CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-21.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

Library home page: https://github.com/google/guava

Path to dependency file: FastAsyncVoxelSniper/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar

Dependency Hierarchy:

• Paster-1.1.1.jar (Root Library)
  • ❌ guava-21.0.jar (Vulnerable Library)

Found in HEAD commit: 0649c58cb7de2f5347f14570533f13621fd97852

Found in base branch: main

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1-jre, 24.1.1-android

Step up your Open Source Security Game with WhiteSource here

What feature do you want to see added?

RE: 697158a

An option to disable the update notification in FastAsyncVoxelSniper, similar to FastAsyncWorldEdit.

FAWE

enabled-components:
  # Whether or not FAWE should notify you on startup about new versions available.
  update-notifications: false

Are there any alternatives?

No.

Anything else?

Useful if using development artifact builds for testing & wanting to reduce http calls.

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-21.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

Library home page: https://github.com/google/guava

Path to dependency file: FastAsyncVoxelSniper/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/21.0/3a3d111be1be1b745edfa7d91678a12d7ed38709/guava-21.0.jar

Dependency Hierarchy:

• Paster-1.1.1.jar (Root Library)
  • ❌ guava-21.0.jar (Vulnerable Library)

Found in HEAD commit: 0649c58cb7de2f5347f14570533f13621fd97852

Found in base branch: main

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

Step up your Open Source Security Game with WhiteSource here

Paper 1.16.4
FAWE build 552
FAVS-flattening build 17

Using /b line will work, but you cannot undo it. You can undo voxel brush strokes, though.

Is your feature request related to a problem? Please describe.
Back in the 1.13 release of FAVS, old brushes from the BetterBrushes plugin were added to FAWE, such as: /b eb melt or /b eb fill
In the newer releases of FAVS this brush is no longer a part of the plugin, while it is perhaps the most useful brush in the entire voxelsniper toolkit.

Describe the solution you'd like
Add the /b eb brushes back to FAVS for 1.14+

Describe alternatives you've considered
I've tried adding the old BetterBrushes plugin to my 1.16.2 server but it is incompatible and does not work at all.

Additional context
I found an older issue where IronApollo mentions putting it in the 1.13 version of FAVS, however it seems to have then gotten dropped afterward.

IntellectualSites/FastAsyncWorldEdit#45

Hello,

I create this issue to bring you back some bugs. FAWE version used: 1.15-172. FAVS version used: 1.0.3 dated March 31, 2020. Paper version used: Paper-201 1.15.2.

As soon as I start the server I have this warning:
[03:05:04] [Server thread / WARN]: [VoxelSniper] Loaded class com.sk89q.worldedit.extension.platform.Actor from WorldEdit v1.15-172; 330fc39 which is not a depend, softdepend or loadbefore of this plugin.

Also when I use FAVS with the /b e lift or /b e smooth commands it works for a few clicks and then nothing. I have no error in the console nor a warning in the chat.

Congratulations for the work done on the plugin and then some versions!

TheCalypso

Required Information

• FAVS Version Number (/version VoxelSniper):5.172.0
• Spigot/Paper Version Number (/version):1.12.2
• Minecraft Version: 1.12.2

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

[REQUIRED] FastAsyncVoxelSniper Configuration Files
https://athion.net/ISPaster/paste/view/be66988671ec45bda1daa14e78e468b1

Required Information

• FAVS Version Number (/version VoxelSniper): VoxelSniper version 1.0.4-backward
• Spigot/Paper Version Number (/version): git-Tuinity-"1382473" (MC: 1.16.5)
• Minecraft Version: 1.16.5

Describe the bug
This is a combination of bugs / features but this template is better for describing these problems. I'll just list the problems I've noticed in this issue rather than creating multiple issues.

