5E Product Walkthrough Playlist
Page 1 of 2 12 Last
  1. #1

    Security of file URL

    Having just read the latest notes I see that file URLs are again supported.

    [DEV] Well-formed file URLs are supported as long as they point to a location within the FG data folder.

    As the original reporter of the security flaws that allowed arbitrary execution of malicious activities I am again concerned. How do the current changes prevent download of a malicious tool and execution of that tool from the FG data folder. Please just comment on the protections provided by SW (not OS related/Antivirus).

    Thanks,
    Jason

  2. #2
    The user must specifically allow file URLs to be called; just like for any other URL. In addition, we limited to only within the FG data folder; since that is something that the user has control over what they install.

    Regards,
    JPG

  3. #3
    Please reconsider this decision. Most people will accept such prompts especially if it seems safe.

    Jason

  4. #4
    We don't allow inclusion of executables via the Forge, nor allow inclusion of any executables within our store products. So, there is no mechanism to place executable files with the FG data folder space, unless they are placed there specifically by the user, which we have no control over.

    Regards,
    JPG

  5. #5
    ddavison's Avatar
    Join Date
    Sep 2008
    Posts
    6,123
    Blog Entries
    21
    Users requested the ability to use file urls to play sounds from local sources. To protect this, we limit it to locations within the FG Data folder. As Moon Wizard states, there are no EXEs in this location unless the end-user manually places them there. If they do this, then the end user actually wants them there for a specific reason. There is no mechanism for another external user to place executable files onto your system's FG Data Folder and then call it.

    The first time each session that a File URL is requested, the end user will receive a prompt showing them what is being requested and they can approve or deny it for the session.

  6. #6
    All I can say is that SW has been made aware of this issue (ie are on notice). They will have no defence to their negligence if they choose to do nothing. The corporate veil will not protect owners/etc from personal liability in such cases. So you are certainly allowed to do as you please but I know I can create a module that can do a lot of damage and I am making you aware that such a danger exists. To be clear, I am not making any threat. I am simply making you aware that a danger exists and you should do something to negate that risk.

    Jason

  7. #7
    ddavison's Avatar
    Join Date
    Sep 2008
    Posts
    6,123
    Blog Entries
    21
    There is no negligence -- only user choice.

    You raised the security concern of allowing FILE URL access. We removed this feature and restricted URL's to non-file based URLs (which also could have security risks). Other users complained that they would like the option to use FILE URLs despite the risks, so we added them back in with the additional requirement that FILE URLs would only work within the FG data folder and not from anywhere else.

    Each request requires the user to allow such a request for that session for the domain or for FILE URL access and this permission needs to be renewed for each and every session. Running any extension involves risk and you should only ever install and run extensions from sources you trust. The Forge system allows LUA code, but not executables. Bad LUA code could damage FG files and databases for campaigns. Our Forge system has a EULA that states that there is no liability assumed for any software delivered through the Forge. The relevant sections are shown below from the EULA that has to be agreed upon before using anything on the Forge.

    NO OTHER WARRANTIES. SMITEWORKS DOES NOT WARRANT THAT THE SOFTWARE IS ERROR
    FREE. THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
    INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
    NONINFRINGEMENT OF THIRD PARTY RIGHTS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES
    OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY MAY LAST, OR THE EXCLUSION OR LIMITATION OF INCIDENTAL OR
    CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU
    SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION.

    NO LIABILITY FOR CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL SMITEWORKS OR ITS
    SUPPLIERS BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, SPECIAL, INCIDENTAL OR INDIRECT DAMAGES OF ANY KIND
    ARISING OUT OF THE DELIVERY, PERFORMANCE OR USE OF THE SOFTWARE, EVEN IF SMITEWORKS HAS BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL SMITEWORKS' LIABILITY FOR ANY CLAIM, WHETHER IN CONTRACT,
    TORT OR ANY OTHER THEORY OF LIABILITY, EXCEED THE LICENSE FEE PAID BY YOU, IF ANY.

    In addition, Crafters on the Forge, and items, go through a Moderation and approval stage. The Crafter is ultimately responsible and liable for any damage. We recommend that all users get content from the FG Forge and not from other untrusted sources.

    The Crafter section that is relevant is here:
    9) Indemnification.
    Crafter shall defend and indemnify SmiteWorks from and against any claims, suits, loss and damage (including reasonable attorney's fees) incurred by SmiteWorks and arising out of or relating to the distribution or use of the Licensed Products by SmiteWorks or Crafter.

  8. #8
    LOL. Unlike you, I am a lawyer. Not your lawyer but certainly you can do as you please. If you want to hire me to produce a proof of concept I'm sure we could come to some arrangement by email. You have my email.

    Jason
    Last edited by jharp; May 26th, 2022 at 03:19.

  9. #9
    I come at this from a different angle. I'm not a lawyer but I have spent years in IT and project delivery. Security is always a trade-off against accessibility and the line has to be drawn somewhere.

    I get where you're coming from Jason and I thank you for raising the initial issue. I really didn't think about it at the time but it would definitely be possible, under the old way, to write an extension that could mine sensitive data or call executables from elsewhere on the computer that could do a hell of a lot of damage. On the other hand, this new limitation broke a lot of extensions, two of which are absolutely critical for me. One, I could replace (although not easily). The other is so fundamentally game-breaking for me that I genuinely considered whether it was time to move to another platform.

    I'm happy to accept a warning each time I use the system.
    www.accidentaldm.com - The diary of a Newbie DM

  10. #10
    Quote Originally Posted by Rylan Storm View Post
    I come at this from a different angle. I'm not a lawyer but I have spent years in IT and project delivery. Security is always a trade-off against accessibility and the line has to be drawn somewhere.

    I get where you're coming from Jason and I thank you for raising the initial issue. I really didn't think about it at the time but it would definitely be possible, under the old way, to write an extension that could mine sensitive data or call executables from elsewhere on the computer that could do a hell of a lot of damage. On the other hand, this new limitation broke a lot of extensions, two of which are absolutely critical for me. One, I could replace (although not easily). The other is so fundamentally game-breaking for me that I genuinely considered whether it was time to move to another platform.

    I'm happy to accept a warning each time I use the system.
    Rylan,

    My background, like yours, is IT. I've spent 20 years as a systems administrator for large backend systems. Law is a second career, so I agree it is a balance, I am not opposed to the FileURL api existing. It is a very useful mechanism. With a bit more code I'm sure my concerns will be eliminated.

    Jason

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
FG Spreadshirt Swag

Log in

Log in