Merge remote-tracking branch 'origin/stable' into minor-next

.github/PULL_REQUEST_TEMPLATE.md

@@ -34,7 +34,10 @@ Requires translations:
 
 ## Tests
 <!--
-Details should be provided of tests done. Simply saying "tested" or equivalent is not acceptable.
-
-Attach scripts or actions to test this pull request, as well as the result
+PRs which have not been tested MUST be marked as draft.
 -->
+I tested this PR by doing the following (tick all that apply):
+- [ ] Writing PHPUnit tests (commit these in the `tests/phpunit` folder)
+- [ ] Playtesting using a Minecraft client (provide screenshots or a video)
+- [ ] Writing a test plugin (provide the code and sample output)
+- [ ] Other (provide details)

.github/workflows/draft-release.yml

@@ -86,7 +86,7 @@ jobs:
             ${{ github.workspace }}/build_info.json
 
       - name: Create draft release
-        uses: ncipollo/release-action@v1.13.0
+        uses: ncipollo/release-action@v1.14.0
         with:
           artifacts: ${{ github.workspace }}/PocketMine-MP.phar,${{ github.workspace }}/start.*,${{ github.workspace }}/build_info.json
           commit: ${{ github.sha }}

.github/workflows/main-php-matrix.yml

@@ -30,7 +30,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Setup PHP
-        uses: pmmp/setup-php-action@2.0.0
+        uses: pmmp/setup-php-action@3.1.0
         with:
           php-version: ${{ inputs.php }}
           install-path: "./bin"
@@ -62,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Setup PHP
-        uses: pmmp/setup-php-action@2.0.0
+        uses: pmmp/setup-php-action@3.1.0
         with:
           php-version: ${{ inputs.php }}
           install-path: "./bin"
@@ -96,7 +96,7 @@ jobs:
           submodules: true
 
       - name: Setup PHP
-        uses: pmmp/setup-php-action@2.0.0
+        uses: pmmp/setup-php-action@3.1.0
         with:
           php-version: ${{ inputs.php }}
           install-path: "./bin"
@@ -128,7 +128,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Setup PHP
-        uses: pmmp/setup-php-action@2.0.0
+        uses: pmmp/setup-php-action@3.1.0
         with:
           php-version: ${{ inputs.php }}
           install-path: "./bin"

changelogs/5.11.md

@@ -24,3 +24,22 @@ Consider using the `mcpe-protocol` directive in `plugin.yml` as a constraint if
 - Restructured GitHub Actions CI workflows to make them easier to maintain (no need to update PHP versions in multiple places anymore).
 - GitHub Actions CodeStyle workflow now uses php-cs-fixer 3.49.x.
 - Dependabot updates are now processed weekly instead of daily.
+
+# 5.11.1
+Released 23rd February 2024.
+
+## Fixes
+- Fixed subchunk count calculation in `ChunkSerializer` for non-overworld dimension (useful for dimension plugins).
+- Harden options used for processing JSON data, particularly on the network, to close security issues.
+
+## Documentation
+- Fixed PHPStan signature for `Utils::cloneObjectArray()`.
+
+## Internals
+- Updated GitHub Actions versions to get rid of deprecation warnings.
+
+# 5.11.2
+Released 26th February 2024.
+
+## Fixes
+- Added extra checks for `BookEditPacket` handling.

composer.json

@@ -32,7 +32,7 @@
       "ext-zlib": ">=1.2.11",
       "composer-runtime-api": "^2.0",
       "adhocore/json-comment": "~1.2.0",
-      "pocketmine/netresearch-jsonmapper": "~v4.2.1000",
+      "pocketmine/netresearch-jsonmapper": "~v4.4.999",
       "pocketmine/bedrock-block-upgrade-schema": "~3.5.0+bedrock-1.20.60",
       "pocketmine/bedrock-data": "~2.8.0+bedrock-1.20.60",
       "pocketmine/bedrock-item-upgrade-schema": "~1.7.0+bedrock-1.20.60",
@@ -52,7 +52,7 @@
       "symfony/filesystem": "~6.4.0"
    },
    "require-dev": {
-      "phpstan/phpstan": "1.10.57",
+      "phpstan/phpstan": "1.10.58",
       "phpstan/phpstan-phpunit": "^1.1.0",
       "phpstan/phpstan-strict-rules": "^1.2.0",
       "phpunit/phpunit": "~10.3.0 || ~10.2.0 || ~10.1.0"

