Large Dependency Bump + Velocity Exploit Fix

Author: ssquadteam

.DS_Store

@@ -20,8 +20,8 @@ auto-service-annotations = "com.google.auto.service:auto-service-annotations:1.1
 brigadier = "com.velocitypowered:velocity-brigadier:1.0.0-SNAPSHOT"
 bstats = "org.bstats:bstats-base:3.1.0"
 caffeine = "com.github.ben-manes.caffeine:caffeine:3.2.0"
-checker-qual = "org.checkerframework:checker-qual:3.49.0"
-checkstyle = "com.puppycrawl.tools:checkstyle:10.21.3"
+checker-qual = "org.checkerframework:checker-qual:3.49.1"
+checkstyle = "com.puppycrawl.tools:checkstyle:10.21.4"
 completablefutures = "com.spotify:completable-futures:0.3.6"
 configurate3-hocon = { module = "org.spongepowered:configurate-hocon", version.ref = "configurate3" }
 configurate3-yaml = { module = "org.spongepowered:configurate-yaml", version.ref = "configurate3" }
@@ -48,7 +48,7 @@ log4j-core = { module = "org.apache.logging.log4j:log4j-core", version.ref = "lo
 log4j-slf4j-impl = { module = "org.apache.logging.log4j:log4j-slf4j2-impl", version.ref = "log4j" }
 log4j-iostreams = { module = "org.apache.logging.log4j:log4j-iostreams", version.ref = "log4j" }
 log4j-jul = { module = "org.apache.logging.log4j:log4j-jul", version.ref = "log4j" }
-mockito = "org.mockito:mockito-core:5.15.2"
+mockito = "org.mockito:mockito-core:5.16.0"
 netty-codec = { module = "io.netty:netty-codec", version.ref = "netty" }
 netty-codec-haproxy = { module = "io.netty:netty-codec-haproxy", version.ref = "netty" }
 netty-codec-http = { module = "io.netty:netty-codec-http", version.ref = "netty" }
@@ -58,7 +58,7 @@ netty-transport-native-kqueue = { module = "io.netty:netty-transport-native-kque
 nightconfig = "com.electronwill.night-config:toml:3.8.1"
 slf4j = "org.slf4j:slf4j-api:2.0.17"
 snakeyaml = "org.yaml:snakeyaml:1.33"
-spotbugs-annotations = "com.github.spotbugs:spotbugs-annotations:4.9.1"
+spotbugs-annotations = "com.github.spotbugs:spotbugs-annotations:4.9.2"
 terminalconsoleappender = "net.minecrell:terminalconsoleappender:1.3.0"
 
 [bundles]

gradle/libs.versions.toml

@@ -507,15 +507,15 @@ public int run(final CommandContext<CommandSource> context) {
       if (version.getName().equals("Velocity")) {
         final TextComponent embellishment = Component.text()
             .append(Component.text()
-                .content("discord.gg/beer")
-                .color(NamedTextColor.GOLD)
+                .content("discord.gg/themegahivemc")
+                .color(NamedTextColor.RED)
                 .clickEvent(
-                    ClickEvent.openUrl("https://discord.gg/themegahive"))
+                    ClickEvent.openUrl("https://discord.gg/themegahivemc"))
                 .build())
             .append(Component.text(" - "))
             .append(Component.text()
                 .content("GitHub")
-                .color(NamedTextColor.GOLD)
+                .color(NamedTextColor.RED)
                 .decoration(TextDecoration.UNDERLINED, true)
                 .clickEvent(ClickEvent.openUrl(
                     "https://github.com/ssquadteam/ApiaryProxy"))

proxy/src/main/java/com/velocitypowered/proxy/command/builtin/VelocityCommand.java

