ObsidianMC / Obsidian

A C# implementation of the Minecraft server protocol.
GNU General Public License v3.0

Allow plugin NuGet dependencies #102

Closed Seb-stian closed 4 months ago

Seb-stian commented 3 years ago

Allow Obsidian plugins to have NuGet dependencies. They should be correctly:

There might be a problem with versioning?

Related StackOverflow post MSDN

Craftplacer commented 3 years ago

Is it required though? I mean, we could load foreign assemblies (DLLs) too that the user installs as part of a plugin. They should only be loaded if the assembly is being depended upon by another plugin.

I can only imagine it being useful if the user loads a "source code" plugin.

Seb-stian commented 3 years ago

"Source code" plugins are the main target of this issue.

Naamloos commented 3 years ago

In all honesty, don't source code plugins have like- a security concern?

Seb-stian commented 3 years ago

Don't all of them?

Craftplacer commented 3 years ago

More like the opposite, because you can be sure you're not running hidden code, cause you compile the plugin yourself.

Naamloos commented 3 years ago

Fair, but an update on a GitHub repo would mean the new version would get compiled. A new update can introduce malicious code. Unless they don't auto update, of course.

Seb-stian commented 3 years ago

Well, at the moment, the way we deal with malicious code is that we disallow referencing certain assemblies. I don't know if it's possible to, for example, remove local files without System.IO, System.Reflection or System.Runtime.InteropServices (or another assembly that references those). We can still provide all the functionality via services, but without security risks, that's the idea. However, I don't call myself a security expert, so my thinking may be flawed.

In the past I've worked on other projects involving uMod, which is doing something similar. I think that they used Regex on the source code, to detect if any blacklisted namespaces were present, but the implementation is not as important here.
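
The namespace denylist discussed in the comment above, as an added example (not part of the thread, and not Obsidian's or uMod's implementation): it reads the type references out of a compiled plugin's metadata with System.Reflection.Metadata instead of matching the source text with a regex. The `PluginScreen` class, its method names and the denylist contents are assumptions for illustration.

```csharp
// Added example, not Obsidian's code: screen a compiled plugin by the namespaces
// of the types it references, read from metadata without loading the assembly.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

public static class PluginScreen
{
    // Assumed denylist, taken from the namespaces named in the comment above.
    static readonly string[] Denied =
        { "System.IO", "System.Reflection", "System.Runtime.InteropServices" };

    // True when ns is a denied namespace or nested in one (System.IO.Compression).
    static bool IsDenied(string ns) =>
        Denied.Any(d => ns == d || ns.StartsWith(d + ".", StringComparison.Ordinal));

    // Returns "Namespace.Type" for every denied type the assembly references.
    public static List<string> FindDeniedTypes(string assemblyPath)
    {
        using var stream = File.OpenRead(assemblyPath);
        using var pe = new PEReader(stream);
        if (!pe.HasMetadata)
            throw new BadImageFormatException("Not a managed assembly", assemblyPath);

        MetadataReader md = pe.GetMetadataReader();
        var hits = new SortedSet<string>(StringComparer.Ordinal);
        foreach (TypeReferenceHandle handle in md.TypeReferences)
        {
            TypeReference type = md.GetTypeReference(handle);
            string ns = md.GetString(type.Namespace);
            if (IsDenied(ns))
                hits.Add(ns + "." + md.GetString(type.Name));
        }
        return hits.ToList();
    }

    public static void Main(string[] args)
    {
        // Constructed sample input: with no argument, scan this program's own
        // assembly, which references System.IO.File and the metadata reader
        // types under System.Reflection, so it must be rejected.
        string path = args.Length > 0 ? args[0] : typeof(PluginScreen).Assembly.Location;
        List<string> hits = FindDeniedTypes(path);
        foreach (string hit in hits) Console.WriteLine("denied reference: " + hit);
        Console.WriteLine(hits.Count == 0 ? "plugin accepted" : "plugin rejected");
    }
}
```

A check like this is a screening step before load, not a sandbox; it only reports what the compiled metadata declares.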

Seb-stian commented 3 years ago

@Naamloos Maybe you could add "Server development" category to GitHub discussions and open "Plugins security concerns"? Or just open another issue specifically for it.

roxxel commented 3 years ago

Can I get assigned to this issue?

Tides commented 4 months ago

Closing this as it was done with #436