Return-Path: X-Original-To: apmail-cordova-dev-archive@www.apache.org Delivered-To: apmail-cordova-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2B36410E70 for ; Tue, 10 Feb 2015 19:20:47 +0000 (UTC) Received: (qmail 86843 invoked by uid 500); 10 Feb 2015 19:20:46 -0000 Delivered-To: apmail-cordova-dev-archive@cordova.apache.org Received: (qmail 86811 invoked by uid 500); 10 Feb 2015 19:20:46 -0000 Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cordova.apache.org Delivered-To: mailing list dev@cordova.apache.org Received: (qmail 86793 invoked by uid 99); 10 Feb 2015 19:20:46 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Feb 2015 19:20:46 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of mmocny@google.com designates 209.85.220.175 as permitted sender) Received: from [209.85.220.175] (HELO mail-vc0-f175.google.com) (209.85.220.175) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Feb 2015 19:20:42 +0000 Received: by mail-vc0-f175.google.com with SMTP id hq12so5451176vcb.6 for ; Tue, 10 Feb 2015 11:19:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=P2iqKTT7OUVystE3vnfQTuFEisVwMGaR7iaIHdAZM2U=; b=lsEW9qmWTL5dOWGFJddrCRX1FYdh4XSQ/1HcU6NnrfT5G4FMECOK2er6ospZD/SJuK xJms7iqmmP8ptaUrXAKCq1grz1CJ2SyGP0+sAucdYSnmcJY+C/WdbYYyRhbAzyWqi5lm 0ncpVq8LPN6mmfAg7Gbzv9ADj6TQEik+wonJ2a42HS2o0ECUtr8/P2yM7vw4je0aPYOL skB6IAw9Fma7hTsSkaS7VCHcrFm3ARxrycWO3hf32dlPQiOOm7WnJn/1nP7Kynlax2np BRV98aLI2N9D4MLugSp542iHRwgcvYli5UV5RrrCfST4RvGA8hyfauODEYytQVS58jJh Xv1Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=P2iqKTT7OUVystE3vnfQTuFEisVwMGaR7iaIHdAZM2U=; b=V8FBglpaHULO1ChB65n63MRWJ81Oqhq5gh5ZRtP47sUZ/J4Qv6WBnjr7qA3Mgwc6Cd I1k2tUBidP2cH6F/IhA8+Fi28JQHG6tyZxvHIgnR45nQvNMwDmiC66y48E0XkfzD161K WTM46g929sI79RoSYVofTvztxoh4cVij8CF/I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:content-type; bh=P2iqKTT7OUVystE3vnfQTuFEisVwMGaR7iaIHdAZM2U=; b=fEDmPDc1r9hcQkR4Og2LoB5l15FIfXTXHyT1/QRZ5Z241fnz6XeW8atFGcnmDG08Cl ToJv59VcOYsl1x0DCI4OUarvYNLNIdiBWluQ2gwhCO1J779UAAu4dk4gMeEfiNBkZDgN Fy8cuJulFwKV8tULyL3UYl48WkDtCeALgZh5l88L/7xcKhZgqYZjihD8gtp1BhTDffY4 6llwR6vAFtMackoqovWsGpYa2xBx3X7YDq+QrO9hAc8IaEssclKuktUL56J8wQCuHIE2 GMkjiaUb3obqvYh22AoG9lp3S7n2HsHWMGZNqAYH8dZNC3YRnLLzbJumLRua46+Le6HV tLQw== X-Gm-Message-State: ALoCoQn3wFOxMyq9jNGEc8ByaCnUocPAakOXK2YzU5V9t2jiuaPBGUhqmM8cNUxlSBzTr9Rk2SfK X-Received: by 10.220.84.8 with SMTP id h8mr15903467vcl.66.1423595976713; Tue, 10 Feb 2015 11:19:36 -0800 (PST) MIME-Version: 1.0 Sender: mmocny@google.com Received: by 10.52.227.138 with HTTP; Tue, 10 Feb 2015 11:19:16 -0800 (PST) In-Reply-To: References: From: Michal Mocny Date: Tue, 10 Feb 2015 14:19:16 -0500 X-Google-Sender-Auth: pwl2kwfmPycQQ65N8dIAQSgGtuk Message-ID: Subject: Re: Plugin Install Hooks To: dev Content-Type: multipart/alternative; boundary=047d7b471f067f03b9050ec0c4cc X-Virus-Checked: Checked by ClamAV on apache.org --047d7b471f067f03b9050ec0c4cc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable I meant that the developer is shipping a plugin to the store which end users will run. If the contacts plugin is malicious, it wouldn't be running hooks on the devs machine, it would be uploading users' contacts to some website. You as a developer should vet the plugin to make sure it isn't. At the end of the day, in practice, it just comes down to trust. Download plugins from trusted sources. When there is no trust, you have to sandbox and audit. On Tue, Feb 10, 2015 at 12:22 PM, Horn, Julian C wrote: > Actually I see it the other way around. If you want to trust a plugin, > you can make that decision; it's your machine. The build server doesn=E2= =80=99t > trust the plugins you trust. > > -----Original Message----- > From: mmocny@google.com [mailto:mmocny@google.com] On Behalf Of Michal > Mocny > Sent: Tuesday, February 10, 2015 11:27 AM > To: Michal Mocny > Cc: dev > Subject: Re: Plugin Install Hooks > > ..Not to mention, these plugins will be running on end users' personal > devices. That sounds vastly more concerning than running hooks on a serv= er > you control and