New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add confirmation for 3rd party repos #4654
Merged
thornbill
merged 10 commits into
jellyfin:release-10.8.z
from
joshuaboniface:additionalPluginVerification
Jul 1, 2023
Merged
Add confirmation for 3rd party repos #4654
thornbill
merged 10 commits into
jellyfin:release-10.8.z
from
joshuaboniface:additionalPluginVerification
Jul 1, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds a confirmation similar to the one performed during plugin installation, when adding a 3rd party repository. The safe domain is hardcoded to be "repo.jellyfin.org" as this is very stable and we have no plans to change it. Individual mirrors don't need to be specified since this is user-input content and they should be using the main URL not the URL of a specific mirror. The confirmation message makes explicit mention of the possibility of malicious code from 3rd party repositories as well as updates that may bring it in, and suggests only adding 3rd parties from trusted people. The plugin install confirmation is also modified to use the same conditional and an altered message similar to the above, again to emphasize the potential security risks of 3rd party plugins. Finally, some additional information is added to the Developer Info section of the plugin page; specifically, the name of the repository the plugin is sourced from as well as its URL. How this is obtained is a hack, since these should probably be part of the main information about the plugin and not each specific version, but this is worked around by only showing the information from the first (i.e. newest) version.
nielsvanvelzen
previously requested changes
May 29, 2023
* Remove superfluous variable * Remove extra random spaces from editor * Use single-quotes around text
joshuaboniface
force-pushed
the
additionalPluginVerification
branch
from
May 30, 2023 13:35
98bf910
to
cf530b3
Compare
Co-authored-by: Niels van Velzen <nielsvanvelzen@users.noreply.github.com>
thornbill
reviewed
May 31, 2023
thornbill
added
enhancement
Improve existing functionality or small fixes
security
This PR or issue mainly concerns security
labels
May 31, 2023
Kudos, SonarCloud Quality Gate passed! |
thornbill
approved these changes
Jul 1, 2023
thornbill
pushed a commit
that referenced
this pull request
Jul 2, 2023
Add confirmation for 3rd party repos Original-merge: 331fa87 Merged-by: Bill Thornton <thornbill@users.noreply.github.com> Backported-by: Bill Thornton <thornbill@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
enhancement
Improve existing functionality or small fixes
security
This PR or issue mainly concerns security
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
Adds a confirmation similar to the one performed during plugin installation, when adding a 3rd party repository.
The safe domain is hardcoded to be "repo.jellyfin.org" as this is very stable and we have no plans to change it. Individual mirrors don't need to be specified since this is user-input content and they should be using the main URL not the URL of a specific mirror.
The confirmation message makes explicit mention of the possibility of malicious code from 3rd party repositories as well as updates that may bring it in, and suggests only adding 3rd parties from trusted people.
The plugin install confirmation is also modified to use the same conditional and an altered message similar to the above, again to emphasize the potential security risks of 3rd party plugins.
I am open to modifications to the wording of both messages in this PR, though I think this wording captures it fairly well.
Finally, some additional information is added to the Developer Info section of the plugin page; specifically, the name of the repository the plugin is sourced from as well as its URL. How this is obtained is a hack, since these should probably be part of the main information about the plugin and not each specific version, but this is worked around by only showing the information from the first (i.e. newest) version.
Issues
Fixes #4653