greasyfork-org / greasyfork

An online repository of user scripts.
https://greasyfork.org
GNU General Public License v3.0

Auto Reject files that matches pattern X in its content #126

Closed w35l3y closed 10 years ago

w35l3y commented 10 years ago

It would be great if moderators (or someone with admin privileges) could add some kind of rules that would auto-reject when someone uploads certain scripts.

These rules would be executed once for each uploaded script.

For example, it's known that currently userscripts.org is unavailable, so if the pattern /^\/\/\s+@require\s+https?:\/\/(?:\w+\.)?userscripts\.org\//i is found, then it would reject the script. User is trying to upload a known broken script.

Another practical example: currently my scripts should only be available at userscripts.org and github.com, but I have reports that some of them are being uploaded to Greasy Fork by someone else. So it could auto-reject if the pattern /wesley\.eti\.br/ is found. User is trying to upload a known stolen script.

Or if it matches /(p,a,c,k,e,r)/, then it is known to be a packed script.

Or if it matches /_0x\d{4}x\d(_0x\d{4}x\d)/, then it is known to be an encoded script.

Or if it matches /document\.cookie/ or /eval\(/, then it probably is a harmful script. (would require reviewing by moderator)

... and so on.

A generic error message like "Some errors were found in this script" would be enough.

It would probably minimize users uploading broken/stolen/packed/encoded/obfuscated/harmful/... scripts, and the work of rejecting them manually too.

JasonBarnabe commented 10 years ago

This is such a good idea that it already exists :) The list is only editable by me and visible to moderators to make circumventing it harder, but it does have entries to prevent obfuscated scripts and known malware. document.cookie and eval aren't on the list because they can be used for good, but there may in the future be a "suspicious" list for stuff like that. See #55 for more discussion.

@require is handled separately - see https://greasyfork.org/help/external-scripts .

Can you provide links to the unauthorized copies of your scripts and the originals?
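The two-tier screening discussed in the comments above (a block list that rejects outright, plus a "suspicious" list that only queues a script for moderator review), as an added Ruby example that is not Greasy Fork's own code. `Rule`, `RULES`, `screen` and the sample scripts are hypothetical and constructed; the patterns are the ones proposed in the issue, with literal dots and parentheses escaped.

```ruby
# Added example: names and structure are assumptions, not the site's implementation.
Rule = Struct.new(:name, :pattern, :action)

RULES = [
  # In Ruby, ^ anchors at every line start, so the @require line is found
  # anywhere in the metadata block (a JavaScript regex would need the m flag).
  Rule.new("require from userscripts.org",
           %r{^//\s+@require\s+https?://(?:\w+\.)?userscripts\.org/}i, :reject),
  Rule.new("reposted-domain marker", /wesley\.eti\.br/, :reject),
  Rule.new("p,a,c,k,e,r packer", /\(p,a,c,k,e,r\)/, :reject),
  Rule.new("_0x encoded identifiers", /_0x\d{4}x\d(_0x\d{4}x\d)/, :reject),
  # Legitimate scripts use these too, so a hit only asks for a human look.
  Rule.new("document.cookie access", /document\.cookie/, :review),
  Rule.new("eval call", /eval\(/, :review)
].freeze

# Runs every rule once over the uploaded source. The matched rule names are
# for moderators; the uploader only ever sees the generic message.
def screen(source)
  hits = RULES.select { |r| r.pattern.match?(source) }
  verdict =
    if hits.any? { |r| r.action == :reject } then :reject
    elsif hits.any? then :review
    else :accept
    end
  message = verdict == :reject ? "Some errors were found in this script" : nil
  { verdict: verdict, rules: hits.map(&:name), message: message }
end

# Constructed sample uploads.
BROKEN = "// ==UserScript==\n// @name Demo\n" \
         "// @require http://userscripts.org/scripts/source/1.user.js\n" \
         "// ==/UserScript==\n"
PACKED = "eval(function(p,a,c,k,e,r){return p}('0',1,1,''.split('|'),0,{}))"
BENIGN_EVAL = "// mentions http://userscripts.org/ in a comment\n" \
              "var x = eval('(' + json + ')');"
CLEAN = "// ==UserScript==\n// @name Clean\n// ==/UserScript==\nconsole.log('hi');"

if __FILE__ == $PROGRAM_NAME
  [BROKEN, PACKED, BENIGN_EVAL, CLEAN].each { |s| p screen(s) }
end
```

`BENIGN_EVAL` shows why the two tiers matter: an ordinary `eval` call lands in review rather than being rejected, and a URL mentioned in a comment does not trip the anchored `@require` rule.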

w35l3y commented 10 years ago

The only one for now that I was aware of was https://greasyfork.org/scripts/1482-neopets-avatars-flash-games-beta that was removed already. The original is at http://userscripts.org:8080/scripts/review/127882 and currently at https://github.com/w35l3y/userscripts/blob/master/scripts/Neopets_Avatars_Flash_Games_%5BBETA%5D/127882.user.js

But I am afraid that it could happen again and with other scripts of mine (as it used to happen in userscripts.org too). And one of the first 2 rules that I mentioned would be a good start.

JasonBarnabe commented 10 years ago

https://greasyfork.org/scripts/1482-neopets-avatars-flash-games-beta was actually never installable on Greasy Fork because of the @require it used.

w35l3y commented 10 years ago

Oh I see. That is good! :smiley: So what is the point of accepting such scripts instead of just rejecting them? I mean, the way it currently is, I have to monitor the whole site and ask moderators to remove them one by one. Again, the same problem we used to have at userscripts.org.

JasonBarnabe commented 10 years ago

We can periodically review the list of scripts with bad @requires and potentially add things to the whitelist or suggest to the authors a better place to @require from.

Your issue with your script being reposted seems to be unrelated to the @require thing, though. It's not necessarily "stealing" depending on the license used on the original, and it's not necessarily malicious as someone might just want to "save" the script from the pending userscripts.org collapse.

There may be something I can do about reposting stuff that's already posted to Greasy Fork, but stopping reposts from elsewhere is not something I can automatically stop, least of all because I have no way of knowing if the person who does it is actually the original author.

Adding a block on wesley.eti.br would have stopped this particular script, but this isn't really a scalable approach to the problem.

w35l3y commented 10 years ago

The @require thing would be an indirect solution to the same problem because they usually copy the whole content without knowing what things do. (Blocking temporarily all known broken scripts would be enough and a very good start)

I am sorry if it sounded selfish, but I just gave real examples of what used to happen at userscripts.org, and I just wanted Greasy Fork to learn from the past errors of other sites and be a better tool, for both users and moderators.

I think one of the downsides there for moderators was the fact that they were always working reactively, I mean, deleting waves of scripts/spam when it could be done automatically. I think they were just tired of the same thing.

I can't really think of a better message to users that try to publish broken/untraceable scripts than "Please come back later once you learn how to develop userscripts, or report a bug". Moderators should have more interesting things to do than suggesting that users fix their scripts.

Hopefully Greasy Fork (and/or other related sites) will be better than Userscripts. You may close it at any time.

JasonBarnabe commented 10 years ago

I'm all for blocking things if they're broken or stolen, and the site can do that, but it's identifying the scripts we want to block and ensuring that there are no false positives that's the trick.