIABLES_EXCLUDES:=}"
+: "${REPLACE_ENV_VARIABLES_EXCLUDE_PATHS:=}"
+: "${DEBUG:=false}"
 set -e
 isDebugging && set -x
@@ -24,8 +25,8 @@ else
 fi
 if [ -d /plugins ]; then
- case ${TYPE} in
- SPIGOT|BUKKIT|PAPER|MAGMA)
+ case ${FAMILY} in
+ SPIGOT|HYBRID)
 mkdir -p /data/plugins
 log "Copying plugins over..."
 mc-image-helper \
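Review bot: In the second start-setupMounts hunk, `case ${FAMILY} in` with `SPIGOT|HYBRID)` copies /plugins only when the deploy script for the selected type has exported FAMILY. The patch shows that export in the Spigot-derived deploy scripts, but the script that would set `HYBRID` for the previously listed MAGMA type is not part of it. If a type reaches this point with FAMILY unset, the pattern does not match and, unless a `*)` branch beyond the hunk handles it, the plugins are skipped without a log line. I would log in the fall-through branch and write `case "${FAMILY}" in` for consistency with the quoting this commit adds elsewhere.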
@@ -40,7 +41,7 @@ if [ -d /plugins ]; then
 fi
 # If any modules have been provided, copy them over
-: ${COPY_MODS_DEST:="/data/mods"}
+: "${COPY_MODS_DEST:="/data/mods"}"
 if [ -d /mods ]; then
 log "Copying any mods over..."
@@ -53,7 +54,7 @@ if [ -d /mods ]; then
 /mods "${COPY_MODS_DEST}"
 fi
-: ${COPY_CONFIG_DEST:="/data/config"}
+: "${COPY_CONFIG_DEST:="/data/config"}"
 if [ -d /config ]; then
 log "Copying any configs from /config to ${COPY_CONFIG_DEST}"
@@ -66,4 +67,4 @@ if [ -d /config ]; then
 /config "${COPY_CONFIG_DEST}"
 fi
-exec ${SCRIPTS:-/}start-setupServerProperties $@
+exec "${SCRIPTS:-/}start-setupServerProperties" "$@"
diff --git a/scripts/start-setupWorld b/scripts/start-setupWorld
index c4dad94f6bf..db14635fe07 100755
--- a/scripts/start-setupWorld
+++ b/scripts/start-setupWorld
@@ -33,7 +33,7 @@ if [[ "$WORLD" ]] && ( isTrue "${FORCE_WORLD_COPY}" || [ ! -d "$worldDest" ] );
 mkdir -p /tmp/world-data
 (cd /tmp/world-data && unzip -o -q "$zipSrc")
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 baseDirs=$(find /tmp/world-data -name "level.dat" -not -path "*_nether*" -not -path "*_the_end*" -exec dirname "{}" \;)
 else
 baseDirs=$(find /tmp/world-data -name "level.dat" -exec dirname "{}" \;)
@@ -51,7 +51,7 @@ if [[ "$WORLD" ]] && ( isTrue "${FORCE_WORLD_COPY}" || [ ! -d "$worldDest" ] );
 exit 1
 fi
 rsync --remove-source-files --recursive --delete "$baseDir/" "$worldDest"
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 log "Copying end and nether ..."
 [ -d "${baseDir}_nether" ] && rsync --remove-source-files --recursive --delete "${baseDir}_nether/" "${worldDest}_nether"
 [ -d "${baseDir}_the_end" ] && rsync --remove-source-files --recursive --delete "${baseDir}_the_end/" "${worldDest}_the_end"
@@ -61,7 +61,7 @@ if [[ "$WORLD" ]] && ( isTrue "${FORCE_WORLD_COPY}" || [ ! -d "$worldDest" ] );
 rsync --recursive --delete "${WORLD%/}"/ "$worldDest"
 fi
- if [ "$TYPE" = "SPIGOT" ]; then
+ if [ "$FAMILY" = "SPIGOT" ]; then
 # Reorganise if a Spigot server
 log "Moving End and Nether maps to Spigot location"
 [ -d "$worldDest/DIM1" ] && mv -f "$worldDest/DIM1" "${worldDest}_the_end"
diff --git a/scripts/start-utils b/scripts/start-utils
index 8c77cbca8c1..0861e24ebc3 100755
--- a/scripts/start-utils
+++ b/scripts/start-utils
@@ -178,5 +178,14 @@ function isFamily() {
 return 0
 fi
 done
+
+ return 1
+}
+function isType() {
+ for t in "${@}"; do
+ if [[ $TYPE == "$t" ]]; then
+ return 0
+ fi
+ done
 return 1
 }
\ No newline at end of file
From e31b9d8a2374e2b7628fcce4d533388461b19a8f Mon Sep 17 00:00:00 2001
From: Geoff Bourne
Date: Sat, 15 Jan 2022 15:52:28 -0600
Subject: [PATCH 2/3] Test the test branches
---
 .github/workflows/build-multiarch.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-multiarch.yml b/.github/workflows/build-multiarch.yml
index 3435bf529a3..b142f5a61ca 100644
--- a/.github/workflows/build-multiarch.yml
+++ b/.github/workflows/build-multiarch.yml
@@ -57,7 +57,7 @@ jobs:
 - name: Build for test
 uses: docker/build-push-action@v2.7.0
- if: github.ref_name == 'master'
+ if: github.ref_name == 'master' || startsWith(github.ref_name, 'test/')
 with:
 context: .
 platforms: linux/amd64
@@ -71,7 +71,7 @@ jobs:
 - name: Run tests
 # It is assumed that image variants are merged from master and tested there
- if: github.ref_name == 'master'
+ if: github.ref_name == 'master' || startsWith(github.ref_name, 'test/')
 run: |
 tests/test.sh
From 40e5e1ad1ff714fa366e16d800b3cedb36fea165 Mon Sep 17 00:00:00 2001
From: Geoff Bourne
Date: Sat, 15 Jan 2022 15:54:26 -0600
Subject: [PATCH 3/3] Put back the push attribute
---
 .github/workflows/build-multiarch.yml | 1 +
 1 file changed, 1 insertion(+)
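Review bot: `isType` in the start-utils hunk compares `$TYPE` case-sensitively, and because this commit stops the deploy scripts from exporting `TYPE=SPIGOT`, it now sees whatever value the user supplied. Whether TYPE is upper-cased before this point is not visible in the patch; if it is not, `TYPE=purpur` would miss `isType PURPUR` in start-finalExec and fall through to the generic branch instead of the Purpur-specific log4j config. I would compare with `[[ ${TYPE^^} == "${t^^}" ]]` and add `local t` so the loop variable does not leak into the scripts that source start-utils. A one-line comment above the function, `# isType A B ...: succeeds when TYPE equals any argument`, would document the contract.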
diff --git a/.github/workflows/build-multiarch.yml b/.github/workflows/build-multiarch.yml
index b142f5a61ca..206fcee41b1 100644
--- a/.github/workflows/build-multiarch.yml
+++ b/.github/workflows/build-multiarch.yml
@@ -81,6 +81,7 @@ jobs:
 with:
 context: .
 platforms: linux/amd64,linux/arm/v7,linux/arm64
+ push: true
 tags: ${{ steps.meta.outputs.tags }}
 # ensure latest base image is used
 pull: true
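Review bot: `push: true` is broader than the expression the first patch removed, `push: ${{ github.event_name != 'pull_request' }}`, and the first patch also added `test/**` to the push triggers. Every push to a `test/` branch therefore builds and publishes the multi-arch image under whatever tags `steps.meta` produces, and if the workflow also has a pull_request trigger (the `on:` block is only partly visible) those runs would attempt to publish as well. I would restore the original expression or gate publishing on the ref, e.g. `push: ${{ github.event_name != 'pull_request' && !startsWith(github.ref_name, 'test/') }}`. If publishing test images is intended, a comment on the step should say which tags they receive.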