Edits with VoxelSniper are not logged by FAWE but it would be very useful if they were, example of using /b v, /btool remove and then /brush inspect:

I'm not sure if this is a problem with other commands too but I noticed that with /btool there are no suggested tab completions:

Running /btool on its own to see if the server will explain how to use the subcommands just results in an error in console:

[12:57:31 ERROR]: null
org.bukkit.command.CommandException: Unhandled exception executing 'btool' in com.thevoxelbox.voxelsniper.command.Command(brush_toolkit)
        at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:169) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at org.bukkit.craftbukkit.v1_16_R3.CraftServer.dispatchCommand(CraftServer.java:810) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.PlayerConnection.handleCommand(PlayerConnection.java:2258) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.PlayerConnection.c(PlayerConnection.java:2073) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.PlayerConnection.a(PlayerConnection.java:2026) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.PacketPlayInChat.a(PacketPlayInChat.java:50) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.PacketPlayInChat.a(PacketPlayInChat.java:8) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.PlayerConnectionUtils.lambda$ensureMainThread$1(PlayerConnectionUtils.java:55) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.TickTask.run(SourceFile:18) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.IAsyncTaskHandler.executeTask(IAsyncTaskHandler.java:136) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.IAsyncTaskHandlerReentrant.executeTask(SourceFile:23) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.IAsyncTaskHandler.executeNext(IAsyncTaskHandler.java:109) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.MinecraftServer.bb(MinecraftServer.java:1321) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.MinecraftServer.executeNext(MinecraftServer.java:1314) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.IAsyncTaskHandler.awaitTasks(IAsyncTaskHandler.java:119) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.MinecraftServer.sleepForTick(MinecraftServer.java:1290) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.MinecraftServer.w(MinecraftServer.java:1134) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at net.minecraft.server.v1_16_R3.MinecraftServer.lambda$a$0(MinecraftServer.java:290) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
        at com.thevoxelbox.voxelsniper.command.executor.BrushToolkitExecutor.executeCommand(BrushToolkitExecutor.java:35) ~[?:?]
        at com.thevoxelbox.voxelsniper.command.Command.execute(Command.java:46) ~[?:?]
        at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:159) ~[patched_1.16.5.jar:git-Tuinity-"1382473"]
        ... 18 more

To Reproduce
Steps to reproduce the behavior:
Explained in the bug section

Plugins being used on the server
BungeeGuard, FastAsyncWorldEdit (WorldEdit), LuckPerms, PlotSquared, spark, VoxelSniper

Checklist:

• I included all information required in the sections above
• I made sure there are no duplicates of this report (Use Search)
• I made sure I am using an up-to-date version of FastAsyncVoxelSniper for 1.16.4
• I made sure the bug/error is not caused by any other plugin

What feature do you want to see added?

I ask you to add language files for a more convenient translation of your plugin into other languages, I think many people will like this idea

Are there any alternatives?

Nope

Anything else?

Nope

Is your feature request related to a problem? Please describe.
Manually writing complex biome/item names is boring, a tab completion system would help users with basic operations.

Describe the solution you'd like
Add a tab completion handler to some brush params.

Describe alternatives you've considered
Add a method to brush interface to handle completion params, like commands.
Should simply return an empty list by default.

Additional context
Can be assigned to me, thanks ;)

Server Implementation

Paper

Server Version

1.18.2

Describe the bug

The splatter disc brush does not affect any blocks in heights less that 0,

To Reproduce

1. do /b sd
2. use any material
3. right-click any block that y is less than 0

Expected behaviour

splatter disc places blocks on any height

Screenshots / Videos

No response

Error log (if applicable)

No response

Favs Debugpaste

https://athion.net/ISPaster/paste/view/c33278a027324a68b1d8f1d287f31eaf

Favs Version

FastAsyncVoxelSniper version 2.3.1

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

No response

Is your feature request related to a problem? Please describe.
This basically goes hand in hand with #60 trying to prevent VoxelSniper from doing things when I don't specifically want it to.
Some servers have terribly long uptimes or just want to stop persisting sessions over every logout/login so the said solution below would be nice.

Describe the solution you'd like
Configuration option to remove the sniping session of a player upon logout/login

Describe alternatives you've considered
See #60

I've installed FAWE and FAVS on my server, the latest versions I could find, and when I do commands such as /b over /b bb, it says in chat that the command has been done but when I try using the brush in the world, nothing seems to happen.