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "8b860493cc27ba81e717153651a786b6",
+    "content-hash": "f43d60f8c44393f5c42b7ba27cd8ccc0",
     "packages": [
         {
             "name": "adhocore/json-comment",
@@ -562,16 +562,16 @@
         },
         {
             "name": "pocketmine/netresearch-jsonmapper",
-            "version": "v4.2.1000",
+            "version": "v4.4.999",
             "source": {
                 "type": "git",
                 "url": "https://github.com/pmmp/netresearch-jsonmapper.git",
-                "reference": "078764e869e9b732f97206ec9363480a77c35532"
+                "reference": "9a6610033d56e358e86a3e4fd5f87063c7318833"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/pmmp/netresearch-jsonmapper/zipball/078764e869e9b732f97206ec9363480a77c35532",
-                "reference": "078764e869e9b732f97206ec9363480a77c35532",
+                "url": "https://api.github.com/repos/pmmp/netresearch-jsonmapper/zipball/9a6610033d56e358e86a3e4fd5f87063c7318833",
+                "reference": "9a6610033d56e358e86a3e4fd5f87063c7318833",
                 "shasum": ""
             },
             "require": {
@@ -585,7 +585,7 @@
                 "netresearch/jsonmapper": "~4.2.0"
             },
             "require-dev": {
-                "phpunit/phpunit": "~7.5 || ~8.0 || ~9.0",
+                "phpunit/phpunit": "~7.5 || ~8.0 || ~9.0 || ~10.0",
                 "squizlabs/php_codesniffer": "~3.5"
             },
             "type": "library",
@@ -610,9 +610,9 @@
             "support": {
                 "email": "cweiske@cweiske.de",
                 "issues": "https://github.com/cweiske/jsonmapper/issues",
-                "source": "https://github.com/pmmp/netresearch-jsonmapper/tree/v4.2.1000"
+                "source": "https://github.com/pmmp/netresearch-jsonmapper/tree/v4.4.999"
             },
-            "time": "2023-07-14T10:44:14+00:00"
+            "time": "2024-02-23T13:17:01+00:00"
         },
         {
             "name": "pocketmine/raklib",
@@ -1379,16 +1379,16 @@
         },
         {
             "name": "phpstan/phpstan",
-            "version": "1.10.57",
+            "version": "1.10.58",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpstan/phpstan.git",
-                "reference": "1627b1d03446904aaa77593f370c5201d2ecc34e"
+                "reference": "a23518379ec4defd9e47cbf81019526861623ec2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/1627b1d03446904aaa77593f370c5201d2ecc34e",
-                "reference": "1627b1d03446904aaa77593f370c5201d2ecc34e",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/a23518379ec4defd9e47cbf81019526861623ec2",
+                "reference": "a23518379ec4defd9e47cbf81019526861623ec2",
                 "shasum": ""
             },
             "require": {
@@ -1437,7 +1437,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-01-24T11:51:34+00:00"
+            "time": "2024-02-12T20:02:57+00:00"
         },
         {
             "name": "phpstan/phpstan-phpunit",

src/VersionInfo.php

@@ -31,7 +31,7 @@ use function str_repeat;
 
 final class VersionInfo{
 	public const NAME = "PocketMine-MP";
-	public const BASE_VERSION = "5.11.1";
+	public const BASE_VERSION = "5.11.3";
 	public const IS_DEVELOPMENT_BUILD = true;
 	public const BUILD_CHANNEL = "stable";
 

src/data/bedrock/block/upgrade/BlockStateUpgradeSchemaUtils.php

@@ -389,6 +389,9 @@ final class BlockStateUpgradeSchemaUtils{
 		}
 
 		$jsonMapper = new \JsonMapper();
+		$jsonMapper->bExceptionOnMissingData = true;
+		$jsonMapper->bExceptionOnUndefinedProperty = true;
+		$jsonMapper->bStrictObjectTypeChecking = true;
 		try{
 			$model = $jsonMapper->map($json, new BlockStateUpgradeSchemaModel());
 		}catch(\JsonMapper_Exception $e){

src/data/bedrock/item/upgrade/ItemIdMetaUpgradeSchemaUtils.php

@@ -88,6 +88,9 @@ final class ItemIdMetaUpgradeSchemaUtils{
 		}
 
 		$jsonMapper = new \JsonMapper();
+		$jsonMapper->bExceptionOnMissingData = true;
+		$jsonMapper->bExceptionOnUndefinedProperty = true;
+		$jsonMapper->bStrictObjectTypeChecking = true;
 		try{
 			$model = $jsonMapper->map($json, new ItemIdMetaUpgradeSchemaModel());
 		}catch(\JsonMapper_Exception $e){

