fix(purpur): apply log4j mitigations specific to Purpur (#1280)

2026-02-17 07:03:57 +00:00 · 2022-01-16 20:49:15 -06:00
parent f29f098b26
commit e4c575c130
13 changed files with 43 additions and 32 deletions
--- a/.github/workflows/build-multiarch.yml
+++ b/.github/workflows/build-multiarch.yml
@@ -8,6 +8,7 @@ on:
      - java11*
      - java16*
      - java17*
+      - test/**
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"
      - "[0-9]+.[0-9]+.[0-9]+-java8-multiarch"
@@ -56,7 +57,7 @@ jobs:

      - name: Build for test
        uses: docker/build-push-action@v2.7.0
-        if: github.ref_name == 'master'
+        if: github.ref_name == 'master' || startsWith(github.ref_name, 'test/')
        with:
          context: .
          platforms: linux/amd64
@@ -70,7 +71,7 @@ jobs:

      - name: Run tests
        # It is assumed that image variants are merged from master and tested there
-        if: github.ref_name == 'master'
+        if: github.ref_name == 'master' || startsWith(github.ref_name, 'test/')
        run: |
          tests/test.sh

@@ -80,7 +81,7 @@ jobs:
        with:
          context: .
          platforms: linux/amd64,linux/arm/v7,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
          tags: ${{ steps.meta.outputs.tags }}
          # ensure latest base image is used
          pull: true
--- a/scripts/start-deployAirplane
+++ b/scripts/start-deployAirplane
@@ -43,8 +43,7 @@ if [ ! -f "$SERVER" ] || isTrue "${FORCE_REDOWNLOAD:-false}"; then
 fi

 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true

-exec ${SCRIPTS:-/}start-spiget "$@"
+exec "${SCRIPTS:-/}start-spiget" "$@"
--- a/scripts/start-deployBukkitSpigot
+++ b/scripts/start-deployBukkitSpigot
@@ -126,7 +126,6 @@ else
 fi

 # Normalize on Spigot for operations below
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true

--- a/scripts/start-deployCanyon
+++ b/scripts/start-deployCanyon
@@ -43,7 +43,6 @@ if [ ! -f "$SERVER" ]; then
 fi

 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true

--- a/scripts/start-deployPaper
+++ b/scripts/start-deployPaper
@@ -73,7 +73,6 @@ else
 fi

 # Normalize on Spigot for downstream operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true

--- a/scripts/start-deployPufferfish
+++ b/scripts/start-deployPufferfish
@@ -39,7 +39,6 @@ if [ ! -f "$SERVER" ] || isTrue "${FORCE_REDOWNLOAD:-false}"; then
 fi

 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true

--- a/scripts/start-deployPurpur
+++ b/scripts/start-deployPurpur
@@ -30,7 +30,6 @@ if [ ! -f "$SERVER" ] || isTrue "$FORCE_REDOWNLOAD"; then
 fi

 # Normalize on Spigot for later operations
-export TYPE=SPIGOT
 export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true

--- a/scripts/start-finalExec
+++ b/scripts/start-finalExec
@@ -128,6 +128,11 @@ elif isFamily VANILLA && versionLessThan 1.12; then
  patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
 elif isFamily VANILLA && versionLessThan 1.17; then
  patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
+# See https://purpurmc.org/docs/Log4j/
+elif isType PURPUR && versionLessThan 1.17; then
+  patchLog4jConfig purpur_log4j2_1141-1165.xml https://purpurmc.org/docs/xml/purpur_log4j2_1141-1165.xml
+elif isType PURPUR && versionLessThan 1.18.1; then
+  patchLog4jConfig purpur_log4j2_117.xml https://purpurmc.org/docs/xml/purpur_log4j2_117.xml
 elif versionLessThan 1.18.1; then
  JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
 fi
--- a/scripts/start-setupModconfig
+++ b/scripts/start-setupModconfig
@@ -1,6 +1,7 @@
 #!/bin/bash

