Skip to content

🔒 Use SafeConstructor for YAML parsing and add fine-grained permissions#248

Merged
Nlkomaru merged 1 commit intomainfrom
fix/234-yaml-safety-and-permissions
Mar 28, 2026
Merged

🔒 Use SafeConstructor for YAML parsing and add fine-grained permissions#248
Nlkomaru merged 1 commit intomainfrom
fix/234-yaml-safety-and-permissions

Conversation

@Nlkomaru
Copy link
Copy Markdown
Member

@Nlkomaru Nlkomaru commented Mar 28, 2026

Summary

  • YAML safety: Replace Yaml() with Yaml(SafeConstructor(LoaderOptions())) in PluginDataUtils to prevent deserialization gadget attacks
  • Permissions: Add per-command permissions (mpm.command.add, mpm.command.remove, mpm.command.install, mpm.command.uninstall, mpm.command.update, mpm.command.list, mpm.command.backup, mpm.command.lock, mpm.command.init, mpm.command.reload)
  • Backward compatibility: Register mpm.command as parent permission containing all children

Test plan

  • ./gradlew check passes
  • Verify mpm.command still grants access to all commands
  • Verify individual permissions work (e.g., mpm.command.list without mpm.command.update)

Closes #234

@Nlkomaru
🔒 Use SafeConstructor for YAML parsing and add fine-grained permissions
8249a01 
- Replace unsafe Yaml() with Yaml(SafeConstructor()) to prevent
  deserialization gadget attacks from malicious plugin JARs
- Add per-command permissions (mpm.command.add, .remove, .install, etc.)
- Register mpm.command as parent permission with all children for
  backward compatibility (operators with mpm.command get all sub-perms)

Closes #234
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 28, 2026

🚀 Preview of mpm

This preview file are availalble for 7 days. (until 2026-04-04)

📖 Documentation Preview https://moripa-ci.nikomaru.dev/mpm/7b0ccde/docs/index.html
📦 Preview Jars Bukkit https://moripa-ci.nikomaru.dev/mpm/7b0ccde/jars/mpm-paper-7b0ccde.jar
🔌 Preview Jars API https://moripa-ci.nikomaru.dev/mpm/7b0ccde/jars/mpm-api-7b0ccde.jar
📖 Dokka API Documentation https://moripa-ci.nikomaru.dev/mpm/7b0ccde/dokka/index.html
🧪 JUnit Report https://moripa-ci.nikomaru.dev/mpm/7b0ccde/junit/index.html
🔍 Detekt Report https://moripa-ci.nikomaru.dev/mpm/7b0ccde/detekt/detekt.html

@Nlkomaru Nlkomaru merged commit 663db22 into main Mar 28, 2026
9 checks passed
@Nlkomaru Nlkomaru deleted the fix/234-yaml-safety-and-permissions branch March 28, 2026 13:37
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8249a019a2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread paper/src/main/kotlin/party/morino/mpm/Mpm.kt
org.bukkit.permissions.PermissionDefault.OP,
children
)
server.pluginManager.addPermission(parentPermission)
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Check for existing parent permission before adding it

Calling addPermission() unconditionally here can throw an IllegalArgumentException if mpm.command is already registered (for example after plugin reloads in the same JVM, or when another plugin pre-registers the same node), which will abort onEnable() and keep the plugin disabled. Please guard this with a getPermission("mpm.command") check (or update the existing permission) instead of always adding a new one.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🔒 Unsafe YAML parsing and single permission for all destructive commands

1 participant

@Nlkomaru