Plugin security

Hey all,

A while back I found my first XSS vulnerability in a plugin (I was so proud of my L33t H4ck0r skillz!), and after notifying the creator it was fixed immediately.

However, that got me thinking: There's not a good way yet to keep up to date on security with the plugins you have. Of course, people point out security flaws on the forum, but it's easily missable if you don't read every thread.

Therefore, I was wondering if it would be possible to have a page something like this implemented on this site: https://vanillaforums.org/addons/version?plugins=ButtonBar,Debugger,VanillaStats&VanillaVersion=2.2.1 that returns this JSON (for example):

{
    "plugins": {
        "ButtonBar": "1.1.0",
        "Debugger": "1.0.1",
        "VanillaStats": "2.0.1"
    }
}

It'd be easy to write a plugin then (either by me or the Vanilla Core Team if it's important enough that it's done exactly right) that just checks your active plugins once a week for updates, and notifies you if there are more recent versions.

It can also give information on what forum versions people are using with what plugins.

Is this something you guys can look into if you want to consider implementing such a feature in the future?
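As an added example (not code from the original post and not Vanilla's own code), here is how the client half of that proposal, the plugin that compares what a forum has installed against the directory's answer, could be written. The endpoint, the response shape, the use of `false` for a key the directory does not know, and the sample data are all assumptions taken from this thread:

```php
<?php
// Added example, not Vanilla code. Compares locally enabled plugin versions
// against the JSON the proposed /addons/version endpoint would return.
// Assumptions: the response looks like {"plugins": {"Key": "x.y.z", ...}}
// and a key the directory does not know comes back as false.

/**
 * @param array<string,string> $local plugin key => version installed on this forum
 * @param string               $json  raw response body from the version endpoint
 * @return array<string,string> plugin key => human-readable status
 */
function checkPluginVersions(array $local, string $json): array
{
    $decoded = json_decode($json, true);
    if (!is_array($decoded) || !isset($decoded['plugins']) || !is_array($decoded['plugins'])) {
        // Never act on a response that does not have the expected shape.
        throw new InvalidArgumentException('Unexpected response shape');
    }
    $remote = $decoded['plugins'];
    $result = [];

    foreach ($local as $name => $installed) {
        if (!array_key_exists($name, $remote)) {
            // We asked about it but the server said nothing: treat as unknown, not "current".
            $result[$name] = 'not in response';
            continue;
        }
        $latest = $remote[$name];
        if ($latest === false || !is_string($latest)) {
            // The directory has no entry for this key (e.g. a plugin installed straight from GitHub).
            $result[$name] = 'not in directory';
            continue;
        }
        // version_compare understands "1.0.1" < "1.1.0" and also pre-release tags like "2.0.0-beta".
        $cmp = version_compare($installed, $latest);
        if ($cmp < 0) {
            $result[$name] = "outdated: $installed -> $latest";
        } elseif ($cmp > 0) {
            // Happens when the directory lags behind the repository, as noted later in this thread.
            $result[$name] = "ahead of directory: $installed > $latest";
        } else {
            $result[$name] = 'current';
        }
    }
    return $result;
}

// Constructed sample data: what a forum has enabled, and a constructed response body.
$local = [
    'ButtonBar'      => '1.0.0',
    'Debugger'       => '1.0.1',
    'VanillaStats'   => '2.1.0',
    'MyGithubPlugin' => '0.3',
    'LocalOnly'      => '1.0',
];
$response = '{"plugins":{"ButtonBar":"1.1.0","Debugger":"1.0.1","VanillaStats":"2.0.1","MyGithubPlugin":false}}';

print_r(checkPluginVersions($local, $response));
```

Two things worth knowing before relying on this: `version_compare` treats `"1.0"` as older than `"1.0.0"`, so plugin authors who are sloppy with version strings will produce spurious "outdated" results, and a plugin that is missing from the response must be reported as unknown rather than silently counted as up to date, otherwise a truncated or partial answer from the server looks like good news.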

Comments

  • The addons application is open source and you can see its code on GitHub: https://github.com/vanilla/community/tree/master/applications/addons

    And because it is on GitHub, you can implement that feature and make a pull request. I think this is a great proposal.

    But you can get such information for one single plugin by calling a URL like this: https://vanillaforums.org/addon/pluginname-plugin.json

  • Nice R_J! Wasn't aware that the code was simply available. Nifty.

    Created a pull request with this function:

    public function version($IDstring = '')
    {
        // Comma-separated plugin keys from the query string, e.g. "ButtonBar,Debugger".
        $IDs = explode(',', $IDstring);
        $json = new stdClass();
        $json->plugins = new stdClass();
        foreach ($IDs as $pluginName) {
            // Look the addon up by key through the addons application's AddonModel.
            $Addon = $this->AddonModel->getID([$pluginName, 1]);
            if (is_array($Addon)) {
                $json->plugins->$pluginName = $Addon['Version'];
            } else {
                // Unknown key: return false rather than omitting it, so the caller can tell the two apart.
                $json->plugins->$pluginName = false;
            }
        }
        echo json_encode($json);
    }
    

    That should do the trick, methinks.

  • Admittedly I am new to this, but I wonder if there is an existing function that would either:
    (1) validate that user input does not contain XSS (still requires that plugin developers use this function),
    (2) Vanilla form validation that prevents entering XSS, or
    (3) a database intercept function that removes such XSS before writing anything to the database.

    I may make no sense, so forgive my wondering aloud...

  • River (MVP)
    edited October 2016

    @Caylus said:
    (quoting the original post above in full)

    I think it sounds like a good idea. But there are a few weaknesses, unless I am looking at something different than what you see. Same as with this version checker plugin
    https://vanillaforums.org/addon/versioncheck-plugin, which does a JSON check on the enabled plugins that a user has and compares against the addons section. So the plugin works fine checking against plugins that are in the add-ons section, but if you retrieved the plugin from GitHub or some other source it would not make the check, obviously.

    weaknesses

    • the addons section is not always up to date. Frequently security fixes and bugs are corrected on GitHub, but the add-on section is not updated.
    • the GitHub updates don't always have a version number update, especially with core plugins.
    • core plugins are not in the add-ons section.
    • staff and non-staff plugins are not in the add-ons section, are different versions than the version on GitHub, and may or may not have bug fixes.

    so a JSON comparison against the add-ons section would not work for core plugins, e.g. a security fix in the Tagging plugin would not be found since there is no placeholder in the add-ons section.

    none of these would be compared

    https://github.com/vanilla/vanilla/tree/master/plugins
    or
    https://github.com/vanilla/addons/tree/master/plugins

  • Linc (Admin)
    edited October 2016

    I would love to see a central update-checking system in place. The first priority is to do it for core, then the addon system.

    The biggest consideration is security. Not only does it need to be incredibly robust for the number of requests we'll be getting, but it also needs to be incredibly difficult to compromise in every way. You'd need to consider the myriad ways a system like that could be compromised as you go and make sure there's an extra layer of hurdles set up against each of them.
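The point above about extra hurdles against compromise: as an added example, not Vanilla's code and not something the team described, here is one hurdle a client-side checker can enforce on its own. The client refuses any version list that does not carry a valid Ed25519 signature from a public key pinned in the client, and also refuses a genuine list that is too old to be trusted. The envelope format (`{"payload": "...", "signature": "..."}`), the `generated` field and the two-week freshness window are assumptions for this illustration:

```php
<?php
// Added example, not Vanilla code. The envelope format, the "generated" field
// and the freshness window below are assumptions for this illustration.
// Requires PHP >= 7.2 (the sodium extension is bundled from 7.2 on).

const MAX_LIST_AGE_SECONDS = 14 * 24 * 3600;   // assumption: reject lists older than two weeks

/**
 * Verify and parse a signed version list.
 *
 * @param string $body            raw HTTP response body
 * @param string $pinnedPublicKey Ed25519 public key shipped with the checker
 * @param int    $now             current unix time (a parameter so the age check is testable)
 * @return array<string,string|false> plugin key => latest version, or false if unknown
 */
function verifySignedVersionList(string $body, string $pinnedPublicKey, int $now): array
{
    $envelope = json_decode($body, true);
    if (!is_array($envelope)
        || !isset($envelope['payload'], $envelope['signature'])
        || !is_string($envelope['payload']) || !is_string($envelope['signature'])) {
        throw new RuntimeException('Malformed envelope');
    }
    $sig = base64_decode($envelope['signature'], true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        throw new RuntimeException('Malformed signature');
    }
    // Verify over the exact bytes that were signed, before interpreting them at all.
    if (!sodium_crypto_sign_verify_detached($sig, $envelope['payload'], $pinnedPublicKey)) {
        throw new RuntimeException('Bad signature: refusing version list');
    }
    $payload = json_decode($envelope['payload'], true);
    if (!is_array($payload) || !isset($payload['generated'], $payload['plugins'])
        || !is_int($payload['generated']) || !is_array($payload['plugins'])) {
        throw new RuntimeException('Malformed payload');
    }
    // A correctly signed but stale list could be replayed to hide newer releases; bound its age.
    if ($now - $payload['generated'] > MAX_LIST_AGE_SECONDS) {
        throw new RuntimeException('Version list too old: refusing');
    }
    return $payload['plugins'];
}

// ---- Demo of the server side, with constructed data ----
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);   // stays with whoever publishes the list
$publicKey = sodium_crypto_sign_publickey($keypair);   // pinned in the client plugin

$now     = time();
$payload = json_encode(['generated' => $now, 'plugins' => ['ButtonBar' => '1.1.0', 'Debugger' => '1.0.1']]);
$body    = json_encode([
    'payload'   => $payload,
    'signature' => base64_encode(sodium_crypto_sign_detached($payload, $secretKey)),
]);

// Genuine response: accepted and parsed.
print_r(verifySignedVersionList($body, $publicKey, $now));

// Someone on the path (or a compromised mirror) rewrites a version number; the signature no longer matches.
$tampered = json_encode([
    'payload'   => str_replace('1.1.0', '0.9.0', $payload),
    'signature' => json_decode($body, true)['signature'],
]);
try {
    verifySignedVersionList($tampered, $publicKey, $now);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// A genuine list captured earlier and replayed a month later is rejected on age.
try {
    verifySignedVersionList($body, $publicKey, $now + 30 * 24 * 3600);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

This covers integrity of the list in transit and on whatever host serves it; it does nothing against a stolen signing key, which is why the key should live somewhere other than the web server that answers the requests, and why the client still needs to fetch over HTTPS with certificate verification on so that the pinned key cannot be swapped out along with the response.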

  • Linc (Admin)
    edited October 2016

    I also agree that a critical piece of this is automating (to some extent) how plugins are updated in the directory from our repos. If the newest version isn't on this site, then the checker can't be effective.

  • Thanks for explaining guys! I should've known this was already something you were working on :P