🛡️ Sentinel: [MEDIUM] Fix database resource leaks

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2023-10-27 - Fix unclosed PreparedStatement leaks in AtTackCraft-Core
+**Vulnerability:** Found unclosed `PreparedStatement` and `ResultSet` variables in `WhiteList.java` and `PlayerListLogger.java` which are instantiated repeatedly, especially on a timer (`PlayerListLogger.run()`).
+**Learning:** Legacy codebase or hastily written Bungee plugins might neglect proper lifecycle management of JDBC resources, relying on connection drops or garbage collection. This is a severe DoS risk (CWE-400 Resource Exhaustion) leading to "Too many open files" or MySQL connection starvation.
+**Prevention:** Always use `try-with-resources` introduced in Java 7 for any `AutoCloseable` SQL objects.

modules/AtTackCraft-Core/src/main/java/cc/mcac/attackcraftcore/Bungee/PlayerListLogger.java

@@ -18,18 +18,19 @@ public void run() {
         plugin.getProxy().getScheduler().schedule(plugin, () -> {
             try {
                 Connection connection = plugin.getSqlManager().getConnection();
-                PreparedStatement ps = connection.prepareStatement(
+                try (PreparedStatement ps = connection.prepareStatement(
                         "INSERT INTO `server_player_list` (server_id, player_number, player_list) VALUES (?,?,?) " +
                                 "ON DUPLICATE KEY UPDATE player_number = ?, player_list = ?"
-                );
-                int playerNumber = plugin.getProxy().getOnlineCount();
-                String playerList = plugin.getProxy().getPlayers().toString();
-                ps.setString(1, plugin.getConfiguration().getString("server_id"));
-                ps.setInt(2, playerNumber);
-                ps.setString(3, playerList);
-                ps.setInt(4, playerNumber);
-                ps.setString(5, playerList);
-                ps.executeUpdate();
+                )) {
+                    int playerNumber = plugin.getProxy().getOnlineCount();
+                    String playerList = plugin.getProxy().getPlayers().toString();
+                    ps.setString(1, plugin.getConfiguration().getString("server_id"));
+                    ps.setInt(2, playerNumber);
+                    ps.setString(3, playerList);
+                    ps.setInt(4, playerNumber);
+                    ps.setString(5, playerList);
+                    ps.executeUpdate();
+                }
             } catch (SQLException e) {
                 e.printStackTrace();
             }

modules/AtTackCraft-Core/src/main/java/cc/mcac/attackcraftcore/Bungee/WhiteList/WhiteList.java

@@ -41,11 +41,10 @@ public void onPlayerJoin(PreLoginEvent e) {
 
     public void on() {
         Connection connection = plugin.getSqlManager().getConnection();
-        try {
-            PreparedStatement ps = connection.prepareStatement(
-                    "SELECT * FROM `whitelist`"
-            );
-            ResultSet rs = ps.executeQuery();
+        try (PreparedStatement ps = connection.prepareStatement(
+                "SELECT * FROM `whitelist`"
+        );
+             ResultSet rs = ps.executeQuery()) {
             whiteList.clear();
             while (rs.next()) {
                 whiteList.add(rs.getString("player_name"));
@@ -62,10 +61,9 @@ public void off() {
     public void addPlayer(String playerName) {
         whiteList.add(playerName);
         Connection connection = plugin.getSqlManager().getConnection();
-        try {
-            PreparedStatement ps = connection.prepareStatement(
-                    "INSERT INTO `whitelist` (`player_name`) VALUES (?) ON DUPLICATE KEY UPDATE `player_name` = ?"
-            );
+        try (PreparedStatement ps = connection.prepareStatement(
+                "INSERT INTO `whitelist` (`player_name`) VALUES (?) ON DUPLICATE KEY UPDATE `player_name` = ?"
+        )) {
             ps.setString(1, playerName);
             ps.setString(2, playerName);
             ps.executeUpdate();