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: FastAsyncVoxelSniper/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.10/e4f1766ce7404a08f45d859fb9c226fc9e41a861/junit-4.10.jar

Dependency Hierarchy:

• paper-api-1.17.1-R0.1-SNAPSHOT.jar (Root Library)
  • json-simple-1.1.1.jar
    • ❌ junit-4.10.jar (Vulnerable Library)

Found in HEAD commit: 0649c58cb7de2f5347f14570533f13621fd97852

Found in base branch: main

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: junit:junit:4.13.1

Step up your Open Source Security Game with WhiteSource here

Bug report for FastAsyncWorldEdit 1.16.2

[REQUIRED] FastAsyncWorldEdit Configuration Files:

https://athion.net/ISPaster/paste/view/0e2cbd77df53487ba3d7bd30708946c1

[REQUIRED] FastAsyncWorldEdit Version Number:

FAWE version:

• Date Aug 30, 2020 12:00:00 AM
• Commit fb88ed69
• Build 328
• Platform Bukkit
  Wiki: https://wiki.intellectualsites.com/FastAsyncWorldEdit/index
  ------------------ Platforms ------------------

• Bukkit-Official(1.16-328;4771297)
  ---------------- Capabilities ----------------
  GAME_HOOKS: Bukkit-Official
  CONFIGURATION: Bukkit-Official
  USER_COMMANDS: Bukkit-Official
  PERMISSIONS: Bukkit-Official
  WORLDEDIT_CUI: Bukkit-Official
  WORLD_EDITING: Bukkit-Official

[REQUIRED] Spigot/Paper Version Number:

git-Paper-152 (MC: 1.16.2) (Implementing API version 1.16.2-R0.1-SNAPSHOT)

[REQUIRED] Description of the problem:

A player made /u 2 (for undo) and 10 second after there is a crash dump
here : https://pastebin.com/ZHnQNkj7

How to replicate:

Do /undo 2 and wait 10 second

Plugins being used on the server:

ArmorStandEditor, Autorank, BKCommonLib, BuildersUtilities, BungeeTabListPlus, Citizens, CraftingStore, Denizen, Depenizen, DiscordSRV, Essentials, EssentialsAntiBuild, EssentialsChat, EssentialsProtect, EssentialsSpawn, FastAsyncWorldEdit, goBrush, goPaint, HeadDatabase*, HolographicDisplays, IPWhitelist*, LightCleaner, LuckPerms, Multiverse-Core, PlaceholderAPI, Plan, PlotSquared, Prism, ProtocolLib, spark, Vault, ViaBackwards, ViaVersion, VoxelSniper, WorldBorder, WorldEdit, WorldGuard

Checklist:

• I included all information required in the sections above
• I made sure there are no duplicates of this report (Use Search)
• I made sure I am using an up-to-date version of FastAsyncWorldEdit for 1.16.2
• I made sure the bug/error is not caused by any other plugin

The official VoxelSniper wiki at https://voxelsniper.fandom.com/wiki/VoxelSniper_Wiki is offline for a few months now.
We would be grateful if someone has an offline copy and looks forward to share it with us to host it again on GitHub pages.

At the moment, the wiki does only exist in the web archive: https://web.archive.org/web/20210711121859/https://voxelsniper.fandom.com/wiki/VoxelSniper_Wiki

Server Implementation

Tuinity

Server Version

1.16.5

Describe the bug

Before everything:

Followed everything on this wiki provided on your GitHub page.
https://voxelsniper.fandom.com/wiki/VoxelSniper_Wiki

I pasted it on my Builders group in Luckperms and tried every possible permission and it still did not work for them.

I did a Luckperms verbose (Im Opped Btw) and it showed the exact same thing.

Am I missing something? please help me out/

To Reproduce

Expected behaviour

Screenshots / Videos

Error log (if applicable)

Fawe Debugpaste

Favs Version

FastAsyncVoxelSniper 2.2.2

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

None

Idea from @Aurelien30000: Rewrite SpiralStaircaseBrush.

- Add an arg to pass the width of the staircase. Voxel height is the default implemented arg for several brushes.
- Accept all stairs and steps.

