minetest_modding_book/_en/quality/security.md

111 lines
3.5 KiB
Markdown
Raw Normal View History

2018-09-12 18:12:57 +03:00
---
title: Security
layout: default
root: ../..
2018-10-19 16:29:07 +03:00
idx: 7.3
2018-09-12 18:12:57 +03:00
---
## Introduction
Security is very important in making sure that your mod doesn't cause the server
owner to lose data or control.
* [Core Concepts](#core-concepts)
* [Formspecs](#formspecs)
* [Never Trust Submissions](#never-trust-submissions)
* [Time of Check isn't Time of Use](#time_of_check_isnt_time_of_use)
* [(Insecure) Environments](#insecure-environments)
## Core Concepts
The most important concept in security is to **never trust the user**.
Anything the user submits should be treated as malicious.
2018-10-27 05:10:37 +03:00
This means that you should always check that the information they
enter is valid, that the user has the correct permissions,
and that they are otherwise allowed to do that action
(ie: in range or an owner).
2018-09-12 18:12:57 +03:00
A malicious action isn't necessarily the modification or destruction of data,
2018-10-27 05:10:37 +03:00
but can be accessing sensitive data, such as password hashes or
2018-09-12 18:12:57 +03:00
private messages.
This is especially bad if the server stores information such as emails or ages,
which some may do for verification purposes.
## Formspecs
### Never Trust Submissions
Any users can submit almost any formspec with any values at any time.
Here's some real code found in a mod:
```lua
2018-09-24 19:16:00 +03:00
minetest.register_on_player_receive_fields(function(player,
formname, fields)
2018-09-12 18:12:57 +03:00
for key, field in pairs(fields) do
2018-09-24 19:16:00 +03:00
local x,y,z = string.match(key,
"goto_([%d-]+)_([%d-]+)_([%d-]+)")
2018-09-12 18:12:57 +03:00
if x and y and z then
2018-09-24 19:16:00 +03:00
player:set_pos({ x=tonumber(x), y=tonumber(y),
z=tonumber(z) })
2018-09-12 18:12:57 +03:00
return true
end
end
end
```
2018-09-12 18:12:57 +03:00
2018-10-20 04:33:33 +03:00
Can you spot the problem? A malicious user could submit a formspec containing
2018-09-12 18:12:57 +03:00
their own position values, allowing them to teleport to anywhere they wish to.
This could even be automated using client modifications to essentially replicate
the `/teleport` command with no need for a privilege.
The solution for this kind of issue is to use a
2018-10-27 05:10:37 +03:00
[Context](../players/formspecs.html#contexts), as shown previously in
the Formspecs chapter.
2018-09-12 18:12:57 +03:00
### Time of Check isn't Time of Use
Any users can submit any formspec with any values at any time, except where the
engine forbids it:
* A node formspec submission will be blocked if the user is too far away.
* From 5.0 onward, named formspecs will be blocked if they haven't been shown yet.
This means that you should check in the handler that the user meets the
2018-10-27 05:10:37 +03:00
conditions for showing the formspec in the first place, as well as any
corresponding actions.
2018-09-12 18:12:57 +03:00
The vulnerability caused by checking for permissions in the show formspec but not
in the handle formspec is called Time Of Check is not Time Of Use (TOCTOU).
## (Insecure) Environments
Minetest allows mods to request an unsandboxed environment, giving them access
to the full Lua API.
Can you spot the vulnerability in the following?
```lua
2018-09-12 18:12:57 +03:00
local ie = minetest.request_insecure_environment()
ie.os.execute(("path/to/prog %d"):format(3))
```
2018-09-12 18:12:57 +03:00
`String.format` is a function in the global shared table `String`.
A malicious mod could override this function and pass stuff to os.execute:
```lua
2018-09-12 18:12:57 +03:00
String.format = function()
return "xdg-open 'http://example.com'"
end
```
2018-09-12 18:12:57 +03:00
2018-10-27 05:10:37 +03:00
The mod could pass something much more malicious than opening a website, such
2018-09-12 18:12:57 +03:00
as giving a remote user control over the machine.
Some rules for using an insecure environment:
* Always store it in a local and never pass it into a function.
* Make sure you can trust any input given to an insecure function, to avoid the
issue above. This means avoiding globally redefinable functions.