Verify checksums of downloaded dependencies on startup.
BNTFryingPan opened this issue · 0 comments
Description
A relatively common issue we encounter in the LuckPerms Discord is corrupt dependency downloads, causing NoClassDefFoundError and ClassNotFoundException (among others). LuckPerms currently only verifies the checksum of downloaded libraries after downloading, and only throws an exception (untested, but I assume on Bukkit, this causes the plugin to disable automatically). When starting the server, it appears the checksum is never verified, and will (attempt to) load the library as long as the file exists.
Proposed Behaviour
At the very least, LuckPerms should verify the checksums of dependencies before loading them. In a comment on issue #641, Luck states that verifying the checksum "Prevents files from being altered on the remote server without our knowledge." However, it appears to me that if someone were to modify the remote file, it would successfully load that modified file on a subsequent restart of the server, assuming the file was left as-is.
A "nice to have" would be an automatic attempt at redownloading dependencies that do not match the expected checksum.
Extra Details
Decided to look into this because of #3872, which was caused by killing the server while LP happened to be downloading dependencies, which I assume left a partially downloaded file there.
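
One way to implement the proposed startup check together with the "nice to have" re-download, as an added example that is not part of the original issue and is not LuckPerms code. The class and method names are hypothetical, and SHA-256 as the pinned digest is an assumption.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper (not LuckPerms code): verify a cached jar on every startup,
// assuming the expected digest is a SHA-256 value pinned in the plugin itself.
public final class VerifiedDependencyCache {

    public static Path ensureVerified(Path jar, URL source, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        // Startup path: a file that merely exists is not trusted until it hashes correctly.
        if (Files.isRegularFile(jar) && matches(jar, expectedSha256)) {
            return jar;
        }
        // Missing, truncated or altered: download to a temp file in the same directory
        // so an interrupted download never leaves a partial file at the final path.
        Path dir = jar.toAbsolutePath().getParent();
        Files.createDirectories(dir);
        Path tmp = Files.createTempFile(dir, "dep-", ".part");
        try {
            try (InputStream in = source.openStream()) {
                Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            }
            if (!matches(tmp, expectedSha256)) {
                throw new IOException("Checksum mismatch after download: " + jar.getFileName());
            }
            Files.move(tmp, jar, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
            return jar;
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }

    private static boolean matches(Path file, byte[] expected)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* reading feeds the digest */ }
        }
        return MessageDigest.isEqual(md.digest(), expected);
    }
}
```

The returned path is the only one that should be handed to the class loader; a mismatch after the fresh download is raised to the caller rather than retried indefinitely.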