Maybe this isn't the best place to ask this, but there's a lot of things I could do if reflection was available like in 1.20. I read that it was removed due to security, but a modpack creator could just include a custom mod in their pack that could do the exact same damage. It seems like more of an annoying limitation than anything.
#Why was reflection removed?
A mod could also just mixin into kubejs and skip the class filter. Which I might end up doing tbh
Imagine a malicious script that bypasses the class filter like this:
https://github.com/YukkuriC/kubejs_playground/blob/main/startup_scripts/reflection/ClassFilterUnlocker.js
and then does practically anything, including accessing sun.misc.Unsafe to:
- access methods that aren't memory safe but are meant to be used by built-in Java libraries for performance
- modify private fields of classes.
- access web request and file access libraries.
Again you can do all of that in a mod
Yeah, but that doesn't mean they should allow someone the easier access of doing the bad thing just because there's some other avenue.
Imo it isn't easier, because if you know how to do that, then you probably know how to code and make mods anyway. It seems mainly like a nerf to kube
Mods and packs are vetted by curseforge and modrinth too
Then do it through a mod instead of letting KubeJS do it. It's much easier to make a startup script than make a Java mod. I install KubeJS, put a JS file in a folder, and that's it.
Fair play, it just feels like it goes against the spirit of something like kube which is meant for scripting and mashing together features of mods. A lot of the time you'll need to access private things
Most usages of kube are covered by the api, so I do understand there not being a bigger demand for reflection
lol @ packs being vetted by curseforge
they would have to know kubejs to vet each script individually
so all they do is check for is this mod in the approved list?
I guess the filter could default allow all classes, and then java.net, sun, etc could be denied? That way, you can use reflection with all mods but make it more difficult to do harmful things
I made a mod that allows reflection again: https://github.com/lonevox/KubeJS-Reflected