IceDynamix / reliquary-archiver

tool to create a relic export from network packets of a certain turn-based anime game
MIT License
180 stars 18 forks

VirusTotal labels it as a Trojan #36

Open Zeamox opened 3 months ago

Zeamox commented 3 months ago

(image attachment)

IceDynamix commented 3 months ago

sniffing packets has always been a contentious topic. it's obvious that by allowing a program to sniff packets, the user is possibly compromising themselves to all kinds of vulnerabilities. packet sniffers should be regarded on the same level as keyloggers in my opinion.

RQA currently uses the npcap/pcap (windows/linux) libraries to interact with the network interfaces and the incoming data. this naturally requires elevated permissions. however, i explicitly pass in this specific udp and port filter https://github.com/IceDynamix/reliquary-archiver/blob/026048e9a0012ee906b2edf6a9ad6cfab30d1e57/src/main.rs#L16 to the library, which should prevent RQA from receiving anything outside of udp packets in those ports.

RQA also downloads json files required to decode them, like the english textmaps. this could be abused if someone decided to inject malicious software into one of those database files and somehow managed to trigger a vulnerability in RQA or one of the libraries it uses.

between virus detection tools moving over to ai and RQA becoming more popular than ever, i'm not surprised to see that it has been flagged as a trojan. but i'm also not sure why it hasn't been flagged before, since there haven't been any major updates that change the behavior by a lot. or maybe it has been flagged and i just never noticed.

changes between v0.1.6 and v0.1.7

if we want to take a look at the changes that happened between v0.1.6 and v0.1.7, the two most notable ones are

something important to note is that i'm actually on vacation right now and only have my linux laptop with me, making it more difficult to properly verify and validate all of the incoming code. given that i was literally on a plane when the 2.3 update dropped and thus was a bit slow on updating the protobuf types, new version key and generally releasing the update, other people have taken it into their own hands to make pull requests to help me make the job easier.

releasing via github actions workflow

from update v0.1.6 to v0.1.7, #31 was added, which added a github actions workflow to compile and create a new windows release every time something is pushed to the main branch. this PR is based on an existing rust compilation template and an existing release template. for this to be the issue, there would need to be an (undetected) supply chain attack in one of these templates, which i believe is highly unlikely for actions as elementary as compiling rust code and creating a release.

game version 2.3 library update

this pull request covers the new protobuf types and adding the new version key. since i was travelling and the commit diff is literally 16k lines across 380 files as a result of code generation, i didn't fully read through every change in the pull request on my phone. all i did was have @fribbels verify the functionality by testing the new release with the pull request merged. there could be a minuscule chance that i missed something in there though.

conclusion

this already came up in the fribbels optimizer discord where most of the discussion around RQA is happening, but i still genuinely don't know where to go with this. is there a way to unflag RQA? do i have to apply for some kind of certificate? i would appreciate if someone could help me out on this process.

i get it if people decide to stop using RQA based on the virus report though. i personally wouldn't feel that comfortable downloading a packet sniffer either; it's one of the reasons i went open source. you can still compile RQA yourself to feel safer, though @FaeronGaming has noted that a local build also gets flagged with 10 vulnerabilities.

for now, i'll leave this issue open for anyone coming across the same thing.
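The capture filter the maintainer describes above (UDP only, on the game's ports) is what keeps a packet-capturing tool from ever seeing unrelated traffic. As an added illustration that is not RQA's own code, the std-only Rust below implements the same "udp and port" semantics over raw Ethernet frames, so you can see exactly which frames such a filter lets through; the port numbers are constructed placeholders, since the real ones live in the linked main.rs.

```rust
/// Constructed placeholder ports standing in for those in RQA's real filter (not from the issue).
pub const GAME_UDP_PORTS: [u16; 2] = [23301, 23302];

/// Parse an Ethernet II frame and return (ip_proto, src_port, dst_port) when it is IPv4/UDP.
/// Returns Some((proto, 0, 0)) for other IPv4 protocols and None for malformed or non-IPv4 frames.
pub fn parse_ipv4_l4(frame: &[u8]) -> Option<(u8, u16, u16)> {
    if frame.len() < 34 || u16::from_be_bytes([frame[12], frame[13]]) != 0x0800 {
        return None; // too short or EtherType is not IPv4
    }
    let ihl = ((frame[14] & 0x0F) as usize) * 4; // IPv4 header length in bytes
    let proto = frame[23]; // IPv4 protocol field
    if proto != 17 {
        return Some((proto, 0, 0)); // TCP, ICMP, ... carry no UDP ports
    }
    let udp = frame.get(14 + ihl..14 + ihl + 8)?; // UDP header, None if truncated
    Some((proto, u16::from_be_bytes([udp[0], udp[1]]), u16::from_be_bytes([udp[2], udp[3]])))
}

/// Equivalent of the BPF expression "udp and (port A or port B)": true only for UDP frames
/// whose source or destination port is in `ports`, so everything else is never delivered.
pub fn matches_filter(frame: &[u8], ports: &[u16]) -> bool {
    match parse_ipv4_l4(frame) {
        Some((17, sport, dport)) => ports.contains(&sport) || ports.contains(&dport),
        _ => false,
    }
}

/// Build a minimal Ethernet/IPv4 frame with a UDP (17) or TCP (6) header (constructed test input,
/// checksums left at zero because the filter never inspects them).
pub fn build_frame(proto: u8, sport: u16, dport: u16, payload: &[u8]) -> Vec<u8> {
    let mut l4 = Vec::new();
    l4.extend_from_slice(&sport.to_be_bytes());
    l4.extend_from_slice(&dport.to_be_bytes());
    if proto == 17 {
        l4.extend_from_slice(&((8 + payload.len()) as u16).to_be_bytes()); // UDP length
        l4.extend_from_slice(&[0, 0]); // UDP checksum
    } else {
        l4.extend_from_slice(&[0u8; 16]); // remainder of a 20-byte TCP header
    }
    l4.extend_from_slice(payload);
    let total = (20 + l4.len()) as u16;
    let mut frame = vec![0u8; 12]; // dst/src MAC
    frame.extend_from_slice(&[0x08, 0x00]); // EtherType IPv4
    frame.extend_from_slice(&[0x45, 0]); // version 4, IHL 5, TOS
    frame.extend_from_slice(&total.to_be_bytes());
    frame.extend_from_slice(&[0, 0, 0, 0, 64, proto, 0, 0]); // id, flags/frag, TTL, proto, checksum
    frame.extend_from_slice(&[10, 0, 0, 1, 10, 0, 0, 2]); // src 10.0.0.1, dst 10.0.0.2
    frame.extend_from_slice(&l4);
    frame
}
```

A TCP segment on one of the listed ports, or a UDP datagram on any other port (DNS on 53, for example), is rejected by the same rule, which is the property the maintainer is relying on.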