Open int-red opened 2 months ago
Hi,
The marketplace loads resources using URLs provided by the plugin developers through the plugin catalog (https://plugins.glpi-project.org/#/plugin/appliances). It is the first time I heard about such an alert (maybe it is because the URL is incorrect, see https://github.com/yllen/appliances/pull/3).
Anyway, I am not sure how we could handle this.
Thank you for the quick response and fix of the plugin causing this issue.
You could provide a whitelist of URLs that the plugin developers are allowed to use and deny loading of any other. Loading any URLs provided by the marketplace plugins without restrictions is prone to security issues, as a malicious plugin could misuse this.
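An added example (not GLPI's own code) of the allowlist check suggested above: a plugin-supplied resource URL is accepted only when its scheme is https, it carries no userinfo or port, and its host is exactly one of a fixed set of hosts, so the typo domain from this report, look-alike subdomains and `user@host` disguises are all refused before any fetch happens. The function name, the allowlist entries and the sample catalog URLs are assumptions constructed for the example; the host names are taken from the domains mentioned in this issue.

```php
<?php
// Added example, not GLPI's own code. Validates a plugin-supplied resource URL
// against an allowlist of hosts before the marketplace would fetch it.
// The allowlist and sample URLs below are assumptions/constructed for the example.

declare(strict_types=1);

// Hosts the marketplace is allowed to load plugin resources from (assumed list).
const ALLOWED_RESOURCE_HOSTS = [
    'raw.githubusercontent.com',
    'github.com',
    'plugins.glpi-project.org',
];

/**
 * Return true only if $url is an https URL whose host is exactly one of the
 * allowlisted hosts. Typosquats (raw.githusercontent.com), look-alike
 * subdomains (raw.githubusercontent.com.evil.example) and userinfo tricks
 * (https://raw.githubusercontent.com@evil.example/) are all rejected.
 */
function isAllowedResourceUrl(string $url, array $allowedHosts = ALLOWED_RESOURCE_HOSTS): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain https: no http, file, data, javascript, etc.
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    // user:pass@ in front of the real host is a classic way to disguise it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Non-default ports are not expected for catalog resources.
    if (isset($parts['port'])) {
        return false;
    }
    // Normalise case and a trailing dot, then require an exact match:
    // no suffix, prefix or substring matching of the host.
    $host = rtrim(strtolower($parts['host']), '.');
    return in_array($host, $allowedHosts, true);
}

// Constructed sample catalog entries (paths are placeholders, not real files).
$samples = [
    'https://raw.githubusercontent.com/yllen/appliances/main/logo.png',
    'https://raw.githusercontent.com/yllen/appliances/main/logo.png',  // typo domain from the report
    'http://raw.githubusercontent.com/yllen/appliances/main/logo.png',  // plain http
    'https://raw.githubusercontent.com@evil.example/logo.png',          // userinfo disguise
    'https://raw.githubusercontent.com.evil.example/logo.png',          // look-alike subdomain
    'https://plugins.glpi-project.org/logo.png',
];

foreach ($samples as $url) {
    printf("%-70s %s\n", $url, isAllowedResourceUrl($url) ? 'ALLOW' : 'DENY');
}
```

Of the six constructed samples only the first and the last are allowed. The check deliberately compares whole host names rather than testing whether a string "contains" or "ends with" an allowed domain, because both of those patterns are exactly what the look-alike and userinfo samples exploit.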
There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.
If this issue is related to a bug, please try to reproduce on the latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.
You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.
Version
10.0.16
Bug description
When opening the marketplace under Setup > Plugins, remote content from a URL is loaded.
This triggers an alert from the antivirus because the URL raw.githusercontent.com is blacklisted. See also https://talosintelligence.com/reputation_center/lookup?search=raw.githusercontent.com, where raw.githusercontent.com is listed as:
WEB REPUTATION: Untrusted
THREAT CATEGORY: Exploits, Malicious Sites
GLPI should load remote content from trustworthy domains only.
Relevant log output
No response
Page URL
/front/marketplace.php
Steps To reproduce
No response
Your GLPI setup information
No response
Anything else?
No response