Originally posted by @Aurelien30000 in #52 (comment)

When attempting to do /u on the latest version of FAVS I'm givin an error

"An internal error occurred while attempting to perform this command"

Paper dev 273 (Spigot 1.15.2)
FAWE dev 217
FAVS dev 14

FAWE Config
https://paste.ubuntu.com/p/5w2yRsq7S6/
VoxelSniper Config
https://paste.ubuntu.com/p/k8b9qB2cc5/

You can't change voxel brush type when you are holding anything in your hand other than air or arrow/gravel. For example if you are holding dirt and type /b s, it outputs Current toolkit not found..

Regression of #181

Looks like a bunch of strings are not in the strings.json file, like all captions in the DefaultExecutor class.

[REQUIRED] FastAsyncVoxelSniper Configuration Files
(my bad for the last post, when I pressed submit new issue there was no template in the text box)
Here is a debug paste - https://athion.net/ISPaster/paste/view/b6c982159c8d43d59ceccbba64806f73
Seemingly there is no more information Voxel other than a small config containing 4 lines

This is everything that was inside the config in the Voxel folder:
undo-cache-size: 20
message-on-login-enabled: true
litesniper-max-brush-size: 10
litesniper-restricted-materials:

Required Information

• FAVS Version Number (/version VoxelSniper): 1.0.3-backward
• Spigot/Paper Version Number (/version): Spigot_Latest_1.16.4.jar
• Minecraft Version: 1.16.4

Describe the bug
There could possibly be more that doesn't work, but when I do /b over or /b bb the commands seem to work in chat but nothing happens when I try to actually use the brushes.

And this is a picture of the commands supposedly working in chat

I felt it smart to record a short video of the brushes not actually working so here:
https://www.youtube.com/watch?v=ZdhuNF96ovI

To Reproduce
Steps to reproduce the behavior: I don't know how this would be reproduced

1. Run to '...' Not sure how this could be tested
2. Click on '....'
3. Scroll down to '....'
4. See error

Plugins being used on the server
Plugins (3): Vault, VoxelSniper, FastAsyncWorldEdit (WorldEdit)

Checklist:

• I included all information required in the sections above
• I made sure there are no duplicates of this report (Use Search)
• I made sure I am using an up-to-date version of FastAsyncVoxelSniper for 1.16.4
• I made sure the bug/error is not caused by any other plugin

What feature do you want to see added?

An update notification service polling updates on startup notifying whether a new update is available or not.

Are there any alternatives?

No

Anything else?

No response

Thank you again and again for precise review, pr is almost ready imo, needs some further testing though, brush by brush (I'll do it on my side on Saturday).

No more changes due to lack of time to devote to FAVS, huge inconsistencies with for instance spiral stair case brush will be addressed later, I will try for the end of August.

Originally posted by @Aurelien30000 in #50 (comment)

Server Implementation

Spigot

Server Version

1.19

Describe the bug

When lauching the plugin, i always have an error (picture)

To Reproduce

I'm on Windows10 / Spigot 1.19 / Java 17 / FastAsyncWorldEdit-Bukkit-2.4.2.jar / fastasyncvoxelsniper-2.6.0.jar

Your work look awesome but we can't use it.

Your's,
SouriCat

Expected behaviour

launch the plugin without error

Screenshots / Videos

No response

Error log (if applicable)

No response

Favs Debugpaste

fastasyncvoxelsniper-2.6.0.jar

Favs Version

fastasyncvoxelsniper-2.6.0.jar

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

No response

Server Implementation

Paper

Server Version

1.18.2

Describe the bug

Similar to the splatter disc issue before, the fill-down command does not fill below the height of 0.