@@ -96,6 +96,8 @@ public final class VelocityConfiguration implements ProxyConfig {
   private final Query query;
   private final Metrics metrics;
   @Expose
+  private int maxCommandsPerSecond = 10;
+  @Expose
   private final Redis redis;
   @Expose
   private final Queue queue;
@@ -151,10 +153,11 @@ private VelocityConfiguration(final String bind, final String motd, final List<S
                                 final boolean enablePlayerAddressLogging, final Servers servers, final ForcedHosts forcedHosts,
                                 final Commands commands, final Advanced advanced, final Query query, final Metrics metrics,
                                 final boolean forceKeyAuthentication, final boolean logPlayerConnections, final boolean logPlayerDisconnections,
-                                final boolean logOfflineConnections, final boolean disableForge, final boolean enforceChatSigning,
-                                final boolean translateHeaderFooter, final boolean logMinimumVersion, final String minimumVersion, final Redis redis,
-                                final Queue queue, final Map<String, List<String>> slashServers, final List<ServerLink> serverLinks,
-                                final List<ProxyAddress> proxyAddresses, final String dynamicProxyFilter, final Map<String, Integer> playerCaps) {
+                                final boolean logOfflineConnections, final int maxCommandsPerSecond, final boolean disableForge,
+                                final boolean enforceChatSigning, final boolean translateHeaderFooter, final boolean logMinimumVersion,
+                                final String minimumVersion, final Redis redis, final Queue queue, final Map<String, List<String>> slashServers,
+                                final List<ServerLink> serverLinks, final List<ProxyAddress> proxyAddresses, final String dynamicProxyFilter,
+                                final Map<String, Integer> playerCaps) {
     this.bind = bind;
     this.motd = motd;
     this.motdHover = motdHover;
@@ -176,6 +179,7 @@ private VelocityConfiguration(final String bind, final String motd, final List<S
     this.forceKeyAuthentication = forceKeyAuthentication;
     this.logPlayerConnections = logPlayerConnections;
     this.logPlayerDisconnections = logPlayerDisconnections;
+    this.maxCommandsPerSecond = maxCommandsPerSecond;
     this.logOfflineConnections = logOfflineConnections;
     this.disableForge = disableForge;
     this.enforceChatSigning = enforceChatSigning;
@@ -437,6 +441,10 @@ public Map<String, List<String>> getForcedHosts() {
     return forcedHosts.getForcedHosts();
   }
 
+  public long getMaxCommandsPerSecond() {
+    return maxCommandsPerSecond;
+  }
+
   @Override
   public int getCompressionThreshold() {
     return advanced.getCompressionThreshold();
@@ -596,6 +604,10 @@ public boolean isForceKeyAuthentication() {
     return forceKeyAuthentication;
   }
 
+  public boolean isEnableReusePort() {
+    return advanced.isEnableReusePort();
+  }
+
   public @NotNull Redis getRedis() {
     return redis;
   }
@@ -751,6 +763,8 @@ public static VelocityConfiguration read(final Path path) throws IOException {
       final boolean kickExisting = config.getOrElse("kick-existing-players", false);
       final boolean enablePlayerAddressLogging = config.getOrElse(
               "enable-player-address-logging", true);
+      final int maxCommandsPerSecond = config.getOrElse(
+              "max-commands-per-second", 10);
       final boolean logPlayerConnections = config.getOrElse(
               "log-player-connections", true);
       final boolean logPlayerDisconnections = config.getOrElse(
@@ -850,6 +864,7 @@ public static VelocityConfiguration read(final Path path) throws IOException {
               logPlayerConnections,
               logPlayerDisconnections,
               logOfflineConnections,
+              maxCommandsPerSecond,
               disableForge,
               enforceChatSigning,
               translateHeaderFooter,
@@ -1222,6 +1237,8 @@ private static final class Advanced {
     @Expose
     private boolean acceptTransfers = false;
     @Expose
+    private boolean enableReusePort = false;
+    @Expose
     private boolean allowIllegalCharactersInChat = false;
     @Expose
     private String serverBrand = "{backend-brand} ({proxy-brand})";
@@ -1259,6 +1276,7 @@ private Advanced(final CommentedConfig config) {
         this.announceProxyCommands = config.getOrElse("announce-proxy-commands", true);
         this.logCommandExecutions = config.getOrElse("log-command-executions", false);
         this.acceptTransfers = config.getOrElse("accepts-transfers", false);
+        this.enableReusePort = config.getOrElse("enable-reuse-port", false);
         this.allowIllegalCharactersInChat = config.getOrElse("allow-illegal-characters-in-chat", false);
         this.serverBrand = config.getOrElse("server-brand", "{backend-brand} ({proxy-brand})");
         this.fallbackVersionPing = config.getOrElse("fallback-version-ping", "{proxy-brand} {protocol-min}-{protocol-max}");
@@ -1330,6 +1348,10 @@ public boolean isAcceptTransfers() {
       return this.acceptTransfers;
     }
 
