[ACE] Arbitrary Code Execution - Execute Java code in chat or console

Definitely at least lock this down to just OP users (are permissions available in Sponge yet?) in case somebody gets overly curious.

And have it display a big warning on startup.

And yes, don’t distribute compiled binaries, make them compile it first.

You never can be too careful.

We aren’t going to strike down binaries or the like. How about we stop handholding and make admins have a degree of responsibility by making sure they don’t hand out the perms to this plugin’s commands willy-nilly, eh?


I’ll only stop providing binaries if this becomes an issue. I thought about using compilation as a test to potential users, but right now I see no need for it.

I might also take a look at the Java security system, see if I can lock down shell and system access.

Not saying you should start doing too much hand-holding, but making something a bit more idiot-proof is never a bad thing.

If someone is determined to do something bad, you really can’t and shouldn’t have to stop them, but don’t make it TOO easy for them.

Don’t go out of your way to make a crazy analysis and security system, just take a few simple steps that aren’t too difficult.

Namely: If it is easy to restrict permissions to OPs, do that. That’s pretty much it; it will really mitigate a lot of the damage, but if anyone is really determined, well, they were warned.

The “clean access” of this system is the selling point, I’d avoid cluttering it up with security barriers.

New release!

Last demo before alpha. Next release will support arrays completely.

This release adds, most notably, support for varargs arguments.


Finally, the first alpha release. This is no longer a demo!

This version adds complete support for arrays. It also includes a bunch of bug fixes, to the type checker mostly (I guess spending a day writing a complete test suite for the evaluator was worth it).

You can also buffer code for later evaluation by ending it with the ‘#’ character. It will be appended to a buffer. If the code doesn’t end with ‘#’, the buffer is flushed and everything is evaluated as one long string.

There will be a period of calm until the SpongeAPI implementations start getting more widely used. This means only bug fix updates.
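The two points this thread keeps returning to, gating the command on an explicit permission and the ‘#’ buffering rule described in the release notes, as an added Java example (not the plugin’s or JICI’s own code): the permission node name and the `Source`/`Evaluator` interfaces are assumptions standing in for the real plugin API, and the buffer is kept per source so one player’s pending lines cannot be flushed or appended to by another.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for the plugin's command path (not the plugin's own code):
 *  check the permission first, then apply the '#' buffering rule. */
public final class AceCommandGate {
    /** Minimal view of a command source; models a permission check, not any specific API. */
    public interface Source { String name(); boolean hasPermission(String node); }
    /** Stand-in for the JICI evaluator; the real evaluator API is not shown in the thread. */
    public interface Evaluator { String eval(String javaSource); }

    static final String PERMISSION = "ace.execute"; // assumed node name, not the plugin's
    private final Map<String, StringBuilder> buffers = new HashMap<>(); // one buffer per source
    private final Evaluator evaluator;

    public AceCommandGate(Evaluator evaluator) { this.evaluator = evaluator; }

    /** Returns the message to send back to the source. */
    public String handle(Source source, String code) {
        if (!source.hasPermission(PERMISSION)) {
            // Deny by default: nothing reaches the interpreter without the explicit permission.
            return "No permission to run code.";
        }
        StringBuilder buffer = buffers.computeIfAbsent(source.name(), k -> new StringBuilder());
        if (code.endsWith("#")) {
            // Trailing '#': append the code (without the marker) and wait for more input.
            buffer.append(code, 0, code.length() - 1).append('\n');
            return "Buffered " + buffer.length() + " chars; send a line without '#' to evaluate.";
        }
        // No marker: flush the buffer and evaluate everything as one unit.
        String program = buffer.append(code).toString();
        buffers.remove(source.name());
        return evaluator.eval(program);
    }

    public static void main(String[] args) {
        AceCommandGate gate = new AceCommandGate(src -> "would evaluate: " + src.replace('\n', ' '));
        Source guest = source("guest", false);
        Source op = source("op", true);
        System.out.println(gate.handle(guest, "1 + 1"));
        System.out.println(gate.handle(op, "int x = 2;#"));
        System.out.println(gate.handle(op, "int y = 3;#"));
        System.out.println(gate.handle(op, "x * y"));
    }

    private static Source source(String name, boolean allowed) {
        return new Source() {
            public String name() { return name; }
            public boolean hasPermission(String node) { return allowed && PERMISSION.equals(node); }
        };
    }
}
```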

Hey @DDoS. I am really interested in this project of yours. I hope you will update your ACE plugin to the newest version of SpongeAPI and JICI.

This looks like a really good plugin to have while trying to debug variables in plugins and Sponge. In addition, could you add a “flag” in a config file to disable and enable the command, as well as only allowing players with explicit permission to execute the command?

PS: Sorry not sorry for bumping this old thread.

I was supposed to release a new version a month ago but I encountered a very tricky issue with type variable cycles, just when I thought I was ready for the release. Since then I’ve put it on hold, and have been on a programming break.

My break is going to be over soon, and I think I can resolve the issue easily, but inaccurately, by breaking cycles instead of trying to support them.

Give me a week and I’ll hopefully have a new version out with a better interpreter. It won’t have the extra permission stuff, but generics support will make it much nicer.

Perfect, thank you. The permission stuff is easy to fix with events so no problem.

New release, after a long long time!

This version brings generic support, all of it, except type inference. This means there is no diamond operator support and that generic methods must be passed type arguments explicitly (using the syntax target.<typeArgs...>method(args)).

Some complicated cases of generics (like self-referencing type variables, which look like C<T extends C>) aren’t very well supported, which might cause issues with classes that use them (such as DataManipulator).

There are also quite a few improvements to the overall evaluator code, such as better error highlighting.

Download link is in the original post.

I’ll be moving the project to Ore soon also.
