CB & Spigot bindings for WorldEdit, adjusted for Fawe
License: GNU Lesser General Public License v3.0
This repository is for adapter classes used by FastAsyncWorldEdit to work with various platforms.
FastAsyncWorldEdit is open source and available under the GNU Lesser General Public License v3.
We happily accept contributions, especially through pull requests on GitHub. Submissions must be licensed under the GNU Lesser General Public License v3.
Please read CONTRIBUTING.md for important guidelines to follow.
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Vulnerable Library - junit-4.10.jarJUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: FastAsyncWorldEdit-Adapters/spigot_v1_15_R2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.10/e4f1766ce7404a08f45d859fb9c226fc9e41a861/junit-4.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.10/e4f1766ce7404a08f45d859fb9c226fc9e41a861/junit-4.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.10/e4f1766ce7404a08f45d859fb9c226fc9e41a861/junit-4.10.jar
Dependency Hierarchy:
Found in HEAD commit: dd359e5ace81720d1f90b03d0aab58f6e4766a23
Found in base branch: main
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - guava-21.0.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: https://github.com/google/guava
Path to dependency file: FastAsyncWorldEdit-Adapters/spigot_v1_16_R3/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar
Dependency Hierarchy:
Found in HEAD commit: dd359e5ace81720d1f90b03d0aab58f6e4766a23
Found in base branch: main
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (3.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: v30.0
Step up your Open Source Security Game with WhiteSource here
Paper
1.17.1
Since Version FastAsyncWorldEdit version 1.17-259;e4cbd85 the //regen command always uses the vanilla generator, even if anotherone is set (like PS).
#259FAWE schould use the set Worldgenerator to regenerate terraine.
No response
No response
https://athion.net/ISPaster/paste/view/4150b91edf3a440b9adab51c1200f636
FastAsyncWorldEdit version 1.17-306;e750e01
No response
[18:18:25 INFO]: NotMyFault issued server command: //regen
[18:18:26 INFO]: Using com.fastasyncworldedit.bukkit.adapter.NMSRelighterFactory as relighter factory.
[18:18:26 WARN]: java.lang.IllegalArgumentException: Must use ProtoChunk constructor with the ServerLevel parameter
[18:18:26 WARN]: at net.minecraft.world.level.chunk.ProtoChunk.<init>(ProtoChunk.java:80)
[18:18:26 WARN]: at com.sk89q.worldedit.bukkit.adapter.impl.fawe.regen.Regen_v1_17_R1_2$3.<init>(Regen_v1_17_R1_2.java:300)
[18:18:26 WARN]: at com.sk89q.worldedit.bukkit.adapter.impl.fawe.regen.Regen_v1_17_R1_2.createProtoChunk(Regen_v1_17_R1_2.java:300)
[18:18:26 WARN]: at com.sk89q.worldedit.bukkit.adapter.impl.fawe.regen.Regen_v1_17_R1_2.createProtoChunk(Regen_v1_17_R1_2.java:88)
[18:18:26 WARN]: at com.fastasyncworldedit.bukkit.adapter.Regenerator.generate(Regenerator.java:157)
[18:18:26 WARN]: at com.fastasyncworldedit.bukkit.adapter.Regenerator.regenerate(Regenerator.java:97)
[18:18:26 WARN]: at com.sk89q.worldedit.bukkit.adapter.impl.fawe.FAWE_Spigot_v1_17_R1_2.regenerate(FAWE_Spigot_v1_17_R1_2.java:445)
[18:18:26 WARN]: at com.sk89q.worldedit.bukkit.BukkitWorld.regenerate(BukkitWorld.java:228)
[18:18:26 WARN]: at com.fastasyncworldedit.core.wrappers.WorldWrapper.regenerate(WorldWrapper.java:248)
[18:18:26 WARN]: at com.sk89q.worldedit.command.RegionCommands.regenerate(RegionCommands.java:636)
[18:18:26 WARN]: at com.sk89q.worldedit.command.RegionCommandsRegistration.cmd$_regen(RegionCommandsRegistration.java:908)
[18:18:26 WARN]: at org.enginehub.piston.CommandManager.execute(CommandManager.java:157)
[18:18:26 WARN]: at com.sk89q.worldedit.extension.platform.PlatformCommandManager.lambda$handleCommandOnCurrentThread$16(PlatformCommandManager.java:703)
