matomo-org / plugin-PiwikDebugger

Debug and troubleshoot a Matomo server or a plugin with this useful plugin toolkit
GNU General Public License v3.0

Consider whether to publish plugin on the Marketplace #18

Closed mattab closed 8 years ago

mattab commented 10 years ago

The goal of this issue is to publish the PiwikDebugger plugin on the Piwik Marketplace. In other words the goal is to make PiwikDebugger ready for debugging production servers.

Plugin Security Review

In order to publish the plugin, first we must check the security, in particular:

Notes

Publish plugin on the Marketplace

Once the plugin is certified as secure then we can publish it on the Marketplace.

tsteur commented 10 years ago

The purpose of this plugin is purely for debugging instances we don't have FTP/SSH access to. I don't understand why we are changing this and making it so complicated. It is still possible to install it on production servers but only when you know what you are doing and only for a very limited amount of time.

Checking for super user permissions in all libs means forking all libs, maintaining them, merging new updates of the libs, adding the super user checks to all libs/to all files and even checking each single file within the libs as most might/can be vulnerable.

Once the plugin is no longer used it has to be uninstalled, not disabled.

mattab commented 10 years ago

Ok so maybe we don't want to publish on the marketplace, which is a fine solution.

Maybe also when the plugin is disabled, we could display a message and ask the user to specifically uninstall it as well as let him know of the risks.

tsteur commented 10 years ago

We could still publish it on the Marketplace with the warning? It is also useful for developers maybe, so we do not have to create a ZIP package before installing it on a server. But it doesn't have to be in the Marketplace for me. I think it is just very important to clearly describe what the plugin is for, that it is dangerous and so on. A message to uninstall if the plugin is disabled sounds great. +1

Would just prefer to make it not too complicated. There should be no valid reason to install this plugin on a server permanently anyway.

BTW: I'm using this plugin right now on a user's instance to debug some issues and it is super helpful.

mattab commented 10 years ago

Because the plugin could have some risky files built in, I don't think it's safe to publish it in the Marketplace. Otherwise some users will expect top security settings from the author Piwik and we cannot be sure in this case...

Best for now is maybe to leave the plugin as it is and later we could reconsider, which would require protecting the libs/ folder with Super User access (htaccess or nginx; maybe provide a tool for this).

mattab commented 8 years ago

Let's not publish it on the marketplace.

Also, just disabled the travis build after discussing with @sgiehl.