🌍 Language / Idioma / Língua / Langue / Язык / 语言
🇬🇧 English •
🇪🇸 Español •
🇧🇷 Português •
🇫🇷 Français •
🇷🇺 Русский •
🇨🇳 中文
This document provides detailed information about JDevTools' built-in security system.
JDevTools includes an enterprise-grade security system to protect your server from malicious code. The security scanner works in two phases:
Source Code → [AST Analysis] → Compilation → [Bytecode Verification] → Loading
↓ ↓
Security Issues Security Issues
↓ ↓
BLOCK / WARN / ALLOW BLOCK / WARN / ALLOW
| Detector | What it catches |
|---|---|
| RCE Detector | Runtime.exec(), ProcessBuilder, shell commands |
| JNDI Detector | Log4Shell-style injection patterns |
| Deserialization Detector | Unsafe ObjectInputStream usage |
| Reflection Detector | Dangerous reflection patterns (setAccessible, forName) |
| Obfuscation Detector | Suspicious variable names, encoded strings |
| Unsafe API Detector | sun.misc.Unsafe, native code loading |
| Combination Analyzer | Multi-pattern attack detection |
- Remote Code Execution (RCE)
- Shell command execution
- JNDI injection (Log4Shell)
- Unsafe deserialization
- Native code loading (
System.loadLibrary) - Security manager bypass
Thread.sleep()in main thread (causes lag)- Network connections (potential data exfiltration)
- Aggressive reflection usage
System.exit()calls
- Minor bad practices
- Deprecated API usage
Configure in config.yml:
security:
level: MODERATE # PARANOID, STRICT, MODERATE, PERMISSIVE| Level | CRITICAL | HIGH | MEDIUM | Use Case |
|---|---|---|---|---|
PARANOID |
BLOCK | BLOCK | WARN | Maximum security, whitelist-only |
STRICT |
BLOCK | WARN | ALLOW | Production servers |
MODERATE |
BLOCK | WARN | ALLOW | Development (default) |
PERMISSIVE |
WARN | ALLOW | ALLOW | Testing only |
Create or edit security.yml for granular control:
# Whitelist specific classes/methods
whitelist:
classes:
- "com.myserver.TrustedUtil"
methods:
- "com.example.MyClass.safeMethod"
# Blacklist custom patterns
blacklist:
patterns:
- "dangerousPattern"
# Trust specific plugin authors
trusted-authors:
- "Kazen"
# Advanced options
advanced:
allow-reflection: false # Allow Class.forName, Method.invoke
allow-networking: false # Allow Socket, URL connections
allow-file-io: true # Allow file read/write
allow-native-code: false # Allow System.loadLibrary
scan-dependencies: true # Scan downloaded JARs
verify-bytecode: true # Post-compilation verification
max-issues-before-block: 10 # Block after N HIGH issuesJDevTools scans dependencies for known vulnerabilities:
| CVE | Name | Severity |
|---|---|---|
| CVE-2021-44228 | Log4Shell (Log4j RCE) | CRITICAL |
| CVE-2022-22965 | Spring4Shell | CRITICAL |
| CVE-2021-42550 | Logback RCE | HIGH |
| CVE-2015-7501 | Apache Commons Collections | HIGH |
| ... | 30+ more CVEs | Various |
/jd cve update
Security reports are saved to plugins/JDevTools/security-reports/ and include:
- Detected issues with severity
- Line numbers in source code
- Recommended fixes
- Overall risk score
If you absolutely need to use blocked code:
- Whitelist specific classes in
security.yml - Set level to PERMISSIVE (warnings only)
- Use JVM flag (requires confirmation file):
Plus create file
-Djdev.unsafe=trueUNSAFE_MODE_CONFIRM.txtwith content:I_UNDERSTAND_THIS_DISABLES_ALL_SECURITY_<port>
Q: The security scanner blocked my legitimate code. What do I do?
A: Add the specific class or method to your whitelist in security.yml. Only whitelist code you fully trust.
Q: Can I disable the security scanner completely?
A: Yes, but it's strongly discouraged. Set security-level: PERMISSIVE in config.yml. The scanner will only warn, not block.
Q: Does the scanner slow down compilation?
A: Minimally. AST analysis adds ~100-200ms to compilation time.
Q: What happens when a threat is detected?
A: Depending on severity and your security level, JDevTools will either:
- BLOCK: Stop compilation and log the issue
- WARN: Continue but log a warning
- ALLOW: Continue silently
For more help, open a GitHub Issue - Discord coming soon!