
Ability to warn plugin users of vulnerabilities

Open codeHusky opened this issue 6 years ago • 7 comments

As a developer, I'd prefer to be able to, on an opt-out basis, let all my users know if there is currently a critical exploit or bug in HuskyCrates, which would allow them to act appropriately to resolve the situation. If this system was through ore's update checking part of the api, it would be even better.

This all could get lumped into an "upcoming" version, which could contain other bits and pieces of data in the future within the api if it seemed necessary.

codeHusky avatar Feb 28 '18 02:02 codeHusky

Proposing #462 as a potential solution.

mbax avatar Feb 28 '18 05:02 mbax

462 doesn't solve the issue of warning the second a bug is reported that's rather critical to server owners to know. A developer should be able to communicate that there's a serious issue with the plugin, what it is and how to address it for the time being.

codeHusky avatar Feb 28 '18 05:02 codeHusky

If your plugin checks hourly, that's surely sufficient in promptness?

mbax avatar Mar 01 '18 00:03 mbax

If a developer wants to tell users there is an update, they can do that on their own. I think that's outside the scope of Ore except for the API we provide.

phase avatar Mar 01 '18 08:03 phase

Update checking is to be done only via Ore, thus my question above :)

mbax avatar Mar 02 '18 03:03 mbax

@mbax This isn't purely update checking, is my point.

An issue can be reported, but it can take a day or two to actually get fixed. Notifying servers immediately on discovery of an exploit so they can monitor for it is rather important, and I'd like to be able to do that.

codeHusky avatar Mar 02 '18 03:03 codeHusky

So, you want to alert everyone that there's an exploit they can take advantage of? I don't feel it's necessary for the Ore API or the Ore guidelines to help you in that quest. :P

More seriously, the following is a strong proposal that allows for prompt notification without carrying additional risk:

  1. Ore allows tagging files with type of update (Can choose between 0 and all tags)
    • Bug fix
    • Feature update
    • Security patch
  2. Ore API contains this information.
  3. Sponge review team, if contacted by a dev about a security emergency, immediately reviews (out of normal order) file fixing security problem.
  4. Ore plugin, checking regularly the status of files, can notice that between the server's version of the plugin and the latest approved file there exists a security patch.
    • Ore plugin then can alert the user with this important information, and can encourage updating ASAP.

This proposal provides fast notification while avoiding the following:

  • Plugin developer sends custom notice "Security patch available get it here" linking to unapproved file or off-site file.
  • Information about security hole comes out before file is approved.

This also has the added benefit of, with just a few easily translatable terms, supporting users with limited English language skills (both devs communicating the fact that they have a security patch and users reading that they have a security patch available). :+1:

mbax avatar Mar 02 '18 03:03 mbax
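The check in step 4 of the proposal above, written out as an added example. This is not Ore's or the Ore plugin's own code, and the `PluginFile` record, the tag spellings and the sample file list are constructed for the example rather than taken from the real Ore API: the point is the decision logic, i.e. only an approved file newer than the installed version and tagged as a security patch triggers the alert, so a pending upload or a developer's off-site link never does.

```python
"""Added example: deciding whether to raise the proposal's security notice.

The record layout, tag names and sample data below are assumptions made for
this example; they are not the Ore API's real response format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The three fixed, translatable update tags from the proposal.
BUG_FIX = "bug_fix"
FEATURE_UPDATE = "feature_update"
SECURITY_PATCH = "security_patch"
KNOWN_TAGS = frozenset({BUG_FIX, FEATURE_UPDATE, SECURITY_PATCH})


@dataclass(frozen=True)
class PluginFile:
    """One uploaded file as the check sees it (assumed shape, not Ore's)."""
    version: str                 # e.g. "1.4.1"
    approved: bool               # set by the Sponge review team, not the dev
    tags: frozenset = frozenset()  # zero or more of KNOWN_TAGS

    def __post_init__(self) -> None:
        # Reject free-form tags: the proposal relies on a closed vocabulary.
        unknown = self.tags - KNOWN_TAGS
        if unknown:
            raise ValueError(f"unknown update tags: {sorted(unknown)}")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.10.0" into (1, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def security_patches_since(installed: str, files: Iterable[PluginFile]) -> List[PluginFile]:
    """Approved files newer than `installed` that carry the security tag, oldest first.

    Unapproved files are ignored on purpose: the notice must only fire once
    the review team has looked at the fix, so nothing leaks before approval.
    """
    current = parse_version(installed)
    hits = [
        f for f in files
        if f.approved and SECURITY_PATCH in f.tags and parse_version(f.version) > current
    ]
    return sorted(hits, key=lambda f: parse_version(f.version))


def advisory(plugin: str, installed: str, files: Iterable[PluginFile]) -> Optional[str]:
    """Message to show the server owner, or None when no notice is warranted."""
    files = list(files)
    patches = security_patches_since(installed, files)
    if not patches:
        return None
    newest_patch = patches[-1].version
    latest_approved = max(
        (f for f in files if f.approved), key=lambda f: parse_version(f.version)
    ).version
    return (
        f"[{plugin}] SECURITY PATCH AVAILABLE: running {installed}, "
        f"a security patch was released in {newest_patch}; "
        f"latest approved file is {latest_approved}. Update as soon as possible."
    )


# Constructed sample data: 1.5.0 is tagged as a security patch but is still
# waiting for review, so it must not produce a notice yet.
SAMPLE_FILES = [
    PluginFile("1.4.0", approved=True, tags=frozenset({BUG_FIX})),
    PluginFile("1.4.1", approved=True, tags=frozenset({BUG_FIX, SECURITY_PATCH})),
    PluginFile("1.4.2", approved=True, tags=frozenset({FEATURE_UPDATE})),
    PluginFile("1.5.0", approved=False, tags=frozenset({SECURITY_PATCH})),
]

if __name__ == "__main__":
    for running in ("1.4.0", "1.4.2"):
        print(running, "->", advisory("HuskyCrates", running, SAMPLE_FILES))
```

Two details worth keeping when porting this into a real update checker: compare versions numerically (a string compare would rank "1.9.9" above "1.10.0"), and treat the tag set as a closed vocabulary so the alert text stays translatable and a developer cannot smuggle an arbitrary message through it.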