To Reproduce

1. /b fd
2. use any material
3. right-click on any heights above zero

Expected behaviour

it should fill blocks down with the desired material until it intersects another block

Screenshots / Videos

No response

Error log (if applicable)

No response

Favs Debugpaste

https://athion.net/ISPaster/paste/view/757d4e1791e4407fbaf2a5d12023ffc7

Favs Version

FastAsyncVoxelSniper version 2.3.2

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

No response

I'm playing on 1.15.2

[18:48:25 ERROR]: An unexpected error while handling a WorldEdit command
java.lang.UnsupportedOperationException: Queue is not interface com.boydti.fawe.object.extent.LightingExtent
at com.boydti.fawe.FaweAPI.fixLighting(FaweAPI.java:435) ~[?:?]
at com.sk89q.worldedit.command.RegionCommands.fixLighting(RegionCommands.java:155) ~[?:?]
at com.sk89q.worldedit.command.RegionCommandsRegistration.cmd$_fixlighting(RegionCommandsRegistration.java:615) ~[?:?]
at org.enginehub.piston.CommandManager.execute(CommandManager.java:158) ~[?:?]
at com.sk89q.worldedit.extension.platform.PlatformCommandManager.lambda$handleCommandOnCurrentThread$15(PlatformCommandManager.java:685) ~[?:?]
at com.sk89q.worldedit.extension.platform.PlatformCommandManager.handleCommandTask(PlatformCommandManager.java:701) ~[?:?]
at com.sk89q.worldedit.extension.platform.PlatformCommandManager.handleCommandOnCurrentThread(PlatformCommandManager.java:687) ~[?:?]
at com.sk89q.worldedit.extension.platform.PlatformCommandManager.lambda$handleCommand$13(PlatformCommandManager.java:657) ~[?:?]
at org.bukkit.craftbukkit.v1_15_R1.scheduler.CraftTask.run(CraftTask.java:84) ~[patched_1.15.2.jar:git-Paper-105]
at org.bukkit.craftbukkit.v1_15_R1.scheduler.CraftAsyncTask.run(CraftAsyncTask.java:54) ~[patched_1.15.2.jar:git-Paper-105]
at com.destroystokyo.paper.ServerSchedulerReportingWrapper.run(ServerSchedulerReportingWrapper.java:22) ~[patched_1.15.2.jar:git-Paper-105]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:834) [?:?]

What feature do you want to see added?

Fawe has the capability to use block categories, such as ##leaves you can use as material input. Fawe already maintains a list of valid block categories the game provides, so Favs can utilize it with ease.

Are there any alternatives?

No

Anything else?

No response

Back in FAWE 1.13, I believe IronApollo had added in the erode + blend macro that is found in the old BetterBrushes plugin back into FAVS. When using FAWE 1.16 on paper 1.16.4 with the latest FAVS build, it does not appear that betterbrushes is included (e.g. the /b eb lift command).

From my understanding it's just a macro of running erode and blend in the same brush click. Could that be added back?

Is your feature request related to a problem? Please describe.

It's always annoying as a server operator trying to do anything, like accidentally clicking a sign with a gunpowder / clicked something with arrow, the block just disappears out of nowhere.

Describe the solution you'd like

A thing in config to tell the plugin it's disabled for players but still can be used by other plugins

Describe alternatives you've considered

Disabling the permission specifically

Additional context
none

Paper dev 273 (Spigot 1.15.2)
FAWE dev 217
FAVS dev 14

FAWE Config
https://paste.ubuntu.com/p/5w2yRsq7S6/
VoxelSniper Config
https://paste.ubuntu.com/p/k8b9qB2cc5/

• /b s
• /b 1
• /v air

When you snipe a block with the arrow, it leaves the removed block with black lighting.

lighting:
  # If packet sending should be delayed until relight is finished
  delay-packet-sending: true
  async: true
  # The relighting mode to use:
  #  - 0 = None (Do no relighting)
  #  - 1 = Optimal (Relight changed light sources and changed blocks)
  #  - 2 = All (Slowly relight every blocks)
  mode: 2
  # If existing lighting should be removed before relighting
  remove-first: true

Also tested with

lighting:
  # If packet sending should be delayed until relight is finished
  delay-packet-sending: false
  async: true
  # The relighting mode to use:
  #  - 0 = None (Do no relighting)
  #  - 1 = Optimal (Relight changed light sources and changed blocks)
  #  - 2 = All (Slowly relight every blocks)
  mode: 1
  # If existing lighting should be removed before relighting
  remove-first: false

Server Implementation

Paper

Server Version

1.17.1

Describe the bug

Any time I place a ball of material it says "No free spot ahead of you found" except I am placing blocks and I am aiming at an area.