-. ${SCRIPTS:-/}start-utils
+# shellcheck source=start-utils
+. "${SCRIPTS:-/}start-utils"

 # If supplied with a URL for a config (simple zip of configurations), download it and unpack
 if [[ "$MODCONFIG" ]]; then
@@ -9,7 +10,7 @@ case "X$MODCONFIG" in
    log "Downloading mod/plugin configs via HTTP"
    log "  from $MODCONFIG ..."
    curl -sSL -o /tmp/modconfig.zip "$MODCONFIG"
-    if [ "$TYPE" = "SPIGOT" ]; then
+    if [ "$FAMILY" = "SPIGOT" ]; then
      mkdir -p /data/plugins
      unzip -o -d /data/plugins /tmp/modconfig.zip
    else
@@ -24,4 +25,4 @@ case "X$MODCONFIG" in
 esac
 fi

-exec ${SCRIPTS:-/}start-setupMounts $@
+exec "${SCRIPTS:-/}start-setupMounts" "$@"
--- a/scripts/start-setupModpack
+++ b/scripts/start-setupModpack
@@ -67,7 +67,7 @@ if [[ "$MODPACK" ]]; then
    exit 1
  fi

-  if [ "$TYPE" = "SPIGOT" ]; then
+  if [ "$FAMILY" = "SPIGOT" ]; then
    mkdir -p /data/plugins
    if ! unzip -o -d /data/plugins /tmp/modpack.zip; then
      log "ERROR: failed to unzip the modpack from ${MODPACK}"
@@ -81,7 +81,7 @@ if [[ "$MODPACK" ]]; then
  rm -f /tmp/modpack.zip

 elif [[ "$MODS" ]]; then
-  if [ "$TYPE" = "SPIGOT" ]; then
+  if [ "$FAMILY" = "SPIGOT" ]; then
    out_dir=/data/plugins
  else
    out_dir=/data/mods
@@ -118,7 +118,7 @@ elif [[ "$MODS_FILE" ]]; then
    exit 2
  fi

-  if [ "$TYPE" = "SPIGOT" ]; then
+  if [ "$FAMILY" = "SPIGOT" ]; then
    out_dir=/data/plugins
  else
    out_dir=/data/mods
--- a/scripts/start-setupMounts
+++ b/scripts/start-setupMounts
@@ -1,14 +1,15 @@
 #!/bin/bash

-. ${SCRIPTS:-/}start-utils
+# shellcheck source=start-utils
+. "${SCRIPTS:-/}start-utils"

-: ${SYNC_SKIP_NEWER_IN_DESTINATION:=${PLUGINS_SYNC_UPDATE:-true}}
-: ${REPLACE_ENV_DURING_SYNC:=true}
-: ${REPLACE_ENV_SUFFIXES:=yml,yaml,txt,cfg,conf,properties,hjson,json,tml,toml}
-: ${REPLACE_ENV_VARIABLE_PREFIX:=${ENV_VARIABLE_PREFIX:-CFG_}}
-: ${REPLACE_ENV_VARIABLES_EXCLUDES:=}
-: ${REPLACE_ENV_VARIABLES_EXCLUDE_PATHS:=}
-: ${DEBUG:=false}
+: "${SYNC_SKIP_NEWER_IN_DESTINATION:=${PLUGINS_SYNC_UPDATE:-true}}"
+: "${REPLACE_ENV_DURING_SYNC:=true}"
+: "${REPLACE_ENV_SUFFIXES:=yml,yaml,txt,cfg,conf,properties,hjson,json,tml,toml}"
+: "${REPLACE_ENV_VARIABLE_PREFIX:=${ENV_VARIABLE_PREFIX:-CFG_}}"
+: "${REPLACE_ENV_VARIABLES_EXCLUDES:=}"
+: "${REPLACE_ENV_VARIABLES_EXCLUDE_PATHS:=}"
+: "${DEBUG:=false}"

 set -e
 isDebugging && set -x
@@ -24,8 +25,8 @@ else
 fi

 if [ -d /plugins ]; then
-  case ${TYPE} in
-    SPIGOT|BUKKIT|PAPER|MAGMA)
+  case ${FAMILY} in
+    SPIGOT|HYBRID)
      mkdir -p /data/plugins
      log "Copying plugins over..."
      mc-image-helper \
@@ -40,7 +41,7 @@ if [ -d /plugins ]; then
 fi