+    public boolean isEnableReusePort() {
+      return enableReusePort;
+    }
+
     public boolean isAllowIllegalCharactersInChat() {
       return allowIllegalCharactersInChat;
     }
@@ -1370,6 +1392,7 @@ public String toString() {
           + ", announceProxyCommands=" + announceProxyCommands
           + ", logCommandExecutions=" + logCommandExecutions
           + ", acceptTransfers=" + acceptTransfers
+          + ", enableReusePort=" + enableReusePort
           + ", allowIllegalCharactersInChat=" + allowIllegalCharactersInChat
           + '}';
     }

proxy/src/main/java/com/velocitypowered/proxy/config/VelocityConfiguration.java

@@ -18,6 +18,8 @@
 package com.velocitypowered.proxy.network;
 
 import com.google.common.base.Preconditions;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
 import com.velocitypowered.api.event.proxy.ListenerBoundEvent;
 import com.velocitypowered.api.event.proxy.ListenerCloseEvent;
 import com.velocitypowered.api.network.ListenerType;
@@ -28,14 +30,17 @@
 import io.netty.bootstrap.Bootstrap;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.Channel;
+import io.netty.channel.ChannelFuture;
 import io.netty.channel.ChannelFutureListener;
 import io.netty.channel.ChannelOption;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.WriteBufferWaterMark;
+import io.netty.channel.unix.UnixChannelOption;
 import io.netty.util.concurrent.GlobalEventExecutor;
+import io.netty.util.concurrent.MultithreadEventExecutorGroup;
 import java.net.InetSocketAddress;
 import java.net.http.HttpClient;
-import java.util.HashMap;
+import java.util.Collection;
 import java.util.Map;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -50,7 +55,7 @@ public final class ConnectionManager {
   private static final WriteBufferWaterMark SERVER_WRITE_MARK = new WriteBufferWaterMark(1 << 20,
       1 << 21);
   private static final Logger LOGGER = LogManager.getLogger(ConnectionManager.class, new ParameterizedMessageFactory());
-  private final Map<InetSocketAddress, Endpoint> endpoints = new HashMap<>();
+  private final Multimap<InetSocketAddress, Endpoint> endpoints = HashMultimap.create();
   private final TransportType transportType;
   private final EventLoopGroup bossGroup;
   private final EventLoopGroup workerGroup;
@@ -92,7 +97,6 @@ public void logChannelInformation() {
   public void bind(final InetSocketAddress address) {
     final ServerBootstrap bootstrap = new ServerBootstrap()
         .channelFactory(this.transportType.serverSocketChannelFactory)
-        .group(this.bossGroup, this.workerGroup)
         .childOption(ChannelOption.WRITE_BUFFER_WATER_MARK, SERVER_WRITE_MARK)
         .childHandler(this.serverChannelInitializer.get())
         .childOption(ChannelOption.TCP_NODELAY, true)
@@ -103,26 +107,50 @@ public void bind(final InetSocketAddress address) {
       bootstrap.option(ChannelOption.TCP_FASTOPEN, 3);
     }
 
-    bootstrap.bind()
-        .addListener((ChannelFutureListener) future -> {
-          final Channel channel = future.channel();
-          if (future.isSuccess()) {
-            this.endpoints.put(address, new Endpoint(channel, ListenerType.MINECRAFT));
-            
-            // Warn people with console access that HAProxy is in use, see PR: #1436
-            if (this.server.getConfiguration().isProxyProtocol()) {
-              LOGGER.warn("Using HAProxy and listening on {}, please ensure this listener is adequately firewalled.", channel.localAddress());
-            }
+    if (server.getConfiguration().isEnableReusePort()) {
+      // We don't need a boss group, since each worker will bind to the socket
+      bootstrap.option(UnixChannelOption.SO_REUSEPORT, true)
+          .group(this.workerGroup);
+    } else {
+      bootstrap.group(this.bossGroup, this.workerGroup);
+    }
 
-            LOGGER.info("Listening on {}", channel.localAddress());
+    final int binds = server.getConfiguration().isEnableReusePort()
+        ? ((MultithreadEventExecutorGroup) this.workerGroup).executorCount() : 1;
 
