cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Horn, Julian C" <julian.c.h...@intel.com>
Subject RE: Plugin Install Hooks
Date Tue, 10 Feb 2015 15:02:30 GMT
Thanks for the pointer Shazron.  I read through all of this interesting discussion.  I agree
that sandboxing is hard and prompting is problematic.  But there's still an issue here.

If there is no mechanism to exclude scripting in untrusted plugins then build servers are
unlikely to accept any uncurated plugin, which is what PGBuild is doing.  The Intel XDK provides
a build server.  We would like to support arbitrary third party plugins, not just ones we
have curated.  This install-time hooks feature creates a major security issue for us. Under
no circumstances are we going to allow untrusted native code to run on our build server.

And thanks to Sergey for pointing out that issue with pre_package hooks!  We were under the
impression that project-level hooks could be suppressed by excluding the hooks directory.
I see now that this isn't sufficient.

I have a very simple suggestion: add a "--suppress-hooks" flag.  This doesn't prompt: it assumes
the answer to the prompt is "no".

I don't have enough experience with install hooks to know if the plugin is likely to be usable
without running the install-time hook.  I expect that if you add a plugin that contains an
install time hook and --suppress-hooks is present, then the plugin add should fail.  If there's
some reason to believe that a plugin could be usable without running the install time hook,
then maybe it would be interesting to have a variant of --suppress-hooks that bypasses the
hook but allows the plugin to be installed anyway.

I would also expect that --suppress-hooks would suppress pre_package time hooks too.

    Julian

-----Original Message-----
From: Shazron [mailto:shazron@gmail.com] 
Sent: Monday, February 09, 2015 4:21 PM
To: dev@cordova.apache.org
Subject: Re: Plugin Install Hooks

We did discuss this, and we rejected:
1. Having a prompt
2. Sandboxing

Check out the discussion, for reasons:
http://markmail.org/message/alknczhqdghaurrw

On Mon, Feb 9, 2015 at 8:28 AM, Horn, Julian C <julian.c.horn@intel.com> wrote:
> We have identified a security issue with the recently added feature of install-time plugin
hooks.
>
> As far as I can tell, there is nothing that prevents creation of a plugin with a malicious
install-time hook script.  Adding that plugin to a project could corrupt the user's host machine.
 If that project using that plugin is submitted to a build server, then the build server could
be corrupted.
>
> Yes, you can use lower level plugman scripts to fetch plugins and then pre-scan them
for install time hooks and track down all the dependencies and scan them too.  So this is
fixable (on a build server), but it's a lot of extra work; "cordova plugin add" should not
be an unsafe operation.
>
> I propose that the CLI should check to see if a plugin requires an install-time hook
and require the user to explicitly grant permission before executing the install hook.  A
build server would always deny permission.
>
> Is there something I'm missing here?
>
>     Julian

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org

Mime
View raw message