Plugin Trust System

I like that idea a lot, but you’d be able to circumvent that easily through reflection in Java though.

That would take pressure off the moderators of course, but as @drtshock said, a developer could easily upload one or two “proper” versions of a plugin and add malicious code later.

2 Likes

But no dev would be considered experienced and trusted without many scanned and reviewed uploads. If the staff could fine tune it enough then it would become so much more efficient.

Waiting a long time for an update sucks. Once I waited a month for one of my updates to be accepted. This system could make it a lot better for devs. It just needs to be fine tuned correctly.

In regards to the Permissions thing for plugin:

We tried this in Spout (or we were planning to). This is very difficult to do, because we’d have to set up a SecurityManager and stuff like that. While it is a good idea, I doubt it’ll happen.

This is my opinion, other devs may have a different opinion.

1 Like

There’d always be a risk that a developer could get outrageously mad at anything or have a bad day and then abuse them. Staff who look through plugins may make the process take a while, but it is worth it. They should look for more people to look over the plugins if it starts to become a lot of work for them. Granted, this won’t be a problem for a little while now.

1 Like

Yes, having random checks could discourage someone from adding malicious code to their plugin.

I second that. Another concern is that a system like that will become a bro-sciety where “trust” is gained by popularity and personal favors.

For me, it’s either a system that handles all files, authors and users the same or no system at all. I wouldn’t care if there isn’t anything better than the forums for hosting of my project “sites”. At least for a while.

1 Like

A question about the review system, some licenses state that reverse engineering of software is not permitted, which would leave the SpongeProject liable for a civil lawsuit. Will this be taken into account when you write the terms of use or build the plugin submission system?

I imagine they could implement terms of service that require them to reverse engineer any plugins that get added so that they can ensure that they are safe for the community and server admins. I think if there was a policy like that, SpongeProject would be safe. It probably is the same way as Bukkit was, as that would be something that impacted that.

1 Like

I just looked through http://wiki.bukkit.org/BukkitDev:Project_Submission_Guidelines and http://forums.bukkit.org/help/terms and it has nothing relating to it there. I think it should be something here as getting caught up on something as small as that would be annoying.

1 Like

Yeah, I agree. That would suck. @sk89q should add a small note to the submissions policy here about reversing the plugins only for security checks.

Curse hosted the files. You should read their ToS :slight_smile:

Who will build the plugin distribution system, if there will be one?

I really liked the almost guaranteed security full source scanning provided at Bukkit, but it seemed like more trouble than it’s worth to fully scan the jar every time.

I think a better solution would be to have people upload/commit their source to a private repository that only Sponge plugin reviewers could view. Then reviewers will only have to review differentials and trace as far back into the code as needed. If plugins haven’t been fully scanned in x amount of time, they can be flagged for full review on next update so that reviewer errors don’t persist.

CI can build versions from approved source.

Edit: Didn’t read the other thread, I’ll just respond there.

I don’t think a trust system is a good idea. I think where best to place one’s trust is in people who have volunteered to take up the task of reviewing plugins, who are held responsible for their actions.

The trust system sounded good in the beginning, kind of reminded me of eBay. A user has a rating percentage, or stars, blah blah blah. But everyone brings up good counter points.

This is a good idea. Then the staff wouldn’t need to look through the entire file each time. Creating less work for a small amount of people.

An ideal system would run itself, but I believe the next best thing would be a system with very little work involved.

No.

[16:51:34]  <Grum> you just offer fake security if you claim to 'precheck/scan' files

There is however some extensive discussion regarding a trust system going on at HeisenBugDev’s discourse (http://discourse.heisenbugdev.com)

HeisenBugDev is a developer oriented mod/plugin hosting site. We’ve got some pretty complex automation going on so it may be better to use it for Sponge’s system rather than making a new one (we’ve got about 6 months development so far). PRs are welcome.

Then maybe a system similar to Google Play Store can be implemented?

Maybe, and idk if that’s a good idea. We could automatically scan plugins based on:

  • Does it interact with the internet / open ports
  • Does it have player.setop(true)/player.grantpermission("*")
  • Does it access folders from outside its plugin folder

These plugins would be flagged and then it’s up to the spongedev staff to ban that user (or not, when used legitimately).
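As an added illustration of the automated scan proposed above (example code, not from the thread or from Sponge), the scanner below parses the constant pool of a Java .class file and flags method references to networking, reflection, class loading and op/permission APIs. The denylist and the `build_class` helper that constructs sample input are assumptions for the example; a real scanner would iterate over every class in the plugin jar.

```python
import struct

# JVM constant-pool tags -> fixed payload size in bytes (tag 1, Utf8, is variable length)
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Constructed denylist mirroring the post's heuristics: network, reflection, class loading, op grants
SUSPICIOUS_OWNERS = ("java/net/", "java/lang/reflect/", "java/lang/ClassLoader", "java/lang/Runtime")
SUSPICIOUS_METHODS = ("setOp", "grantPermission", "forName", "invoke", "defineClass", "exec")

def constant_pool(data):
    """Parse the constant pool of a .class file into a list indexed the way the JVM indexes it."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pool, pos, i = [None] * count, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the string bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pool[i] = (tag, data[pos:pos + FIXED[tag]])
            pos += FIXED[tag]
        i += 2 if tag in (5, 6) else 1  # long/double entries occupy two slots
    return pool

def method_refs(pool):
    """Resolve every Methodref/InterfaceMethodref entry to (owner class, method name)."""
    refs = []
    for entry in pool:
        if entry and entry[0] in (10, 11):
            class_i, nat_i = struct.unpack(">HH", entry[1])
            owner = pool[struct.unpack(">H", pool[class_i][1])[0]][1]
            name_i = struct.unpack(">HH", pool[nat_i][1])[0]
            refs.append((owner, pool[name_i][1]))
    return refs

def scan(data):
    """Return 'owner.method' strings a reviewer should look at; an empty list means nothing flagged."""
    return [f"{o}.{n}" for o, n in method_refs(constant_pool(data))
            if o.startswith(SUSPICIOUS_OWNERS) or n in SUSPICIOUS_METHODS]

def build_class(owner, name, desc="()V"):
    """Constructed sample input: a class-file header whose constant pool holds one Methodref."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = [utf8(owner), b"\x07" + struct.pack(">H", 1),                 # 1 Utf8, 2 Class -> #1
          utf8(name), utf8(desc), b"\x0c" + struct.pack(">HH", 3, 4),  # 3, 4 Utf8, 5 NameAndType
          b"\x0a" + struct.pack(">HH", 2, 5)]                         # 6 Methodref -> #2, #5
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(cp) + 1) + b"".join(cp)
```

It only sees direct constant-pool references, so a call made through reflection with an obscured string shows up as nothing more than `java/lang/reflect/Method.invoke`, which is why such a scan can only triage for human review rather than replace it.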

Also:

  • Any use of Reflection
  • Accessing classloaders
  • Loading extra stuff onto the classpath
  • Intercepting admin commands (swap out the target of /op, for example)
  • Splitting a payload across multiple plugins, so that any one appears harmless in isolation
  • Use of existing Java APIs that intentionally can execute arbitrary code
  • Use of existing Java APIs that unintentionally can execute arbitrary code
  • Use of existing Java APIs that unintentionally can execute arbitrary code due to a change in the latest JVM update, but was safe previously
  • Use of existing Java APIs that unintentionally can execute arbitrary code in older JVMs that are still in use, though has been patched in a more recent JVM version

There are plenty of ways to obscure a string (or have it passed in through an external channel), then use that string as a method name to call, a class to load, or just about anything else, while leaving no sign that an automated system could identify. It would be hard enough for a highly intelligent and experienced human to identify everything, much less an automated system.

2 Likes

There are programs that can plug in to Eclipse and similar Java development tools that can automatically scan for malicious code and be fine tuned to find more. My solution, if it’s viable, would be to have a team of humans using these programs. If they get false positives, they can disregard them, but they can scan through files easier with the assistance of said program.