To Reproduce

1. Set material
2. Get the arrow
3. Set brush to ball
4. Place blocks

Expected behaviour

Remove message unless it's needed

Screenshots / Videos

Error log (if applicable)

No response

Favs Debugpaste

[Server] INFO The_Jedi issued server command: /vs debugpaste
[Server] INFO The_Jedi issued server command: /vs debugpaste
[Server] ran command: vs debugpaste 28.09 00:57:58
[Server] ran command: /vs debugpaste 28.09 00:57:58
[Server] INFO Unknown command. Type "/help" for help.

Favs Version

FastAsyncVoxelSniper version 2.2.2

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

No response

WS-2021-0419 - High Severity Vulnerability

Vulnerable Libraries - gson-2.8.8.jar, gson-2.8.0.jar

gson-2.8.8.jar

Library home page: https://github.com/google/gson

Path to dependency file: FastAsyncVoxelSniper/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.8/431fc3cbc0ff81abdbfde070062741089c3ba874/gson-2.8.8.jar

Dependency Hierarchy:

• Paster-1.1.1.jar (Root Library)
  • ❌ gson-2.8.8.jar (Vulnerable Library)

gson-2.8.0.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: FastAsyncVoxelSniper/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.0/c4ba5371a29ac9b2ad6129b1d39ea38750043eff/gson-2.8.0.jar

Dependency Hierarchy:

• Paster-1.1.1.jar (Root Library)
  • ❌ gson-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 0649c58cb7de2f5347f14570533f13621fd97852

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

Step up your Open Source Security Game with WhiteSource here

Server Implementation

Paper

Server Version

1.16.5

Describe the bug

Hey all,

I believe there was a merge and/or code refactor issue that has resulted in the Clone Stamp tool to no longer place correctly. I believe the issue lies in the following code:

https://github.com/IntellectualSites/FastAsyncVoxelSniper/blob/main/src/main/java/com/thevoxelbox/voxelsniper/brush/type/stamp/AbstractStampBrush.java#L80-L88

The value of clampY is not used, nor is it required in this method. Additionally, the call to setBlockData sets the data at the target position for every block in the clone. This should have the delta position applied.

A working version of this method looks like the following:

    protected void setBlock(StampBrushBlockWrapper blockWrapper) {
        BlockVector3 targetBlock = getTargetBlock();

        setBlockData(
                targetBlock.getX() + blockWrapper.getX(),
                targetBlock.getY() + blockWrapper.getY(),
                targetBlock.getZ() + blockWrapper.getZ(),
                blockWrapper.getBlockData()
        );
    }

To Reproduce

1. Enable a clone stamp brush /b cs a (for the no-air mode)
2. Set a brush size and height /b 5 /vh 5
3. Use the gunpowder to create a stamp
4. Use the arrow to paste said stamp, observe only 1 block being placed

Expected behaviour

All blocks within a selection should be pasted.

Screenshots / Videos

No response

Error log (if applicable)

No response

Favs Debugpaste

N/A

Favs Version

FastAsyncVoxelSniper 2.2.4

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

No response

Currently we run the update checker task every 6 hours. We don't push updates much frequent to utilize these 6 hours.
I guess, we can either make it configurable or run every 12/24 hours?
I'm open for suggestions.

The idea is to utilize GitHub actions in the same way we publish releases to OSSRH, we can do the same to dev.bukkit.org.
The way to do that is pretty much straight forward, see https://support.curseforge.com/en/support/solutions/articles/9000197321-curseforge-api

The VoxelHeightExecutor and VoxelCenterExecutor catch ArrayIndexOutOfBoundsException's but refer to the array in the next line:
https://github.com/IntellectualSites/FastAsyncVoxelSniper/blob/c18e69605c146588492a8f8493139ebf7252e9ae/src/main/java/com/thevoxelbox/voxelsniper/command/executor/VoxelCenterExecutor.java#L39-L44
If no input is provided, an AIOOBE is thrown again, because the array we're referring to is empty.

What feature do you want to see added?

Exchange java logging with Log4J. Due Log4J being a native dependency provided by the minecraft server itself, we can utilize it with ease.

