Comments (9)
To clarify:
the issue with arbitrary load() is that you can swap the code from under the user
you could release a mod loading a remote .JS
which is fine for the first month
then once you have a decent amount of downloads swap it to something "fun" (or a hypothetical attacker could)
(Also, file:// works, which opens its own can of worms.)
EDIT: Again: this can all be done with a regular mod. But coremods are supposed to only allow ASM-related operations, so I consider this a bug at the very least.
from coremods.
To re-iterate, because of all the FUD and people not understanding what words mean:
THIS DOESN'T LET YOU DO ANYTHING MORE THAN A NORMAL MOD WOULDN'T ANYWAY.
The principial reason I consider this a bug is because the coremod API promises to be sandboxed, and this - in my opinion, at least - breaks the conceptual limitations of said sandbox. Additionally, it's a bit more sneaky (especially with JS obfuscation) than downloading Java code off the Internet using "normal mod code".
from coremods.
Yup, load should be removed. I will fix that the next couple of days. But also, yes, mods have always been able to download stuff from the internet. Generally, those that do get discovered, and identified quickly. Disabling all connectivity from mods would be complicated and isn't something we're going to do.
from coremods.
(While at it, quit() should be removed or replaced as well - right now it just quits the runtime)
I'd rather have forge catch that and log an error / show an error message onscreen instead of just removing quit
.
from coremods.
An easy way to test this is with the following in a coremod.js file
load("https://gist.githubusercontent.com/modmuss50/66db108d07d53fd371b3b3f2326d3d76/raw/396510d7b290efea9e5643917e01fa4f848a97ab/example.js")
check the log for the following:
[19:26:32.198] [main/DEBUG] [CoreMod/]: Loading CoreMod from C:\Users\mark\Documents\Games\Minecraft\1.13.2\TechReborn\build\resources\main\coremod2.js
hello internet
[19:26:32.593] [main/ERROR] [CoreMod/]: Error occurred initializing CoreMod
java.lang.NoSuchMethodException: No such function initializeCoreMod
at jdk.nashorn.api.scripting.ScriptObjectMirror.callMember(ScriptObjectMirror.java:204) ~[nashorn.jar:?]
at jdk.nashorn.api.scripting.NashornScriptEngine.invokeImpl(NashornScriptEngine.java:386) ~[nashorn.jar:?]
at jdk.nashorn.api.scripting.NashornScriptEngine.invokeFunction(NashornScriptEngine.java:190) ~[nashorn.jar:?]
at net.minecraftforge.coremod.CoreMod.initialize(CoreMod.java:32) ~[coremods-0.4.0.jar:0.4.0+17+382fa40]
at net.minecraftforge.coremod.CoreModEngine.initialize(CoreModEngine.java:59) ~[coremods-0.4.0.jar:0.4.0+17+382fa40]
at java.util.ArrayList.forEach(ArrayList.java:1257) ~[?:1.8.0_181]
at net.minecraftforge.coremod.CoreModEngine.initializeCoreMods(CoreModEngine.java:53) ~[coremods-0.4.0.jar:0.4.0+17+382fa40]
at net.minecraftforge.coremod.CoreModProvider.getCoreModTransformers(CoreModProvider.java:17) ~[coremods-0.4.0.jar:0.4.0+17+382fa40]
at net.minecraftforge.fml.loading.FMLServiceProvider.transformers(FMLServiceProvider.java:126) ~[forge-1.13.2-25.0.70_mapped_snapshot_20190222-1.13.1-launcher.jar:25.0]
at cpw.mods.modlauncher.TransformationServiceDecorator.gatherTransformers(TransformationServiceDecorator.java:49) ~[modlauncher-0.12.0.jar:?]
at cpw.mods.modlauncher.TransformationServicesHandler.lambda$initialiseServiceTransformers$5(TransformationServicesHandler.java:62) ~[modlauncher-0.12.0.jar:?]
at java.util.HashMap$Values.forEach(HashMap.java:981) [?:1.8.0_181]
at cpw.mods.modlauncher.TransformationServicesHandler.initialiseServiceTransformers(TransformationServicesHandler.java:62) [modlauncher-0.12.0.jar:?]
at cpw.mods.modlauncher.TransformationServicesHandler.initializeTransformationServices(TransformationServicesHandler.java:34) [modlauncher-0.12.0.jar:?]
at cpw.mods.modlauncher.Launcher.run(Launcher.java:51) [modlauncher-0.12.0.jar:?]
at cpw.mods.modlauncher.Launcher.main(Launcher.java:42) [modlauncher-0.12.0.jar:?]
at net.minecraftforge.userdev.UserdevLauncher.main(UserdevLauncher.java:81) [forge-1.13.2-25.0.70_mapped_snapshot_20190222-1.13.1-recomp.jar:?]
You can see it fails to find the initializeCoreMod
method, but above that it runs the js file from online. The game continues to start after this.
from coremods.
This is another deadly example of CVE-200103891 — "Code execution results in code execution"
This vulnerability must be immediately patched!
More seriously — mods aren't sandboxed at all, and the very existence of the coremod system/bytecode patching, unrestricted reflection, and Minecraft having no care taken toward it as far as security goes makes anything even adjacent to this a completely moot point. Mods can already download a URL and execute it, directly or indirectly. Coremods being able to do it should surprise no-one. (I've been out-of-the-loop for a bit but I doubt Forge has grown an entire sandbox in the ~month I've been gone.)
Better issue: "load() API left enabled, and its only use is making code less readable; should be removed". URL and URLConnection work. You can "exploit" this "vulnerability" with an if
. File works as well.
from coremods.
I personally think the ability to load remote scripts is fine. It's only as problematic as general mods utilizing remote code/scripts/data at runtime to determine how they behave. And a benefit to network loading here would be the ability to push immediate hotfixes for bugs in your asm to clients and servers, which I feel could be quite useful.
from coremods.
Its not the end of the world, mods have been able to do this since the start of time. However the js coremod system was supposed to be more "locked down". This makes it a lot easier for people to make online coremods, in the past it would require a fair amount of work.
Due to how easy it is to prevent this I think it should be removed, but its nothing to worry about. At the end of the day you should trust what code you are downloading from the internet.
from coremods.
I think the issue still is allowing to execute remote JavaScript code; even if mods can do it normally, at least it takes a minimum of effort, and doesn't happen in a stage deliberately designed to be sandboxed off. Auto-updates should never happen to something as touchy as coremods.
Perhaps I have not communicated it correctly (I thought it's obvious you can still do this with regular old mods), but then if I hadn't tried people would have ragged on me for not reporting a potential security issue... whatever...
from coremods.
Related Issues (20)
- There is no way to remap names
- No way to see the final result of a transform HOT 2
- No way to tell if the coremod is in a developer environment HOT 1
- Cannot instantiate InsnList
- Update ASM to 7
- Include an up to date version of Nashorn HOT 1
- CCE when applying transformers HOT 2
- Printing instruction list for debugging/troubleshooting HOT 12
- Allow remapping class names HOT 3
- Some ASM methods are not usable without access to some Java types HOT 2
- Nashorn has been removed for Java 15 HOT 13
- No way to check type of LDC?
- ASMAPI.getSystemPropertyFlag using wrong Boolean conversion HOT 2
- ASMAPI#findFirstInstructionBefore ignores startIndex parameter
- Potential security problem(s) HOT 2
- ClassNode is not on the allowed class list
- Error about fluid flowing block during load on server HOT 4
- Would like a way to create LDC with a float value
- Nashorn exposes java, javax, javafx, com, edu, org packages for scripts by default HOT 7
- loadWithNewGlobal and exit functions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from coremods.