If I install a open source extension will they get my sites data?

Hari

If I install a flarum extension will extension author get acess to my site? Can they copy my website's user data? Or Can they perform bulk delete operations?

This is very illogical question but I still want to ask

Like we have security plugins in WordPress** do we have any extensions in flarum?

Should I just use audit log? To see all delete actions ?

GreXXL

Hari If I install a flarum extension will extension author get acess to my site? Can they copy my website's user data? Or Can they perform bulk delete operations?

As with all software - it's possible that there are malicious apps. Also in very tightly monitored ecosystems like Apple iOS malicious apps have slipped through the reviews. And this is a platform where there are all apps reviewed.

While extensions are not reviewed for Flarum, most of them are OpenSource. With availability to the source code, it's at least easily possible to be checked for malicious code. Also, a greater number of users will be monitoring.

If you are suspicious I'd recommend only install extensions from trustworthy sources. For example well-respected members of this community. And of course you can always report something here if you have concerns.

Hari Like we have security plugins in WordPress** do we have any extensions in flarum?

There is not. It would need to be a very good piece of extension to detect malicious extensions.

Hari Should I just use audit log? To see all delete actions ?

While audit log gives you insight into what is happening in your community it won't protect you from malicious extensions. If someone really develops a malicious extension able to implement a backdoor to take over your community it surely can also circumvent the audit log from showing something.

I think the risk of having a malicious extension is far less than having the community compromised due to a leaked password or a security problem with the hosting setup.

rafaucau

Of course such a thing is possible, but with open source extensions you can verify that it does not contain any malicious code.

Hari

rafaucau does all extensions which are published here in flarum are verified? How to check for such scripts?

Does extravise store does this verification process?

rafaucau

Hari does all extensions which are published here in flarum are verified?

As I added the discussion in the Extensions tag, it had to be approved by a moderator. But I don't know if they check the code. Question to the moderators here.

Hari How to check for such scripts?

You need to review the code of such an extension.

Hari

[deleted] sir, thanks for stepping into this. I got this doubt after we had a conversation at metabullet about the attacks. i could not ask you there because i don't want to disturb you with general topics.

GreXXL SychO thanks for explaining. i thought sentry extensions is for security? (i don't know what it means by monitoring an application)

as of now, I am only using extensions from the flarum & fof and few other extensions are from very trusted authors. ❤❤❤❤

i didn't mean to say we have such malicious extensions but i just want to clarify if there any safe cheks are being performed or not, now all my doubts are cleared. ✔

SychO

There is no verification process of the safety of the code of an extension, that would require a lot of effort and man power, which we cannot afford. There are no automatic checks either, something like that would be very prone to error.

Audit log shows actions taken by actors, if an extension is doing something malicious/unsafe, audit log won't be able to know of that.

There is a solid idea of how verifying extensions could work: https://discuss.flarum.org/d/4883-extensions-safety-trust

Sometime in the future.

[deleted]

A good portion of this relies on the developers themselves, and their approach to secure coding practices. Whilst on one hand you have a skilled developer who understands the impact of what they are extending in the core, this may not be the case for someone new to the ecosystem who may write code that introduces a SQL injection (for example) yet not be aware of it's existence.

[deleted]

Hari phenomlab sir, thanks for stepping into this. I got this doubt after we had a conversation at metabullet about the attacks. i could not ask you there because i don't want to disturb you with general topics

You can ask me anything on metabullet @Hari - that's the purpose of the site - to provide advice and consultancy. It is not entirely dedicated to Flarum support and does much more than that 👍

GreXXL

Hari i thought sentry extensions is for security? (i don't know what it means by monitoring an application)

No Sentry is a service that helps you capture application errors. Meaning if there are bugs within you application you can get hold of them. Got little to none to do with security (other than fixing bugs is always closing possible backdoors).

Hari

GreXXL one other question, i will not extend this conversation.

fof or flarum team performs all checks right why do we need sentry again? is it useful for those who are developing extensions?

edit: i understand it works like the appboy .. whenever an error occurs to the user it will make a note (entry) in sentry

got it 👍👍

clarkwinkelmann

One thing to note about my Audit Log extension, and more generally any audit extension, is that while the extension protects its own data against accidental deletion, a malicious extension would have all the access required to override the existing logs.

If the server has been compromised, the logs can't really be trusted anymore. It's best to have regular off-site backups of the database so you can also retrieve older logs in case that ever happens.

And of course as said above, a malicious actor could probably manage to avoid being logged in the first place by temporarily disabling the extension, preventing access to the database or by modifying the log extension's source code.