Are there any alternatives?

No

Anything else?

No response

Server Implementation

Paper

Server Version

1.18.1

Describe the bug

I have old stencils made using Voxel Sniper that doesn't load. However, if i create new one they work as expected.

To Reproduce

1. place the file in Plugins\FastAsyncVoxelSniper\stencils
2. Type /b stencil fill [Stencil Name]
3. Use gunpowder to place the stencil

stencils.zip

Expected behaviour

The stencil should be placed.

Screenshots / Videos

No response

Error log (if applicable)

https://paste.gg/p/anonymous/dd941350c70f4c44a7d4b1f42854b027

Favs Debugpaste

https://athion.net/ISPaster/paste/view/61c10fcfe0ed49438790aeac5f139ea0

Favs Version

2.3.0

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

No response

[10:02:58] [Server thread/INFO]: NotMyFault issued server command: /b b
[10:02:58] [Server thread/ERROR]: null
org.bukkit.command.CommandException: Unhandled exception executing 'b b' in com.thevoxelbox.voxelsniper.command.Command(brush)
	at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:156) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at org.bukkit.craftbukkit.v1_17_R1.CraftServer.dispatchCommand(CraftServer.java:770) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.network.PlayerConnection.handleCommand(PlayerConnection.java:1931) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.network.PlayerConnection.a(PlayerConnection.java:1770) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.network.PlayerConnection.a(PlayerConnection.java:1751) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.network.protocol.game.PacketPlayInChat.a(PacketPlayInChat.java:46) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.network.protocol.game.PacketPlayInChat.a(PacketPlayInChat.java:1) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.network.protocol.PlayerConnectionUtils.lambda$0(PlayerConnectionUtils.java:30) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.TickTask.run(SourceFile:18) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.util.thread.IAsyncTaskHandler.executeTask(SourceFile:151) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.util.thread.IAsyncTaskHandlerReentrant.executeTask(SourceFile:23) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.util.thread.IAsyncTaskHandler.executeNext(SourceFile:125) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.MinecraftServer.bf(MinecraftServer.java:1133) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.MinecraftServer.executeNext(MinecraftServer.java:1126) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.util.thread.IAsyncTaskHandler.executeAll(SourceFile:110) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.MinecraftServer.sleepForTick(MinecraftServer.java:1109) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.MinecraftServer.x(MinecraftServer.java:1039) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at net.minecraft.server.MinecraftServer.lambda$0(MinecraftServer.java:303) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	at java.lang.Thread.run(Thread.java:831) [?:?]
Caused by: java.lang.NoSuchMethodError: 'boolean org.bukkit.Material.isEmpty()'
	at com.thevoxelbox.voxelsniper.sniper.Sniper.getCurrentToolkit(Sniper.java:74) ~[?:?]
	at com.thevoxelbox.voxelsniper.command.executor.BrushExecutor.executeCommand(BrushExecutor.java:44) ~[?:?]
	at com.thevoxelbox.voxelsniper.command.Command.execute(Command.java:46) ~[?:?]
	at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:149) ~[spoogot.jar:3204-Spigot-18c71bf-3ad0fb1]
	... 18 more)

Named method is Paper only, we should handle these gracefully.

As discussed internally, we want to move all deployed projects under the com.intellectualsites.<project> namespace.

TODO

• Prepare repository: #165
• Turn off synchronization of com.fastasyncvoxelsniper of the central repository.
• Request the creation of a new staging & release database: https://issues.sonatype.org/browse/OSSRH-81681
  • Grant core team members release permissions, add @Aurelien30000 if desired.
• Draft a new release to turn on sync with the OSSRH.

What feature do you want to see added?

Is there a guide for this? Unfortunately, the wiki no longer exists.

Are there any alternatives?

No

Anything else?

