ChangelogBook 2.2
Major Update - Security, Quality and Bug Fixes
Security Improvements
- Command Injection Fix: Player names in the reward system are now validated before any command is executed. Only alphanumeric names (3-16 characters) are accepted.
- Path Traversal Protection: Export and import operations now verify that file paths stay within the plugin folder. Overwriting critical files (config.yml, data.yml) is blocked.
- SSRF Prevention: Discord webhook URLs are validated to only allow official Discord endpoints.
- File Size Limits: Import operations are now capped at 10 MB and 10,000 entries to prevent server resource exhaustion.
- HTTP Timeouts: All outgoing HTTP requests now have a 5-second connection timeout and a 10-second read timeout.
- Discord Rate Limiting: Webhook requests are limited to 25 per 60 seconds to prevent API abuse.
- Thread Safety: Replaced HashMap with ConcurrentHashMap to prevent race conditions when multiple players join simultaneously.
- Error Logging: Replaced all printStackTrace() calls with proper logger output.
New Features
- Short Numeric IDs: Changelog entries now use simple numeric IDs (1, 2, 3) instead of long UUIDs. Much easier to reference in commands.
- Custom ID Support: Admins can assign custom readable IDs to entries (e.g., "update-1.19", "hotfix-tnt"). Alphanumeric characters, hyphens and underscores supported.
- Automatic Database Migration: Existing UUID-based entries are fully preserved and compatible with the new ID system.
- Content Validation: Entries are validated for minimum and maximum length (up to 5000 characters) before being saved.
Bug Fixes
- Notification Click Fix: Clicking the join notification now correctly opens the changelog list instead of the help menu.
- Health Check Language Fix: The /changelog health command now respects the configured language instead of always showing English.
- Suggestions Language Fix: The /changelog suggest command now uses translated messages.
- Tag List Fix: /changelog tag list now works correctly and no longer shows a usage error.
Technical Details
- Database Schema: ID column extended from VARCHAR(36) to VARCHAR(100) to support flexible ID formats.
- Backward Compatibility: All previously saved UUID entries remain fully functional.
- Requires: Paper / Spigot / Purpur 1.21+, Java 21
- Optional: PlaceholderAPI 2.11.6+, MySQL 8.0+
No configuration changes required. All existing settings remain compatible.