minecraft-paper-plugin
Audited by Socket on Feb 24, 2026
1 alert found:
Anomaly: The codebase provides a flexible DB abstraction with multiple backends, which is feature-rich but introduces a notable security risk through type-informed deserialization on load. If untrusted data can be written to or manipulated within the databases, an attacker could influence the deserialization process by altering the stored value and its associated type. The Redis path is inconsistent with the other backends, returning a raw JSON string, which could complicate security guarantees. Overall, the systemic risk is centered on unsafe deserialization driven by stored type metadata; other aspects (SQL usage, indexing, connection pooling) are sound. Recommend adding strict whitelisting/verification of allowed classes for deserialization, or implementing safer, value-only storage that does not reconstruct arbitrary objects, plus validating and sandboxing deserialized data prior to Gson.fromJson. Consider decoupling type metadata from stored values or using explicit schemas for value reconstruction, and align the Redis path's behavior with the other backends to avoid the inconsistency.