Security Configuration
Denizen-Reflect provides a powerful but potentially dangerous tool: direct access to Java. To protect your server from malicious scripts, the plugin uses a package whitelisting system, which is configured in the plugins/denizen-reflect/config.yml file.
security:
  # A list of Java packages that scripts are allowed to access via reflection.
  # IMPORTANT: Only add packages you trust. Granting access to sensitive packages
  # (like 'java.io' or 'java.net') can create severe security vulnerabilities on your server.
  # Each entry MUST end with a dot (.).
  allowed-packages:
    - "org."
    - "java."
    - "io."
    - "com."
    - "meigo."
    - "net."
    - "dev."
How It Works
When a script attempts to access a class (e.g., org.bukkit.entity.Player), denizen-reflect checks whether the full class name starts with one of the strings listed in allowed-packages. If a match is found, access is granted. Otherwise, it is blocked.
Security Recommendations
The default configuration is insecure and intended for demonstration purposes only. It is strongly recommended that you restrict access by whitelisting only the packages that are strictly necessary for your scripts to function.
For most Bukkit API tasks, the "org.bukkit." package will be sufficient. Be as specific as possible: instead of whitelisting all of "java.", it is much safer to specify "java.util." or "java.time." to minimize risks. Never allow access to packages like java.io, java.net, or java.nio unless you are 100% certain of what you are doing.
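To make the prefix check in "How It Works" and the recommendations above concrete, here is an added Python model of the whitelist decision together with a small audit helper that flags over-broad entries. It is not part of denizen-reflect; the two allowed-packages lists are constructed from the default shown above and the tightened form the recommendations describe, and the set of sensitive packages is taken from this page.

```python
"""Model of denizen-reflect's allowed-packages prefix check, plus a config audit (added example)."""

# Constructed configs: the documented default and a tightened version per the recommendations.
DEFAULT_ALLOWED = ["org.", "java.", "io.", "com.", "meigo.", "net.", "dev."]
RESTRICTED_ALLOWED = ["org.bukkit.", "java.util.", "java.time."]

# Packages this page singles out as dangerous to expose to scripts.
SENSITIVE_PACKAGES = ("java.io.", "java.net.", "java.nio.")


def is_allowed(class_name, allowed_packages):
    """The documented rule: grant access if the fully qualified class name
    starts with any whitelisted entry, otherwise block it."""
    return any(class_name.startswith(prefix) for prefix in allowed_packages)


def audit_allowed_packages(allowed_packages):
    """Return (entry, reason) findings for entries that weaken the whitelist.

    Checks: the mandatory trailing dot (without it "org.bukkit" would also match
    a class under "org.bukkitfoo"), top-level prefixes that cover every
    sub-package, and entries that expose one of the sensitive packages."""
    findings = []
    for entry in allowed_packages:
        if not entry.endswith("."):
            findings.append((entry, "entry must end with a dot"))
        if entry.count(".") == 1:
            findings.append((entry, "top-level prefix: covers every sub-package"))
        for sensitive in SENSITIVE_PACKAGES:
            # Either the entry is broader than the sensitive package ("java.")
            # or it sits inside it ("java.io." or "java.io.File.").
            if sensitive.startswith(entry) or entry.startswith(sensitive):
                findings.append((entry, f"exposes {sensitive}"))
    return findings


if __name__ == "__main__":
    for cls in ("org.bukkit.entity.Player", "java.util.UUID", "java.io.File"):
        print(f"{cls}: default={is_allowed(cls, DEFAULT_ALLOWED)} "
              f"restricted={is_allowed(cls, RESTRICTED_ALLOWED)}")
    for entry, reason in audit_allowed_packages(DEFAULT_ALLOWED):
        print(f"finding: {entry!r} -> {reason}")
```

Run against the default list the audit reports every entry as a top-level prefix and shows that "java." alone exposes java.io, java.net and java.nio; the restricted list produces no findings while still admitting Bukkit and java.util classes.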
Properly configuring this file is a critical aspect of using denizen-reflect securely on your server.