WebServer: Switch to Netty

[OoLunar]

Summary

This PR switches off from HTTPServer to Netty to fix several vulnerabilities while still remaining efficient. The motivation for this PR is to allow for bigger servers to use the webserver without worrying about malicious users trying to trojan horse the server. Additionally closes #150.

Notable Changes

• config.yml: Replaces UploadService.DisplayURL, UploadService.WebServer.Host, and UploadService.WebServer.Port with UploadService.BaseURI.
  • BaseURI uses an HTTP URI, which naturally includes all of the above information while also giving the user more control over what the server is listening on and more compatibility with other web services hosted on the same domain name.
• ImageUploadManager: Switched away from HttpServer to Netty, fixing several vulnerabilities and including several optimizations:
  • While your usage of HttpServer was fairly functional, Netty has a lot of built in security checks to prevent common malicious attacks. It's also more compliant with the HTTP protocol, which would prevent edge case bugs that weren't covered by the manual implementation of multipart requests within POST /upload.
  • Prevents path traversal exploits by fully resolving paths and checking the path against the root directory before attempting to open up the file. This also prevents symlink escapes.
  • Prevents file type confusion (MIME content types) and XSS attacks by using Files.probeContentType and setting the proper secure headers.
  • Prevents memory exhaustion DoS attacks by saving file uploads to disk instead of memory. Files smaller than 1MB (configurable) are still saved to memory for efficiency. Additionally makes usage of file streaming instead of completely loading files from disk into memory.
  • Prevents common polyglot file attacks by re-encoding the image.
  • Prevents compression bombs by verifying the image dimensions before processing the rest of the image data (max image dimensions are configurable).
• Additionally I updated the Spigot and Paper maven URL's since they were both deprecated.

Notes

Untested! While I was able to verify the code compiles, I wasn't able to build the jar file due to a dependency on ImageFrame-Parent, which I wasn't able to find. If you could answer my question on your Discord, that'd be greatly appreciated and I'd be happy to test the changes myself.

If you have any questions, you're welcome to drop them below. If you have nitpicks on code style or implementation decisions, I encourage you to merge the PR and then push your changes afterwards.