No response

[REQUIRED] FastAsyncVoxelSniper Configuration Files
https://athion.net/ISPaster/paste/view/f4a38642ffe24b2f993c23e940ecdb39

Required Information

• FAVS Version Number (/version VoxelSniper): VoxelSniper version 1.0.4-backward
• Spigot/Paper Version Number (/version): git-Tuinity-"1382473" (MC: 1.16.5)
• Minecraft Version: [1.16.5]

Describe the bug
When using /brush inspect with an arrow and then right clicking a block VoxelSniper will remove the block:

I'm sure this affects other brushes too but it is most noticeable with brushes that are not supposed to change blocks, FAWE and VoxelSniper are both running separate actions with the same tool. Would it be possible to make it so that an item can only be assigned an FAWE function or a VoxelSniper function. Binding /brush inspect to an arrow for example should prevent VoxelSniper operations from going through, unbinding the brush with /brush none should then allow VoxelSniper operations to be used again. As of right now players need to use /btool remove on an arrow before using FAWE brushes every time the server restarts to avoid both plugins from running separate actions.

To Reproduce
Steps to reproduce the behavior:

1. Get an arrow and use /brush inspect
2. Right click with the arrow on the ground

Plugins being used on the server
BungeeGuard, FastAsyncWorldEdit (WorldEdit), LuckPerms, PlotSquared, spark, VoxelSniper

Checklist:

• I included all information required in the sections above
• I made sure there are no duplicates of this report (Use Search)
• I made sure I am using an up-to-date version of FastAsyncVoxelSniper for 1.16.4
• I made sure the bug/error is not caused by any other plugin

Server Implementation

Paper

Server Version

1.17.1

Describe the bug

If you try to set /b eb melt with arrow in hand it returns the following error, and only applies /b e melt

Invalid brush parameters! Use the "info" parameter to display parameter info.|

Please see the following image to see the difference between e and eb:
https://user-images.githubusercontent.com/6114858/78985406-fe163d00-7b28-11ea-8195-6b442f3aa91e.png

To Reproduce

1. Join server with latest FAVS (2.2.2)
2. Hold arrow in hand
3. Use command /b eb melt
4. See the error shown

Expected behaviour

The command /b eb melt should apply the erode brush properly to the tool

Screenshots / Videos

No response

Error log (if applicable)

No response

Fawe Debugpaste

https://athion.net/ISPaster/paste/view/daa83070c03c4295b5cf9a79643374cd

Favs Version

FAVS ver 2.2.2

Checklist

• I have included a Fawe debugpaste.
• I am using the newest build from https://dev.bukkit.org/projects/favs and the issue still persists.

Anything else?

Please dm me in Discord for whitlist to our server so you can test if needed :)

Fetxu#6808

What feature do you want to see added?

I would like to be able to use the fill-down brush to a certain height,
this is useful for when I make builds in the air.

Command format: /b filldown y (height)

The default fill-down height is -64

Example:
/b filldown y 100
If I use the fill down command at anything above 100, it should fill down to 100, anything below that will not work

Are there any alternatives?

Since the fill-down brush just fills until it intersects with another block I used a flat plane.
But sometimes It will reach outside that plane when I work on the edges of the map and it will fill down to the void.

Anything else?

No response

/b eb is only aware of the following arguments:

However, using a valid argument like /b eb fill triggers the info parameter but applies the brush too:

git-Purpur-1171
FastAsyncVoxelSniper 2.2.2
Luckperms 5.3.67

Tried everything and its still not working.
I did a verbose on Luckperms and it showed this permissions which is exactly the same shown in the permission lists in the wiki.

Now I pasted it on my Builder group and its still not working


and more.

Please help me out
ShockCharge.

Idea from @JayemCeekay: For some brushes like erode, I would be in favor of leaving the choice, an individual command per arg, as well as a general command for all args.

- Should be addressed when switching to cloud.

Originally posted by @Aurelien30000 in #52 (comment)

Is your feature request related to a problem? Please describe.
Players on my server and I are frustrated when we log in and use the arrow by accident and make small holes everywhere in the map. Most of the time you don't even notice you are deleting blocks (when playing as an archer) that you are removing blocks very far away. These holes have to be cleaned up afterward and other players report them as an issue/bug to our staff team causing us huge amounts of work sometimes.

Describe the solution you'd like
A configuration option to disable sniping by default would be a perfect solution.

Describe alternatives you've considered
Logging in and typing /vs disable every time (current situation) or writing a script that does it for everyone.