[Bug 25370] New: Create whitelist of plugins allowed to be installed
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 Bug ID: 25370 Summary: Create whitelist of plugins allowed to be installed Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Plugin architecture Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org This feature would provide a whitelist of plugins that are allowed to be installed in Koha. This whitelist would be managed by some kind of administrator*. This feature coupled with Bug 24632 would allow Koha users to only installed certain authentic plugins from trusted providers. (*I've been thinking that a superlibrarian really should be able to configure all aspects of Koha. However, from a vendor perspective, there are quality of service and security risks that comes with that. So perhaps the administrator level should be configurable. Defaulting to superlibrarian but optionally being switched to backend sysadmin for vendors, so that they can have ultimate say, when running on their own hardware.) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I am thinking the whitelist would contain an entry like "Koha::Plugin::Com::ByWaterSolutions::CSV2MARC". However, another plugin could pretend to be that same one. A malicious plugin could pretend to be a popular plugin and thus defeat the whitelist. With Bug 24632, that would be far less likely. You could set up your plugin keys so that only Bywater Solutions is trusted, and then only "Koha::Plugin::Com::ByWaterSolutions::CSV2MARC" is allowed on the whitelist. It is still possible to have collisions if you trust more than one provider and they use the same name, but that is unlikely due to the naming conventions Kyle created from the start. Different vendors should use their company names like "Koha::Plugin::Com::ProsentientSystems::OaiHarvester" (which one day I hope to be a real thing). Plus, if we did start using vendor/community Github/Gitlab as repositories, we could potentially limit the likelihood of people sourcing plugins from obscure locations. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Create whitelist of plugins |Create allowlist of plugins |allowed to be installed |allowed to be installed -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- This looks a bit tougher than I was thinking but should still be doable... I think if I do a Module::Pluggable search for "Koha::Plugin" in between these following two lines and then compare to an allowlist... that should do the trick. my $ae = Archive::Extract->new( archive => $tempfile, type => 'zip' ); unless ( $ae->extract( to => $plugins_dir ) ) { -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- The challenge is how to define this configuration, but I think I could use the same idea I had at https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28498#c4 Set up a configuration file called /etc/koha/plugin-allowlist.yml and then point each Koha instance at that file via koha-conf.xml. That also allows for the possibility to have 99% of instances using the generic allow list while some instances could be configured using /etc/koha/sites/INSTANCE/plugin-allowlist.yml to provide a different list. (I still want to replace koha-conf.xml, but creating Koha::Config->file() with caching layers is beyond what I want to do right now...) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Create allowlist of plugins |Create allowlist of plugins |allowed to be installed |allowed to be installed by | |Web UI -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- I've updated the summary because I think we only need to define an allowlist that inhibits the Web UI. I think we should allow sysadmins to install whatever they want. (I'm also not too concerned with people uninstalling plugins at this point. I think that would be better handled by Bug 28499.) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Going forward I'll probably just rely on bug 25672 so I doubt I'll work on this... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com Depends on| |25672 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25672 [Bug 25672] Administrators should be able to restrict client-side plugin upload to trusted sources -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WISHLIST -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org