[18:18:26 WARN]: at com.sk89q.worldedit.extension.platform.PlatformCommandManager.handleCommandTask(PlatformCommandManager.java:719)
[18:18:26 WARN]: at com.sk89q.worldedit.extension.platform.PlatformCommandManager.handleCommandOnCurrentThread(PlatformCommandManager.java:705)
[18:18:26 WARN]: at com.sk89q.worldedit.extension.platform.PlatformCommandManager.lambda$handleCommand$13(PlatformCommandManager.java:675)
[18:18:26 WARN]: at com.sk89q.worldedit.extension.platform.AbstractPlayerActor.lambda$runAction$1(AbstractPlayerActor.java:633)
[18:18:26 WARN]: at com.fastasyncworldedit.core.object.task.AsyncNotifyQueue.lambda$run$0(AsyncNotifyQueue.java:27)
[18:18:26 WARN]: at com.fastasyncworldedit.core.object.task.AsyncNotifyQueue.lambda$call$1(AsyncNotifyQueue.java:44)
[18:18:26 WARN]: at java.base/java.util.concurrent.ForkJoinTask$AdaptedCallable.exec(ForkJoinTask.java:1458)
[18:18:26 WARN]: at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:295)
[18:18:26 WARN]: at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1016)
[18:18:26 WARN]: at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1665)
[18:18:26 WARN]: at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1598)
[18:18:26 WARN]: at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
Tested on Paper build 110 and Fawe version 61
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
.github/workflows/build.yml
actions/checkout v3gradle/wrapper-validation-action v1@55e685c48d84285a5b0418cd094606e199cca3b6actions/setup-java v3
settings.gradle.kts
build.gradle.kts
com.intellectualsites.bom:bom-1.16.x 1.31
gradle/wrapper/gradle-wrapper.properties
gradle 8.2
Vulnerable Library - gson-2.8.8.jarLibrary home page: https://github.com/google/gson
Path to dependency file: FastAsyncWorldEdit-Adapters/spigot_v1_16_R3/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.8/431fc3cbc0ff81abdbfde070062741089c3ba874/gson-2.8.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.8/431fc3cbc0ff81abdbfde070062741089c3ba874/gson-2.8.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.8/431fc3cbc0ff81abdbfde070062741089c3ba874/gson-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: dd359e5ace81720d1f90b03d0aab58f6e4766a23
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
Step up your Open Source Security Game with WhiteSource here
Named method in the title is paper only, so using using it on spigot leads to a NoSuchMethodError. We should add some kind of workaround here.
Currently you need to relog in order to see biome specific operations, e.g //setbiome. If possible, we should attempt to handle those immediately to not disturb the workflow. It's hard to properly perform biome operations without seeing what you are doing.
See IntellectualSites/fastasyncvoxelsniper#37 for the conversation.
Vulnerable Library - guava-21.0.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: https://github.com/google/guava
Path to dependency file: FastAsyncWorldEdit-Adapters/spigot_v1_16_R3/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar
Dependency Hierarchy:
Found in HEAD commit: dd359e5ace81720d1f90b03d0aab58f6e4766a23
Found in base branch: main
Vulnerability Details
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1-jre, 24.1.1-android
Step up your Open Source Security Game with WhiteSource here
Paper
1.17.1
//regen generates very different terrain than original seed, and has no features like grass_block and tree/tree leaves.
//regen working to regenerate selected area per the original seed
See "To Reproduce" section
No response
https://athion.net/ISPaster/paste/view/bb58b130880f415e891944826ab76abb
1.17-134;3e4f1d5
No response
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.