Reduce chances of PHP plugins being malicious

I was wondering what steps you use to keep downloaded plugins from being malicious?

For example, what does WordPress do to ensure that the plugins you download do not simply execute unlink('/')?

I'm assuming it partly depends on the downloader using his or her own discretion when installing plugins, but do plugin systems take measures to minimize the security risk of running 3rd party plugins?

Thanks! Matt Mueller

Matt asked Jan 21 '23 19:01

2 Answers

Simple answer: you can't do this programmatically. Simply can't be done. Certainly Wordpress has a validator of some sort to determine whether the plugin is outright nasty, but there's no way to say for certain that it is safe.

I'm an intern at Mozilla this summer and I'm working on the validator that scans add-ons as they're submitted to addons.mozilla.org. I can only imagine that Wordpress has a very similar tool on their end. The idea is that the app outright rejects blatantly malicious code (eval("evil nasty code");), while the rest of it is analyzed with some simple heuristics. The algorithms in place mark down some potential red flags based on what it sees in the add-on package and submits those notes to the editors, who then review the code. It effectively ends up being a human-powered process, but the software helps to take care of a lot of the heavy lifting.

Some techniques that the Mozilla validator uses:

  • Syntax checking
  • Code and markup parsing (HTML/CSS) to find remote code vulnerabilities
  • Javascript parsing and analysis (parse the JS to an AST tree and analyze each statement, evaluating static expressions as deeply as possible)
  • Compatibility/deprecation testing

You can check out the code here:

http://github.com/mattbasta/amo-validator

Hope this helps!

mattbasta answered Jan 30 '23 02:01

unlink('/') won't do any harm since it only deletes files, you would have to use rmdir or more precisely a recursive rmdir implementation. I don't think there is any way to prevent malicious code from being executed because there are many ways of being malicious. You can restrict certain functions from being called in php.ini but that will only help you to a certain point. For instance, str_repeat and unserialize are common functions but if called with the right arguments they can exhaust all the memory allocated to your PHP scripts in no time. But this is only an example, a more nefarious one could act as a backdoor or email all the logins to the developer. I guess in the end you'll have to trust the developer and the community if you don't want to audit the code by yourself.

Alix Axel answered Jan 30 '23 01:01
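Both answers describe the same two layers: a heuristic validator that flags risky calls and folds static expressions for a human reviewer (mattbasta's answer), and a php.ini `disable_functions` setting that only stops part of what the scanner finds (Alix Axel's answer). The script below is an added example written for this page; it is not WordPress's, Mozilla's, or the amo-validator's code. It uses regular expressions rather than a real PHP parser, the severity labels are an assumption made for the example, and the two sample "plugins" are constructed (the base64 payload in the shady one decodes to a harmless `echo`).

```python
"""Heuristic scanner for PHP plugin source, in the spirit of the validators
described in the answers above: flag risky calls for a human reviewer, fold
trivial constant expressions, and show which findings a php.ini
disable_functions line would actually stop. Added example, not any
project's own code; the sample plugins below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Calls worth a reviewer's attention. Severity labels are an assumption
# made for this example, not any project's official classification.
RISKY_CALLS = {
    "eval": "high", "assert": "high", "create_function": "high",
    "exec": "high", "shell_exec": "high", "system": "high",
    "passthru": "high", "proc_open": "high", "popen": "high",
    "unlink": "medium", "rmdir": "medium", "file_put_contents": "medium",
    "base64_decode": "low", "unserialize": "low", "str_repeat": "low",
}

STR = r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\""          # PHP string literal
NOISE_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*|" + STR, re.S)
CALL_RE = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")  # plain function call
VARCALL_RE = re.compile(r"(\$\w+)\s*\(")                   # $var(...) call
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*((?:%s)(?:\s*\.\s*(?:%s))*)\s*;" % (STR, STR))
EVAL_B64_RE = re.compile(r"\beval\s*\(\s*base64_decode\s*\(")  # classic obfuscation

# Constructed sample plugins (not real plugins).
SAMPLE_PLUGINS = {
    "clean-plugin.php": '''<?php
/* Plugin Name: Greeter (constructed sample) */
function greeter_render($name) {
    // "eval" in a comment or string must not be flagged
    return "Hello, " . htmlspecialchars($name) . " -- no eval() here";
}
''',
    "shady-plugin.php": '''<?php
function shady_init() {
    $payload = "ZWNobyAnaGknOw==";
    eval(base64_decode($payload));
    system("uname -a");
    unlink("/tmp/cache.dat");
    $f = "ex" . "ec";
    $f("id");
    str_repeat("A", 1 << 30);  // memory exhaustion, as in the second answer
}
''',
}


@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    severity: str


def strip_noise(src: str) -> str:
    """Blank out comments and string-literal bodies, keeping newlines so
    that line numbers in findings still point at the original source."""
    def blank(m: "re.Match") -> str:
        text = m.group(0)
        newlines = "\n" * text.count("\n")
        return ("''" + newlines) if text[0] in "'\"" else (" " + newlines)
    return NOISE_RE.sub(blank, src)


def fold_string_assignments(src: str) -> Dict[str, str]:
    """Resolve `$v = 'ex' . 'ec';` to {'$v': 'exec'}: a minimal version of
    the static-expression evaluation a real validator does on an AST."""
    consts: Dict[str, str] = {}
    for m in ASSIGN_RE.finditer(src):
        parts = re.findall(STR, m.group(2))
        consts[m.group(1)] = "".join(p[1:-1] for p in parts)
    return consts


def scan(src: str) -> List[Finding]:
    """Return risky calls, dynamic calls and obfuscation signatures, sorted
    by line, for a human reviewer to look at."""
    code = strip_noise(src)
    consts = fold_string_assignments(src)
    found: List[Finding] = []

    def line_of(pos: int) -> int:
        return code.count("\n", 0, pos) + 1

    for m in CALL_RE.finditer(code):
        name = m.group(1).lower()
        if name in RISKY_CALLS:
            found.append(Finding(line_of(m.start()), name, RISKY_CALLS[name]))
    for m in VARCALL_RE.finditer(code):
        target = consts.get(m.group(1), "").lower()
        if target in RISKY_CALLS:       # folded to a known risky function
            found.append(Finding(line_of(m.start()), target, RISKY_CALLS[target]))
        else:                           # could not fold: still needs a human look
            found.append(Finding(line_of(m.start()), "<dynamic call>", "medium"))
    for m in EVAL_B64_RE.finditer(code):
        found.append(Finding(line_of(m.start()), "eval(base64_decode())", "critical"))
    return sorted(found, key=lambda f: (f.line, f.name))


def apply_disable_functions(findings: List[Finding], ini_value: str) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into those a php.ini `disable_functions` value blocks
    at runtime and those it cannot touch. `eval` is a language construct,
    not a function, so disable_functions never covers it."""
    disabled = {f.strip().lower() for f in ini_value.split(",") if f.strip()}
    blocked = [f for f in findings if f.name in disabled and f.name != "eval"]
    remaining = [f for f in findings if f not in blocked]
    return blocked, remaining


if __name__ == "__main__":
    ini = "exec,system,shell_exec,passthru,proc_open,popen"  # constructed php.ini value
    for plugin, source in SAMPLE_PLUGINS.items():
        findings = scan(source)
        blocked, remaining = apply_disable_functions(findings, ini)
        print(f"{plugin}: {len(findings)} finding(s), {len(blocked)} blocked by disable_functions")
        for f in remaining:
            print(f"  line {f.line}: {f.name} [{f.severity}] -> needs human review")
```

Run as-is, the clean plugin produces no findings, while the shady one yields seven: the `disable_functions` value stops `system` and the folded `$f("id")` call to `exec`, but `eval`, the `eval(base64_decode(...))` signature, `unlink` and the `str_repeat` memory bomb all fall through to the reviewer, which is the "only helps to a certain point" limit the second answer describes. A real validator would replace the regexes with a proper parser and evaluate far more than string concatenation, but the shape is the same: the tool narrows the list, a person makes the call.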