Skip to content

26.2#1391

Open
Jakubk15 wants to merge 22 commits into
masterfrom
ver/26.2
Open

26.2#1391
Jakubk15 wants to merge 22 commits into
masterfrom
ver/26.2

Conversation

@Jakubk15

@Jakubk15 Jakubk15 commented Jul 8, 2026

Copy link
Copy Markdown
Member

Merges all dependency PRs (I think) and #1381 as well as #1382

renovate Bot and others added 19 commits February 26, 2026 20:38
Fixes two findings from the loader audit:

1. Runtime-downloaded dependencies were loaded with no integrity check.
   DependencyDownloader now verifies every artifact against the strongest
   checksum the repository publishes (sha512 > sha256 > sha1) before it is
   written to the local cache and added to the classpath. Fails closed: a
   mismatch or the absence of any published checksum rejects that repository
   so resolution falls back to another source (and errors if none can vouch
   for the artifact). Adds a pure, unit-tested Checksum utility.

3. Jar, checksum, and POM fetches had no connect/read timeouts, so a slow or
   half-open repository could stall plugin startup. All three now set a 15s
   connect / 30s read timeout.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JrkLFxzmmn7BpB9y6vMTeg
Both /enchant execute overloads were gated only by the class-level
@Permission("eternalcore.enchant"), so anyone allowed to enchant their own
item could also modify other players' held items.

Follow the FlyCommand convention: drop the class-level permission and gate
each overload individually — eternalcore.enchant for the self variant and
eternalcore.enchant.other for the "<player>" variant.

Note: servers that previously granted eternalcore.enchant to allow enchanting
others must now also grant eternalcore.enchant.other.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JrkLFxzmmn7BpB9y6vMTeg
@Jakubk15 Jakubk15 requested a review from a team as a code owner July 8, 2026 14:28
@Jakubk15 Jakubk15 added the 🛠️ maintainers task This task will be handled by EternalCodeTeam Maintainers, please do not PR. label Jul 8, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces dependency checksum verification (supporting SHA-512, SHA-256, and SHA-1) during dependency downloads, sets connection and read timeouts for dependency and POM downloads, refactors permission checks in EnchantCommand, and updates several dependencies and plugins. Feedback highlights a potential denial-of-service vulnerability and downgrade attack risk in DependencyDownloader.downloadChecksum due to unbounded stream reading and over-broad exception handling, and suggests utilizing Java's built-in HexFormat in Checksum.java to replace the custom hexadecimal conversion.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🛠️ maintainers task This task will be handled by EternalCodeTeam Maintainers, please do not PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant