Non-plugin binaries can be executed from an untrusted online configuration

[dyhkwong]

If an online configuration is like

{
	"local_address": "127.0.0.1",
	"local_port": 1080,
	"server": "127.0.0.1",
	"server_port": 8388,
	"method": "aes-256-gcm",
	"password": "123456",
	"plugin": "calc",
	"plugin_args": []
}

and one runs sslocal --online-config-url https://example.com/config.json --local-addr 127.0.0.1:1080, Windows will pop-up a calculator. With shadowsocks-rust-only plugin_args most things on a local device can be executed. I don't think this is expected behavior. Online configuration should not be considered a trusted source.

[zonyitoo]

This is discussed when SIP008 was still a draft.

Online configuration should not be considered a trusted source.

Yes, if you are using an online configuration source which couldn't be trusted, it would become a vulnerable issue. But what should sslocal do to help? A plugin whitelist? chroot on linux?

Since it is not well defined in SIP008, it all up to implementations to decide what has to be done for protection. sslocal didn't do anything, yet.

If you have any good ideas, feel free to open a PR, or describe your design.

[database64128]

The SIP008 spec did not specify how plugins should be handled, but the newer OOCv1 Shadowsocks spec mandates that clients use the name and version to choose the plugin from a user-configured list.

Support for OOCv1 was added in 5029279, but without the plugin part. Maybe we could implement the plugin part to provide a safe alternative to SIP008.

[dyhkwong]

A plugin whitelist? chroot on linux?

Plugin whistlist is a platform-independent approch while chroot is not. Anyway a plugin whistlist is likely a breaking change.

I think using a whitelist of plugin names (and/or plugin paths) is enough (as part of the plugin part of OOCv1). Unfortunately I am unable to open a pull request in Rust.

configuration file

{
  "online_config": {
    "config_url": "https://path-to-online-sip008-configuration",
    "trusted_plugins": {
      "obfs-local",
      "v2ray-plugin"
    }
  }
}

command line argument
sslocal --online-config-url https://path-to-online-sip008-configuration --trusted-plugins obfs-local,v2ray-plugin with commas in plugin name escaped, or sslocal --online-config-url https://path-to-online-sip008-configuration --trusted-plugin obfs-local --trusted-plugin v2ray-plugin

And plugins need to make sure they don't chain-load other binaries.

[zonyitoo]

Already supported on the master branch. Please try.