When I get custom plugins made, who can I get to check them for me?

Discussion in 'Spigot Discussion' started by YepImRobbie, Jun 16, 2015.

  1. Is there an authoritative Spigot staff member that could check plugins to see if there isn't any bugged/malicious code and verify it's safe for use? Even for payment, I don't know. :p
     
  2. Maximvdw is currently working on a system that checks for malicious code
     
  3. Just look for a dev you could trust
     
  4. Ask for the source code, look for any instance of code where it checks their name/UUID and where it issues commands.
     
  5. If I did not understand the code, what can I do?
    It's a very interesting question; you need to look for a dev you could trust, because it's the only way.
     
  6. If you'd like, I'd happily look for any backdoor code and walk you through it over Skype.
     
  7. As someone that worked at BukkitDev for years and helped come up with ideas to help proactively catch malicious code yet we still just reviewed everything manually, good frickin luck.
     
  8. His system does catch the blatant setOp though, and it already caught 2 plugins afaik (@Maximvdw)
     
  9. Maximvdw

    9*, and 3 that are semi-malicious (silent joins for authors etc.) <- haven't reported those
    It's true it won't detect them all, it never will. Even human checking is not bulletproof, but every bit helps.
     
  10. I expected I would get this response.

    Trust isn't enough for me, sure - I certainly wouldn't care for verification if md_5 developed for me, but I've had too many past experiences to just let trust be the overall factor.
     
  11. Maximvdw

    Well, depending on how large it is I could check it for free (manually) :p
     
  12. I love you kind sir. :p
     
  13. If the developer allows you to take a look into the code, use a Java decompiler and look through the classes and the code in general; you don't need any good knowledge of Java to understand malicious code. Just look for words like OP etc.
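    The "look for words like OP" and "check where it issues commands / checks a name or UUID" advice from the posts above, as an added example that is not from anyone in this thread: a small triage script that opens a plugin jar and flags .class entries whose constant pool contains those strings. The jar it scans is constructed inline; the UUID in it is a made-up value. As Maximvdw notes, this only catches the blatant cases, since obfuscated or encrypted strings won't match.

```python
import io
import re
import zipfile

# Strings in a Bukkit/Spigot plugin that deserve a manual look before you run it:
# op handling, console command execution, and a hard-coded player UUID.
# ASCII strings in a class file's constant pool are stored as plain bytes,
# so a byte-level search over the .class entry is enough for a first triage.
INDICATORS = {
    "setOp": re.compile(rb"setOp"),
    "dispatchCommand": re.compile(rb"dispatchCommand"),
    "hardcoded UUID": re.compile(
        rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    ),
}


def scan_jar(jar_bytes):
    """Return {class entry: [indicator names]} for every .class file that matches."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
            if found:
                hits[name] = found
    return hits


def build_sample_jar():
    """Constructed sample jar: two fake .class entries (magic number plus
    the kind of strings a constant pool would hold), not a real compiled plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: Example\nmain: com.example.Main\n")
        jar.writestr("com/example/Main.class",
                     b"\xca\xfe\xba\xbe" + b"onEnable" + b"getLogger")
        # Hook.class carries a hard-coded (made-up) UUID, setOp and dispatchCommand.
        jar.writestr("com/example/Hook.class",
                     b"\xca\xfe\xba\xbe" + b"00000000-1111-2222-3333-444444444444"
                     + b"setOp" + b"dispatchCommand")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_jar(build_sample_jar()).items():
        print(f"{entry}: review manually ({', '.join(reasons)})")
```

    A hit is a reason to open that class in a decompiler, not proof of a backdoor; plugins with legitimate admin features will trigger it too.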
     
  14. That also leads me onto another question, apart from force-op what is the absolute worst someone could do with a plugin, that might be quite broad?
     
  15. Another possibility is, they might get access to your root files. And yes, it is possible to do this if you're running your server as root.
     
  16. If you still want help, I can look over it.
     
  17. Ok, even better reason to get it reviewed, jesus christ.
     
  18. new File(".").delete();
    (off the top of my head, no hate pls)
    Oh shit, that's all your server files gone.
     
  19. Well, as a developer I can check plugins I use myself, and I always wonder how much server owners/administrators trust all these developers...
    I myself wouldn't trust software checking plugins; there are too many creative people inventing new ideas to harm you. However, I'd still appreciate such software as it's still better than nothing (except if it has many false positives...).

    Depending on the plugin's size, there are probably many devs (look in the hiring/offering developers section) that will check your plugin for vouches or a little money.
    Staff members already dedicate so much time to Spigot, I can't imagine they'd do something like this for free...

    You can also test the plugin locally in a VM and see what internet connections it opens, what files it deletes, etc.
    Also, your MC server process (java) should always run as a user with hardly any permissions, so a malicious plugin could only destroy your server (which you should back up), but not the entire system.
     
  20. I check quite a few plugins for people all the time. Feel free to just add me on Skype (can be found on my profile here). I can do them for free whenever I have time, as long as it doesn't become a really huge time commitment.

    Though on the topic, you should just hire trustworthy people, keep offsite backups, not run servers on root, and use a contract that says malicious / DRM code can't be added.
     