 # If any modules have been provided, copy them over
-: ${COPY_MODS_DEST:="/data/mods"}
+: "${COPY_MODS_DEST:="/data/mods"}"

 if [ -d /mods ]; then
  log "Copying any mods over..."
@@ -53,7 +54,7 @@ if [ -d /mods ]; then
    /mods "${COPY_MODS_DEST}"
 fi

-: ${COPY_CONFIG_DEST:="/data/config"}
+: "${COPY_CONFIG_DEST:="/data/config"}"

 if [ -d /config ]; then
  log "Copying any configs from /config to ${COPY_CONFIG_DEST}"
@@ -66,4 +67,4 @@ if [ -d /config ]; then
    /config "${COPY_CONFIG_DEST}"
 fi

-exec ${SCRIPTS:-/}start-setupServerProperties $@
+exec "${SCRIPTS:-/}start-setupServerProperties" "$@"
--- a/scripts/start-setupWorld
+++ b/scripts/start-setupWorld
@@ -33,7 +33,7 @@ if [[ "$WORLD" ]] && ( isTrue "${FORCE_WORLD_COPY}" || [ ! -d "$worldDest" ] );
    mkdir -p /tmp/world-data
    (cd /tmp/world-data && unzip -o -q "$zipSrc")

-    if [ "$TYPE" = "SPIGOT" ]; then
+    if [ "$FAMILY" = "SPIGOT" ]; then
      baseDirs=$(find /tmp/world-data -name "level.dat" -not -path "*_nether*" -not -path "*_the_end*" -exec dirname "{}" \;)
    else
      baseDirs=$(find /tmp/world-data -name "level.dat" -exec dirname "{}" \;)
@@ -51,7 +51,7 @@ if [[ "$WORLD" ]] && ( isTrue "${FORCE_WORLD_COPY}" || [ ! -d "$worldDest" ] );
      exit 1
    fi
    rsync --remove-source-files --recursive --delete "$baseDir/" "$worldDest"
-    if [ "$TYPE" = "SPIGOT" ]; then
+    if [ "$FAMILY" = "SPIGOT" ]; then
      log "Copying end and nether ..."
      [ -d "${baseDir}_nether" ] && rsync --remove-source-files --recursive --delete "${baseDir}_nether/" "${worldDest}_nether"
      [ -d "${baseDir}_the_end" ] && rsync --remove-source-files --recursive --delete "${baseDir}_the_end/" "${worldDest}_the_end"
@@ -61,7 +61,7 @@ if [[ "$WORLD" ]] && ( isTrue "${FORCE_WORLD_COPY}" || [ ! -d "$worldDest" ] );
    rsync --recursive --delete "${WORLD%/}"/ "$worldDest"
  fi

-  if [ "$TYPE" = "SPIGOT" ]; then
+  if [ "$FAMILY" = "SPIGOT" ]; then
    # Reorganise if a Spigot server
    log "Moving End and Nether maps to Spigot location"
    [ -d "$worldDest/DIM1" ] && mv -f "$worldDest/DIM1" "${worldDest}_the_end"
--- a/scripts/start-utils
+++ b/scripts/start-utils
@@ -178,5 +178,14 @@ function isFamily() {
      return 0
    fi
  done
+
+  return 1
+}
+function isType() {
+  for t in "${@}"; do
+    if [[ $TYPE == "$t" ]]; then
+      return 0
+    fi
+  done
  return 1
 }