Plugin Trust System

Curse hosted the files. You should read their ToS :slight_smile:

Who will build the plugin distribution system, if there will be one?

I really liked the almost guaranteed security full source scanning provided at Bukkit, but it seemed like more trouble than it’s worth to fully scan the jar every time.

I think a better solution would be to have people upload/commit their source to a private repository that only Sponge plugin reviewers could view. Then reviewers will only have to review differentials and trace as far back into the code as needed. If plugins haven’t been fully scanned in x amount of time, they can be flagged for full review on next update so that reviewer errors don’t persist.

CI can build versions from approved source.

Edit: Didn’t read the other thread, I’ll just respond there.

I don’t think a trust system is a good idea. I think where best to place one’s trust is in people who have volunteered to take up the task of reviewing plugins, who are held responsible for their actions.

The trust system sounded good in the beginning, kind of reminded me of eBay. A user has a rating percentage, or stars, blah blah blah. But everyone brings up good counter points.

This is a good idea. Then the staff wouldn’t need to look through the entire file each time. Creating less work for a small amount of people.

An ideal system would run itself, but I believe the next best thing would be a system with very little work involved.

No.

[16:51:34]  <Grum> you just offer fake security if you claim to 'precheck/scan' files

There is however some extensive discussion regarding a trust system going on at HeisenBugDev’s discourse (http://discourse.heisenbugdev.com)

HeisenBugDev is a developer oriented mod/plugin hosting site. We’ve got some pretty complex automation going on so it may be better to use it for Sponge’s system rather than making a new one (we’ve got about 6 months development so far). PRs are welcome.

Then maybe a system similar to Google Play Store can be implemented?

Maybe, and idk if that's a good idea. We could automatically scan plugins based on:

  • Does it interact with the internet / open ports
  • Does it have player.setop(true)/player.grantpermission("*")
  • Does it access folders from outside its plugin folder

These plugins would be flagged, and then it's up to the spongedev staff to ban that user (or not, when used legitimately).

Also:

  • Any use of Reflection
  • Accessing classloaders
  • Loading extra stuff onto the classpath
  • Intercepting admin commands (swap out the target of /op, for example)
  • Splitting a payload across multiple plugins, so that any one appears harmless in isolation
  • Use of existing Java APIs that intentionally can execute arbitrary code
  • Use of existing Java APIs that unintentionally can execute arbitrary code
  • Use of existing Java APIs that unintentionally can execute arbitrary code due to a change in the latest JVM update, but was safe previously
  • Use of existing Java APIs that unintentionally can execute arbitrary code in older JVMs that are still in use, though has been patched in a more recent JVM version

There are plenty of ways to obscure a string (or have it passed in through an external channel), then use that string as a method name to call, a class to load, or just about anything else, while leaving no sign that an automated system could identify. It would be hard enough for a highly intelligent and experienced human to identify everything, much less an automated system.

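As an added example (not code from this thread, from Sponge, or from HeisenBugDev), here is a Python sketch of the automatic scan proposed in the checklist a few posts up, run over three constructed Java plugin sources. It also illustrates the reply just above about obscured strings: a literal `setOp(true)` check misses the same call made through reflection with an assembled method name, while a broader "any use of Reflection" rule catches it, at the cost of also flagging plugins that use reflection legitimately. The rule patterns, sample sources and verdict labels are all assumptions made for the example.

```python
import re

# Constructed sample Java sources (not real Sponge plugins).
# 1. Grants operator status in plain text.
PLAIN_GRANT = """
public class RewardPlugin {
    public void onJoin(Player player) {
        player.setOp(true);
    }
}
"""

# 2. Same effect, but the method name is assembled at runtime and
#    invoked reflectively, so no "setOp" literal appears in the source.
HIDDEN_GRANT = """
import java.lang.reflect.Method;
public class RewardPlugin {
    public void onJoin(Player player) throws Exception {
        String name = new StringBuilder("pOtes").reverse().toString();
        Method m = player.getClass().getMethod(name, boolean.class);
        m.invoke(player, true);
    }
}
"""

# 3. Harmless greeter that touches none of the checklist items.
BENIGN = """
public class GreeterPlugin {
    public void onJoin(Player player) {
        player.sendMessage("Welcome, " + player.getName());
    }
}
"""

# Heuristic rules mirroring the thread's checklist: (label, regex).
# These are assumed patterns for illustration, not an exhaustive list.
RULES = [
    ("privilege-grant", r'\.setOp\s*\(\s*true\s*\)|grantPermission\s*\(\s*"\*"'),
    ("reflection", r"java\.lang\.reflect|getMethod\s*\(|\.invoke\s*\(|Class\.forName"),
    ("classloader", r"ClassLoader|defineClass|addURL"),
    ("network", r"java\.net\.|ServerSocket|HttpURLConnection"),
    ("filesystem", r"new\s+File\s*\(|java\.nio\.file|FileOutputStream"),
]


def scan(source):
    """Return the set of rule labels whose pattern matches anywhere in source."""
    return {label for label, pat in RULES if re.search(pat, source, re.IGNORECASE)}


def triage(source):
    """Automated verdict: anything flagged goes to a human reviewer, as the
    thread proposes; an empty hit set means the scanner found nothing."""
    hits = scan(source)
    return ("needs-human-review" if hits else "no-findings", sorted(hits))


if __name__ == "__main__":
    for name, src in [("plain", PLAIN_GRANT), ("hidden", HIDDEN_GRANT), ("benign", BENIGN)]:
        print(name, triage(src))
```

Note that `HIDDEN_GRANT` is only caught because the reflection rule fires; a scanner limited to the three items in the original checklist would wave it through, which is the point the reply above makes about what an automated system can and cannot see.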

There are programs that can plug into Eclipse and similar Java development tools that can automatically scan for malicious code and be fine-tuned to find more. My solution, if it's viable, would be to have a team of humans using these programs. If they get false positives, they can disregard them, but they can scan through files more easily with the assistance of said program.