src/network/mcpe/auth/ProcessLoginTask.php

@@ -124,6 +124,7 @@ class ProcessLoginTask extends AsyncTask{
 		$mapper = new \JsonMapper();
 		$mapper->bExceptionOnMissingData = true;
 		$mapper->bExceptionOnUndefinedProperty = true;
+		$mapper->bStrictObjectTypeChecking = true;
 		$mapper->bEnforceMapType = false;
 
 		try{
@@ -167,6 +168,7 @@ class ProcessLoginTask extends AsyncTask{
 		$mapper = new \JsonMapper();
 		$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
 		$mapper->bExceptionOnMissingData = true;
+		$mapper->bStrictObjectTypeChecking = true;
 		$mapper->bEnforceMapType = false;
 		$mapper->bRemoveUndefinedAttributes = true;
 		try{

src/network/mcpe/handler/InGamePacketHandler.php

@@ -878,8 +878,12 @@ class InGamePacketHandler extends PacketHandler{
 	}
 
 	public function handleBookEdit(BookEditPacket $packet) : bool{
+		$inventory = $this->player->getInventory();
+		if(!$inventory->slotExists($packet->inventorySlot)){
+			return false;
+		}
 		//TODO: break this up into book API things
-		$oldBook = $this->player->getInventory()->getItem($packet->inventorySlot);
+		$oldBook = $inventory->getItem($packet->inventorySlot);
 		if(!($oldBook instanceof WritableBook)){
 			return false;
 		}

src/network/mcpe/handler/LoginPacketHandler.php

@@ -169,6 +169,7 @@ class LoginPacketHandler extends PacketHandler{
 				$mapper->bEnforceMapType = false; //TODO: we don't really need this as an array, but right now we don't have enough models
 				$mapper->bExceptionOnMissingData = true;
 				$mapper->bExceptionOnUndefinedProperty = true;
+				$mapper->bStrictObjectTypeChecking = true;
 				try{
 					/** @var AuthenticationData $extraData */
 					$extraData = $mapper->map($claims["extraData"], new AuthenticationData());
@@ -197,6 +198,7 @@ class LoginPacketHandler extends PacketHandler{
 		$mapper->bEnforceMapType = false; //TODO: we don't really need this as an array, but right now we don't have enough models
 		$mapper->bExceptionOnMissingData = true;
 		$mapper->bExceptionOnUndefinedProperty = true;
+		$mapper->bStrictObjectTypeChecking = true;
 		try{
 			$clientData = $mapper->map($clientDataClaims, new ClientData());
 		}catch(\JsonMapper_Exception $e){

src/resourcepacks/ZippedResourcePack.php

@@ -108,6 +108,7 @@ class ZippedResourcePack implements ResourcePack{
 
 		$mapper = new \JsonMapper();
 		$mapper->bExceptionOnMissingData = true;
+		$mapper->bStrictObjectTypeChecking = true;
 
 		try{
 			/** @var Manifest $manifest */

src/updater/UpdateCheckTask.php

@@ -55,6 +55,7 @@ class UpdateCheckTask extends AsyncTask{
 				}else{
 					$mapper = new \JsonMapper();
 					$mapper->bExceptionOnMissingData = true;
+					$mapper->bStrictObjectTypeChecking = true;
 					$mapper->bEnforceMapType = false;
 					try{
 						/** @var UpdateInfo $responseObj */

src/utils/Utils.php

@@ -173,16 +173,17 @@ final class Utils{
 	}
 
 	/**
-	 * @phpstan-template T of object
+	 * @phpstan-template TKey of array-key
+	 * @phpstan-template TValue of object
 	 *
 	 * @param object[] $array
-	 * @phpstan-param T[] $array
+	 * @phpstan-param array<TKey, TValue> $array
 	 *
 	 * @return object[]
-	 * @phpstan-return T[]
+	 * @phpstan-return array<TKey, TValue>
 	 */
 	public static function cloneObjectArray(array $array) : array{
-		/** @phpstan-var \Closure(T) : T $callback */
+		/** @phpstan-var \Closure(TValue) : TValue $callback */
 		$callback = self::cloneCallback();
 		return array_map($callback, $array);
 	}