KSP-KOS / KOS

Fully programmable autopilot mod for KSP. Originally By Nivekk

Escaping from Scripts folder to access other files. #2439

Closed Dunbaratu closed 5 years ago

Dunbaratu commented 5 years ago

Some streamers started doing "Twitch Plays kOS", where they create some kind of chatbot that connects their Twitch chat to kOS, letting any random user type in kOS commands from the chat that will execute in their game. This made us concerned that this was a security environment that kOS was never designed for.

The Concern:

With release kOS-v1.1.6.2 and earlier, we were aware of some tricks that a script can use to access any other files on the host PC running the game besides just the files in Ships/Script/ that it is meant to access. This access can include both reading and writing. As long as people were only writing their own script programs, or borrowing other script programs that they had read first, this was fine. But once people decided to invite the entire internet to execute any arbitrary kOS commands on their computer via chat, we decided this was no longer acceptable.

We are planning to release kOS-v1.1.6.3, which should fix the places that we know of where this can be done.

We were avoiding the usual github PR system for this one because it's too public, instead keeping the talk about it in private Slack channels. We will advertise this issue only simultaneously with the release of the fix for it.

Please still don't use Twitch Plays kOS without boxing it inside a VM or at least a container

Even with this issue addressed, it is still the official opinion of everybody on the kOS dev team that regardless of what OS you play KSP on, "Twitch Plays kOS" should only be done inside well sandboxed containers or VM environments that contain just an installation of Kerbal Space Program and nothing else. (Such that the only damage a user could do would be to that installation of Kerbal Space Program at most.) While kOS is only meant for manipulating things inside the game, the fact that it needs to read and write files from the filesystem to do its job, and that it has some limited commands for doing so, makes it a concern if you let people just type in whatever commands they feel like on it. We have done our best to try to prevent access to files that are outside of the Script folder, but cannot (and will not) make any guarantees about this. It is always possible that someone cleverer than us comes up with a trick we hadn't thought of.

(Furthermore, even if kOS succeeds in keeping the users out of folders where they don't belong, the ability to run arbitrary script code could do things like eat lots of memory or CPU time or disk space to try to crash the computer. (Just because the user keeps the files in a legal place doesn't mean they can't try to make them several terabytes big.) This is another good reason that if you want to run a "Twitch Plays kOS" setup, you only do so inside a well sandboxed setup that will keep attempts to make big files, big memory structures, or expensive CPU usage from crashing the host computer itself.)

Dunbaratu commented 5 years ago

Since this is not being handled by a normal PR, I will list the commits that address it separately here:

e03232a added backslash to invalid path chars - Luca Haneklau
4cf6902 added relative archive path sanitization - Luca Haneklau
0ab5f16 added archive path validation to widget texture loading - Luca Haneklau
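The three commits above describe one defensive pattern: treat every script-supplied path as untrusted, reject separator-like characters (backslash included), resolve the path against the Scripts root, and then verify the result still lies under that root. The example below is an added reference implementation of that confinement check in Python, written for this page; it is not kOS's own code (kOS is a C# Unity mod) and its function names, the constructed directory layout and the invalid-character set beyond backslash are assumptions chosen for illustration.

```python
import os
import pathlib
import tempfile
from typing import Tuple

# Characters refused anywhere in a script-supplied path. The page states that
# backslash was added to kOS's invalid set; the remaining members of this set
# are an assumption (Windows-reserved characters) for this example only.
INVALID_PATH_CHARS = frozenset('\\:*?"<>|')


class PathEscapeError(ValueError):
    """Raised when a script path would leave the permitted root."""


def resolve_inside_root(root: str, user_path: str) -> pathlib.Path:
    """Resolve user_path relative to root and prove it stays inside root.

    Hypothetical reference check (not kOS's implementation):
      1. refuse empty paths, control characters and separator-like characters
      2. refuse absolute paths (POSIX or Windows form) so a script cannot
         name an arbitrary location directly
      3. resolve '..' components and symlinks, then require the resolved
         result to be root itself or a descendant of root
    """
    if not user_path:
        raise PathEscapeError("empty path")
    for ch in user_path:
        if ch in INVALID_PATH_CHARS or ord(ch) < 32:
            raise PathEscapeError(f"invalid character {ch!r} in {user_path!r}")
    if (pathlib.PurePosixPath(user_path).is_absolute()
            or pathlib.PureWindowsPath(user_path).is_absolute()):
        raise PathEscapeError(f"absolute path not allowed: {user_path!r}")

    root_real = pathlib.Path(root).resolve(strict=True)
    # strict=False lets a not-yet-existing file (a script about to be written)
    # still be checked; '..' and existing symlinks are collapsed here.
    candidate = (root_real / user_path).resolve(strict=False)
    try:
        # relative_to compares whole path components, so a sibling directory
        # such as 'Script-old' is not mistaken for a child of 'Script'.
        candidate.relative_to(root_real)
    except ValueError:
        raise PathEscapeError(
            f"{user_path!r} resolves to {candidate}, outside {root_real}") from None
    return candidate


def is_confined(root: str, user_path: str) -> bool:
    """True if user_path is acceptable under root, False if it would escape."""
    try:
        resolve_inside_root(root, user_path)
        return True
    except PathEscapeError:
        return False


def build_sample_layout() -> Tuple[str, str]:
    """Create a constructed KSP-like tree in a temp dir: returns (base, scripts_root).

    base/Ships/Script/boot/launch.ks is a legitimate script; base/secret.txt
    stands in for any host file a script must never reach. Sample data only.
    """
    base = tempfile.mkdtemp(prefix="kos-path-demo-")
    scripts = os.path.join(base, "Ships", "Script")
    os.makedirs(os.path.join(scripts, "boot"))
    with open(os.path.join(scripts, "boot", "launch.ks"), "w") as f:
        f.write('PRINT "hello".\n')
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for scripts\n")
    return base, scripts


if __name__ == "__main__":
    _, scripts_root = build_sample_layout()
    for p in ["boot/launch.ks", "boot/../boot/launch.ks", "../../secret.txt",
              "boot/../../../secret.txt", "/etc/passwd",
              "boot\\..\\..\\secret.txt", "C:\\Windows\\system.ini"]:
        verdict = "allowed " if is_confined(scripts_root, p) else "rejected"
        print(f"{verdict}  {p}")
```

The check must run at every entry point that turns a script-supplied name into a filesystem operation; the third commit (archive path validation added to widget texture loading) is a reminder that a code path which loads files for a different purpose is just as much an escape route as the ordinary read and write commands. Comparing resolved paths component-wise, rather than testing whether one string starts with another, avoids the classic prefix mistake, and resolving before comparing is what defeats `..` sequences and symlinks that point outside the root.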