can sandbox. > > On Tue, Feb 10, 2015 at 11:25 AM, Michal Mocny > wrote: > > > So, I think this is not different than downloading and running > > packages from any package manager. > > > > That said, I think a --suppress-hooks flag would be fine. I suggest > > you file a JIRA so others can chime in, and if you want it to land > > soon I would take a stab at a PR. > > > > -Michal > > > > On Tue, Feb 10, 2015 at 10:02 AM, Horn, Julian C > > > > wrote: > > > >> Thanks for the pointer Shazron. I read through all of this > >> interesting discussion. I agree that sandboxing is hard and prompting > is problematic. > >> But there's still an issue here. > >> > >> If there is no mechanism to exclude scripting in untrusted plugins > >> then build servers are unlikely to accept any uncurated plugin, which > >> is what PGBuild is doing. The Intel XDK provides a build server. We > >> would like to support arbitrary third party plugins, not just ones we > >> have curated. This install-time hooks feature creates a major > >> security issue for us. Under no circumstances are we going to allow > >> untrusted native code to run on our build server. > >> > >> And thanks to Sergey for pointing out that issue with pre_package hook= s! > >> We were under the impression that project-level hooks could be > >> suppressed by excluding the hooks directory. I see now that this isn't > sufficient. > >> > >> I have a very simple suggestion: add a "--suppress-hooks" flag. This > >> doesn't prompt: it assumes the answer to the prompt is "no". > >> > >> I don't have enough experience with install hooks to know if the > >> plugin is likely to be usable without running the install-time hook. > >> I expect that if you add a plugin that contains an install time hook > >> and --suppress-hooks is present, then the plugin add should fail. If > >> there's some reason to believe that a plugin could be usable without > >> running the install time hook, then maybe it would be interesting to > >> have a variant of --suppress-hooks that bypasses the hook but allows > >> the plugin to be installed anyway. > >> > >> I would also expect that --suppress-hooks would suppress pre_package > >> time hooks too. > >> > >> Julian > >> > >> -----Original Message----- > >> From: Shazron [mailto:shazron@gmail.com] > >> Sent: Monday, February 09, 2015 4:21 PM > >> To: dev@cordova.apache.org > >> Subject: Re: Plugin Install Hooks > >> > >> We did discuss this, and we rejected: > >> 1. Having a prompt > >> 2. Sandboxing > >> > >> Check out the discussion, for reasons: > >> http://markmail.org/message/alknczhqdghaurrw > >> > >> On Mon, Feb 9, 2015 at 8:28 AM, Horn, Julian C > >> > >> wrote: > >> > We have identified a security issue with the recently added feature > >> > of > >> install-time plugin hooks. > >> > > >> > As far as I can tell, there is nothing that prevents creation of a > >> plugin with a malicious install-time hook script. Adding that plugin > >> to a project could corrupt the user's host machine. If that project > >> using that plugin is submitted to a build server, then the build > >> server could be corrupted. > >> > > >> > Yes, you can use lower level plugman scripts to fetch plugins and > >> > then > >> pre-scan them for install time hooks and track down all the > >> dependencies and scan them too. So this is fixable (on a build > >> server), but it's a lot of extra work; "cordova plugin add" should not > be an unsafe operation. > >> > > >> > I propose that the CLI should check to see if a plugin requires an > >> install-time hook and require the user to explicitly grant permission > >> before executing the install hook. A build server would always deny > >> permission. > >> > > >> > Is there something I'm missing here? > >> > > >> > Julian > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org > >> For additional commands, e-mail: dev-help@cordova.apache.org > >> > >> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org > For additional commands, e-mail: dev-help@cordova.apache.org > --047d7b471f067f03b9050ec0c4cc--