-            // Fire the proxy bound event after the socket is bound
-            server.getEventManager().fireAndForget(
-                new ListenerBoundEvent(address, ListenerType.MINECRAFT));
-          } else {
-            LOGGER.error("Can't bind to {}", address, future.cause());
-          }
-        });
+    for (int bind = 0; bind < binds; bind++) {
+      // Wait for each bind to open. If we encounter any errors, don't try to bind again.
+      int finalBind = bind;
+      ChannelFuture f = bootstrap.bind()
+          .addListener((ChannelFutureListener) future -> {
+            final Channel channel = future.channel();
+            if (future.isSuccess()) {
+              this.endpoints.put(address, new Endpoint(channel, ListenerType.MINECRAFT));
+
+              LOGGER.info("Listening on {}", channel.localAddress());
+
+              if (finalBind == 0) {
+                // Warn people with console access that HAProxy is in use, see PR: #1436
+                if (this.server.getConfiguration().isProxyProtocol()) {
+                  LOGGER.warn(
+                      "Using HAProxy and listening on {}, please ensure this listener is adequately firewalled.",
+                      channel.localAddress());
+                }
+
+                // Fire the proxy bound event after the socket is bound
+                server.getEventManager().fireAndForget(
+                    new ListenerBoundEvent(address, ListenerType.MINECRAFT));
+              }
+            } else {
+              LOGGER.error("Can't bind to {}", address, future.cause());
+            }
+          });
+      f.syncUninterruptibly();
+
+      if (!f.isSuccess()) {
+        break;
+      }
+    }
   }
 
   /**
@@ -180,17 +208,20 @@ public Bootstrap createWorker(@Nullable final EventLoopGroup group) {
    * @param oldBind the endpoint to close
    */
   public void close(final InetSocketAddress oldBind) {
-    Endpoint endpoint = endpoints.remove(oldBind);
+    Collection<Endpoint> endpoints = this.endpoints.removeAll(oldBind);
+    Preconditions.checkState(!endpoints.isEmpty(), "Endpoint was not registered");
+
+    ListenerType type = endpoints.iterator().next().type();
 
     // Fire proxy close event to notify plugins of socket close. We block since plugins
     // should have a chance to be notified before the server stops accepting connections.
-    server.getEventManager().fire(new ListenerCloseEvent(oldBind, endpoint.type())).join();
-
-    Channel serverChannel = endpoint.channel();
+    server.getEventManager().fire(new ListenerCloseEvent(oldBind, type)).join();
 
-    Preconditions.checkState(serverChannel != null, "Endpoint %s not registered", oldBind);
-    LOGGER.info("Closing endpoint {}", serverChannel.localAddress());
-    serverChannel.close().syncUninterruptibly();
+    for (Endpoint endpoint : endpoints) {
+      Channel serverChannel = endpoint.channel();
+      LOGGER.info("Closing endpoint {}", serverChannel.localAddress());
+      serverChannel.close().syncUninterruptibly();
+    }
   }
 
   /**
@@ -199,24 +230,28 @@ public void close(final InetSocketAddress oldBind) {
    * @param interrupt should closing forward interruptions
    */
   public void closeEndpoints(final boolean interrupt) {
-    for (final Map.Entry<InetSocketAddress, Endpoint> entry : this.endpoints.entrySet()) {
+    for (final Map.Entry<InetSocketAddress, Collection<Endpoint>> entry : this.endpoints.asMap()
+        .entrySet()) {
       final InetSocketAddress address = entry.getKey();
-      final Endpoint endpoint = entry.getValue();
+      final Collection<Endpoint> endpoints = entry.getValue();
+      ListenerType type = endpoints.iterator().next().type();
 
       // Fire proxy close event to notify plugins of socket close. We block since plugins
       // should have a chance to be notified before the server stops accepting connections.
-      server.getEventManager().fire(new ListenerCloseEvent(address, endpoint.type())).join();
-
-      LOGGER.info("Closing endpoint {}", address);
-      if (interrupt) {
-        try {
-          endpoint.channel().close().sync();
-        } catch (final InterruptedException e) {
-          LOGGER.info("Interrupted whilst closing endpoint", e);
-          Thread.currentThread().interrupt();
+      server.getEventManager().fire(new ListenerCloseEvent(address, type)).join();
+
+      for (Endpoint endpoint : endpoints) {
+        LOGGER.info("Closing endpoint {}", address);
+        if (interrupt) {
+          try {
+            endpoint.channel().close().sync();
+          } catch (final InterruptedException e) {
+            LOGGER.info("Interrupted whilst closing endpoint", e);
+            Thread.currentThread().interrupt();
+          }
+        } else {
+          endpoint.channel().close().syncUninterruptibly();
         }
-      } else {
-        endpoint.channel().close().syncUninterruptibly();
       }
     }
     this.endpoints.clear();
@@ -246,8 +281,8 @@ public ServerChannelInitializerHolder getServerChannelInitializer() {
    */
   public HttpClient createHttpClient() {
     return HttpClient.newBuilder()
-            .executor(this.workerGroup)
-            .build();
+        .executor(this.workerGroup)
+        .build();
   }
 
   public BackendChannelInitializerHolder getBackendChannelInitializer() {