Releases: plan-player-analytics/Plan

5.5 DEV build 2208

05 Feb 10:34
09279cb
Pre-release

This dev release contains bugfixes, an HTML customization equivalent for the React bundle, and navigation improvements to Frontend BETA.

Changes from DEV build 2195

  • Implemented the public_html feature
  • Added mobile navigation and a navigation button to Frontend BETA
  • Fixed /plan reload when PlaceholderAPI is installed

Change log

Webserver

  • Implemented HTTP caching: the browser will now cache some responses and avoid re-downloading data it has already loaded. This can improve page loading times from multiple seconds to milliseconds.
  • Implemented the public_html feature, which allows hosting custom files from a configurable folder, Webserver.Public_html_directory (default /plugins/Plan/public_html). This can be used to host the HTTP challenge file for certbot, among other files.

Frontend BETA

The new frontend can be enabled with the Plugin.Frontend_BETA setting.

  • Use public_html for customizing React-bundle. See https://github.com/plan-player-analytics/Plan/wiki/Html-Customization--migration-guide-to-React on how to use the customization features with new frontend.
  • Added a page navigation button that allows moving to different servers and other pages easily. This replaces the 'Back to main page' button.
  • Improved mobile navigation. With the navigation button this should help mobile users a lot.
  • Fixed network server list saying "No servers installed" while servers were being loaded.
  • Fixed page translation issues

Database

  • PlayerTableRowPatch should no longer be re-applied all the time
  • Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
  • Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement

PlaceholderAPI

  • Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan disabled before PlaceholderAPI.

5.5 DEV build 2195

22 Jan 08:29
88b4191
Pre-release

This dev release contains optimizations to the website loading speed.

Change log

Webserver

  • Implemented HTTP caching: the browser will now cache some responses and avoid re-downloading data it has already loaded. This can improve page loading times from multiple seconds to milliseconds.

Frontend BETA

  • Fixed network server list saying "No servers installed" while servers were being loaded.

Database

  • Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
  • Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement

PlaceholderAPI

  • Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan disabled before PlaceholderAPI.

5.5 build 2172 - CRITICAL security vulnerability fix

15 Jan 08:43

This build contains a fix to a CRITICAL SQL Injection vulnerability, as well as fixes to minor security vulnerabilities.

Yesterday (2023-01-14): finding a minor Path Traversal vulnerability led to a thorough process of labeling all untrusted data in the codebase, and during that process a critical SQL Injection vulnerability was also discovered. When exploited successfully, SQL Injection allows a malicious actor to read any data from the database and to change or delete data. This may expose the salted and hashed passwords of Plan web users, or other data in the database.

It is recommended to update as soon as possible, even though exploits for the vulnerability may not yet exist in the wild.

This is the first time a vulnerability of this high a priority affects Plan, so I'm a bit overwhelmed, but I'm hoping to address this vulnerability professionally by releasing a fix in a timely manner and keeping exact details undisclosed for now to give users time to update.

The fix has been backported to build 1722 https://github.com/plan-player-analytics/Plan/releases/tag/5.4.1722.1

Change Log

Fixed CRITICAL SQL Injection vulnerability

Details
Vulnerable versions: 5.2 build 1168 to 5.5 build 2163

If login is enabled: malicious users with permission level 1 (plan.player.other) or 0 (plan.server) can access an endpoint which was found to contain an SQL Injection vulnerability.
If login is not enabled: any malicious actor can access an endpoint which was found to contain an SQL Injection vulnerability.

Mitigation if you are unable to update

  1. Enable HTTPS and login so that fewer users have access to the vulnerable endpoint.
     https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-%28HTTPS%29-Set-Up
  2. Enable the IP whitelist so that fewer users have access to the vulnerable endpoint.
     Webserver:
       Security:
         IP_whitelist:
           Enabled: true
  3. If you are unable to update or secure the server, disable the Plan webserver. This option is good if you want to delay updating to a more convenient time.
     Webserver:
       Disable_webserver: true

Other fixed security vulnerabilities

  • [Minor] Fixed a Path Traversal vulnerability where an attacker could gain read access to .css, .js, .png, .woff, .woff2, .eot and .ttf files anywhere on the host machine if the Customized_files.Enable_web_dev_mode setting was set to true
  • [Minor] Fixed an XSS (Cross-site scripting) vulnerability in the IP whitelist 403 deny page when an attacker routes traffic to Plan through a reverse proxy with a malicious X-Forwarded-For header
  • Removed untrusted data from exception messages used within the plugin
    • [Minor] Prevented potential XSS vulnerabilities in the Not Found page when untrusted data could enter the error message
    • [Minor] Prevented potential XSS vulnerabilities in the Internal Server Error page when untrusted data could enter the error message
  • [Minor] Prevented a malicious Hello packet from breaking session serialization to CSV on server disable if the join address contained a ; character
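The two request-handling checks behind the first two items above, as an added illustration written for this page (not Plan's own code): resolving a requested static file strictly inside the web directory with the asset-type allow-list named in the note, and showing a client address on the 403 page only after it has been validated as an IP and HTML-escaped. The paths, header values and the allow-list constant are constructed for the example.

```python
from __future__ import annotations

import html
import ipaddress
from pathlib import Path

# Constructed allow-list matching the asset types named in the release note.
ALLOWED_SUFFIXES = {".css", ".js", ".png", ".woff", ".woff2", ".eot", ".ttf"}


def resolve_static_file(web_root: str, requested: str) -> Path | None:
    """Map an untrusted (already percent-decoded) request path onto web_root.

    Returns the resolved file path, or None when the request escapes
    web_root (for example '../../etc/passwd') or asks for a file type
    that is not a static web asset. Containment is checked on the
    resolved path, so '..' segments and absolute paths cannot slip out.
    """
    root = Path(web_root).resolve()
    # A leading slash would make the join start at '/', so drop it first.
    candidate = (root / requested.lstrip("/\\")).resolve()
    if root not in candidate.parents:
        return None  # traversal outside the web directory
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None  # not an asset type this handler serves
    return candidate


def forwarded_client_for_403(x_forwarded_for: str | None, remote_addr: str) -> str:
    """Pick the address shown on the whitelist 403 page without trusting the raw header.

    Only the first comma-separated entry is considered, and only if it parses
    as an IP address; anything else falls back to the socket address. The
    result is HTML-escaped so it can be embedded in the page body.
    """
    shown = remote_addr
    if x_forwarded_for:
        first = x_forwarded_for.split(",", 1)[0].strip()
        try:
            shown = str(ipaddress.ip_address(first))
        except ValueError:
            shown = remote_addr  # header was not an IP: ignore it
    return html.escape(shown, quote=True)
```

Trusting X-Forwarded-For at all only makes sense when the webserver is reachable exclusively through the reverse proxy that sets it.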

Locale

  • Updated Finnish (FI) Locale

5.4 build 1722.1

15 Jan 11:47
Pre-release

5.4 build 1722.1 - Backported critical security vulnerability fix to build 1722

This build contains a fix to a critical SQL Injection vulnerability, as well as fixes to minor security vulnerabilities.

Refer to release https://github.com/plan-player-analytics/Plan/releases/tag/5.5.2172 for further details, and prefer the newest version whenever possible when installing. 5.4 is not actively maintained; the backport was created since 15% of servers still use build 1722.

5.5 build 2163

07 Jan 10:08

This update contains performance improvements and subdirectory support for the new frontend.

Change log

Database

  • Fixed a concurrency bottleneck where write and read operations interfered with each other, limiting execution to one query or transaction at a time. This bottleneck occurred because the access lock designed to prevent database operations during schema modifications was still enabled after the schema modifications had already completed.
  • Disabled BadAFKThresholdValuePatch - This patch was written to fix bad data input from version 4.5.2 which is no longer being used according to metrics, so this patch can be disabled. It was sometimes executed if a player joined a server and never moved.

Frontend BETA

Export features are now complete, up next is Html Customization.

  • Implemented support and tests for reverse-proxy setups with subdirectory proxy_pass settings (Eg. address.com/plan/)
  • Implemented support and tests for Export to a subdirectory (eg. /var/public_html/plan/ accessed from address.com/plan/)

Webserver

  • Added a read-write lock to json_cache so that files are not read while being written. This might solve some randomly occurring issues.

Plugin Enable

  • Incorrectly written lines in unsaved-sessions.csv during plugin disable are now ignored - a warning is printed instead of an exception stacktrace.

5.5 build 2150 - Hotfix

30 Dec 11:58

This update contains a hotfix to build 2144. New installations after build 2100 are not affected - The bug affected instances that were updated from versions prior to build 2100 on networks or fabric servers. Sorry for any inconvenience it has caused. More about the bug below.

Fixed bug in BadJoinAddressCorrectionPatch

An unfortunate typo in the session-to-join-address-id correction code caused all sessions to get an invalid join address id. Instead of correcting invalid ids to correct ids, it changed correct ids to incorrect ids. Any installation where the broken patch ran lost its join address data.

Symptoms of the bad patch:

  • Playtime data too low or missing on player pages
  • Activity index differs between player page and player list
  • Join address data shows no data

Fixes in this update:

  • Fixed the typo, now the patch works as intended and corrects join address ids.
  • Added a second patch that attempts to recover at least some of the missing data by using latest join address in plan_user_info table for installations that ran the bad patch. This is a best-effort solution since the original data was deleted by the bad patch, so some granularity like player changing the address they have used in the past was lost.
  • Playtime and activity index values should recover since the issue was caused by join address ids pointing to invalid numbers.

5.5 build 2144

20 Dec 17:45

This build contains various bugfixes.

Change log

Join Address Data

  • Any join address data that has null characters (gathering was fixed in previous update) is now cleaned on first startup - the data after null character is cleared, and the valid data kept. This should help with join address tab not loading in many cases. This was thoroughly unit tested to ensure it works properly.

Query page

  • Fixed Query results erroring with 500 due to mistake in the code not placing boolean parameters in the query parameters.

Frontend BETA

  • Fixed timezone not being applied to graphs (All line graphs)
  • Fixed exported pages constantly updating data in the background

5.5 build 2121

08 Dec 14:55

Another release to add 1.19.3 support to Fabric and release all the goodies developed since the previous update :)

Special thanks to DrexHD for contributions to this update.

Change Log

Data gathering

Fabric

  • DrexHD updated fabric code to be compatible with 1.19.3 changes

Frontend BETA

  • Fixed login and register redirects to wrong place
  • Fixed Playerbase overview 30 days and Now being wrong way around on the table
  • React Export is now functional (At least on webservers that serve the bundle at /, further testing needed if your export is on /stats/ for example.)
    • If Frontend beta and export are enabled, the old html files are no longer exported.
    • Extra index.html files are exported to redirect back to the React bundle to allow sharing the URLs to others. This is because in the React frontend the address is handled by React Router and clicking most links on the pages makes no extra requests for html. Reloading on the other hand needs html file, so the extra files redirect to {address}/?redirect={address you used} - so that you end up where you want.
    • Exported pages have a different icon next to last refresh timestamp to visually distinguish from screenshots which one is being used.
    • Known issue with export: The json files are constantly being reloaded by the browser if they're old

5.5 build 2100 - 6 years of Plan!

02 Dec 18:07

This release contains a lot of things. Frontend BETA enters next phase since all pages have been rewritten in React, next steps are export and html customization implementation for it. This update also contains data gathering fixes, additions, new placeholders along with other bugfixes.

Today also marks the 6th year of Plan development! As is customary at this point, there's a Year in Review post after the change log.

Special thanks to Vankka and angela0930 for contributions to this update.

Change log

Data Gathering

  • Removed data after null-byte in Join Address data. Bungeecord and Velocity use the handshake-packet to forward UUID and IP information of players, and since the join address comes from handshake packet, that data ended up in the join addresses Plan gathered. Forge Mod Loader forwards its version information in the same handshake packet in similar fashion. Discarding data after the null-byte should resolve any issues.

Frontend BETA

  • Names of new players are now shown in Light Green in PvP tables when they are the player who was killed within 24h of their first join. This is to help find players who kill newer players.
  • /query page has been rewritten in React.
  • /register page has been rewritten in React
  • Fixed plugin cards overlapping when moving to different page on a table
  • Fixed /network/... redirecting to /network
  • Fixed colors of buttons when hovering mouse on them

I'm excited, the frontend part of the rewrite is complete and I can move to implementing export and html customization for the new frontend.

Export

  • Experimental version of export for React version is now enabled if Frontend BETA and Export are both enabled. This will place index.html at the root of the export directory along with all the react files. I have not yet been able to test it properly, so it might be completely unusable. Just throwing it out there.

DataExtension API: Component API by Vankka

If your plugin's data contains chat colors or mini-message information, that information can now be included so that it will eventually show up on the website. Check documentation for the new API here

Extensions

  • Vankka fixed error that occurred when deleting LuckPerms groups
  • Vankka fixed LuckPerms not showing colors properly on the website

Placeholders

Added new placeholders

  • %plan_time_active_{day/week/month}%
  • %plan_time_active_{day/week/month}_raw%
  • %plan_top_player_kills_{day/week/month/total}_{n}%

Locale

  • angela0930 updated ZH_TW locale

Other

  • Fixed ConcurrentModificationException related to world aliases
  • Fixed some queries erroring in Strict group by mode for MySQL
  • Fixed Ore not showing Plan sponge version
  • Fixed removal of cookies that expired while server was offline
  • Fixed RemoveUsernameFromAccessLogPatch applying every time
  • Changed "Database can't keep up with transactions" to less dire message
  • Fixed SQLITE_CONSTRAINT_NOTNULL when request uri is null

Year in review: Year 6

This year has been a lot different from the previous five, since there has been a lot more things going on in my personal life. Last year I got a job, and in January I started writing my Master’s thesis. It was very tough balancing all that on top of developing Plan on the side. I had to take some months off development entirely with a hiatus in the summer and fall to finish up the thesis. In September I returned the thesis for review and I’m happy to now have graduated! Things definitely calmed down after finishing up the thesis and resuming Plan development after the hiatus.

The running theme this year has been steady and stable changes. Inspired by the answers to last year’s poll, the goals for this year were to improve the loading speed of the website, as well as visualizing more of the gathered data.

There’s been a lot of work done this year towards those goals. The database schema was changed drastically, the webserver was changed to Jetty, and Frontend BETA is rewriting the code running in browser to React. Alone each change brings small improvements, but together they improve things a lot.
I’m very excited for the future, since the React frontend speeds up development of new things considerably thanks to an environment where changes can be seen instantly. Previously I would have had to compile Plan and restart the test server; seeing changes now takes 1 second instead of the 3 minutes it used to take.

The main goals for 2023 are to get the new frontend out of Beta after feature parity with the previous frontend is reached (Export and Html Customization still to go), and after that it’ll be time to tackle a lot of tickets with the ’Visualization’ tag. A lot of the ongoing work has been done to make future changes easier, which should speed up feature additions in the upcoming year.

I’m very happy that all the automation created in the past years is now finally paying off, helping keep confidence in that everything works as intended when changing something. I love that it’s now possible to deliver development builds fast, even within the same hour when someone is asking for help.

Special thanks to Github sponsors, donators, discord moderators, support, and contributors this year! Extra special thanks to Kopo & Vankka for their constant input into the project.

This year in numbers

  • From build 1516 to build 2100: 584 commits released as updates
  • From #43 to #20 in top plugins by rating – and keeping the #8 spot in top spigot plugins by rating.
  • Installations have stayed stable at over 4000 servers
  • From 59k lines of code to 64k (not counting extensions or web code)
  • From 51.3% test coverage to 57.4%
  • 194 issues and 32 (+247 dependabot) pull requests closed this year

Have a good one! :)

5.5 DEV build 2076

22 Nov 08:51
Pre-release

This dev release contains a lot of changes, let's dive in.

Special thanks to Vankka and angela0930 for contributions to this update.

Change log

Data Gathering

  • Removed data after null-byte in Join Address data. Bungeecord and Velocity use the handshake-packet to forward UUID and IP information of players, and since the join address comes from handshake packet, that data ended up in the join addresses Plan gathered. Forge Mod Loader forwards its version information in the same handshake packet in similar fashion. Discarding data after the null-byte should resolve any issues.
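The null-byte handling described here, in build 2100 and in the build 2144 cleanup of already stored data, as an added illustration (not Plan's own code): a gathered join address is truncated at the first NUL, and a stored id -> address table is cleaned the same way, with rows that become identical merged so that references to them can be repointed. The handshake layouts and the table shape are constructed assumptions for the example.

```python
from __future__ import annotations

NUL = "\0"


def clean_join_address(raw: str) -> str:
    """Keep only the text before the first NUL byte.

    BungeeCord/Velocity IP forwarding and Forge Mod Loader append extra
    fields to the handshake server-address separated by NUL bytes, so a
    gathered value can look like 'play.example.org\x00203.0.113.9\x00<uuid>'
    (constructed layout). The part before the first NUL is what the player
    typed; everything after it is forwarding metadata and is discarded.
    """
    cut = raw.find(NUL)
    return raw if cut == -1 else raw[:cut]


def dedupe_join_addresses(rows: dict[int, str]) -> tuple[dict[int, str], dict[int, int]]:
    """Clean a stored id -> address table and merge rows that become equal.

    Returns (cleaned_rows, id_remap). A row whose cleaned address already
    exists is folded into the lowest surviving id, and id_remap tells the
    caller how to repoint references (e.g. session rows) to that id.
    The table layout is an assumption for this example, not Plan's schema.
    """
    survivors: dict[str, int] = {}  # cleaned address -> surviving id
    cleaned: dict[int, str] = {}
    remap: dict[int, int] = {}
    for row_id in sorted(rows):
        address = clean_join_address(rows[row_id])
        keep_id = survivors.setdefault(address, row_id)
        remap[row_id] = keep_id
        if keep_id == row_id:
            cleaned[row_id] = address
    return cleaned, remap
```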

Frontend BETA

  • Names of new players are now shown in Light Green in PvP tables when they are the player who was killed within 24h of their first join. This is to help find players who kill newer players.
  • /query page has been rewritten in React.
  • Fixed plugin cards overlapping when moving to different page on a table
  • Fixed /network/... redirecting to /network
  • Fixed colors of buttons when hovering mouse on them

I'm excited, the frontend part of the rewrite is soon complete and I can move to implementing export and html customization for the new frontend.

DataExtension API: Component API by Vankka

If your plugin's data contains chat colors or mini-message information, that information can now be included so that it will eventually show up on the website. Check documentation for the new API here

Extensions

  • Vankka fixed error that occurred when deleting LuckPerms groups
  • Vankka fixed LuckPerms not showing colors properly on the website

Placeholders

Added new placeholders

  • %plan_time_active_{day/week/month}%
  • %plan_time_active_{day/week/month}_raw%
  • %plan_top_player_kills_{day/week/month/total}_{n}%

Locale

  • angela0930 updated ZH_TW locale

Other

  • Fixed ConcurrentModificationException related to world aliases
  • Fixed some queries erroring in Strict group by mode for MySQL
  • Fixed Ore not showing Plan sponge version
  • Fixed removal of cookies that expired while server was offline
  • Fixed RemoveUsernameFromAccessLogPatch applying every time
  • Changed "Database can't keep up with transactions" to less dire message
  • Fixed SQLITE_CONSTRAINT_NOTNULL when request uri is null