View Full Version : Permissions in Script Files


fearlessfrog
05-17-2011, 07:10 PM
Hi,

Some friendly community feedback in regards to C#/Scripting :)

The c-sharp scripting files that can be used as part of building a mission do not appear to be sandboxed. What this means is that a malicious mission maker could do things like remove files, connect to the net, access local resources as the current win logon.

My worry is that people will download missions in .mis & .cs format and not understand what is potentially running.

My suggestion to the product team to help this would be:

- Short-term. Put something in the mission reader code that makes the player specifically enable mission files that use the .CS scripting. The default would be 'ignore'. This would then offer some sort of 'opt-in' from running something malicious inadvertently.

- Longer-term. Consider reducing the .NET Code Access Security permissions on the scripting engine you are using, i.e. sandbox but not at FullTrust. I understand this is a design consideration, but security is not worth taking risks for. Additionally, some sort of 'code signing' for the scripting would be useful too.

As the SDK is not released I realize this is just still Work in Progress, but felt I should at least say something to prevent people from executing code without at least understanding the consequences.

More info/discussion here:

http://simhq.com/forum/ubbthreads.php/topics/3297184/Scripting_Fun.html

COD has some amazing potential in this area, I just want to make sure it starts off safely...

EDIT: As pointed out by Kegetys at SimHQ - wouldn't even just connecting to a server and having it download the mission files then allow for remote code to be executed on the client PCs? Is that how it works (not really looked at server mission and how they deploy files to each client). If this is the case then it is perhaps quite urgent to review?

41Sqn_Stormcrow
05-17-2011, 08:21 PM
If the scripts that are supposed to run in an MP mission are in effect downloaded to the client's computer (perhaps even without his knowledge) and run there, it is highly critical as far as I understand this issue. If this is true, it is not at all recommendable to join any server?

E69_vencejo
05-19-2011, 02:44 PM
Any comment from 1c about this?

fearlessfrog
05-20-2011, 09:12 PM
Any more feedback?

Example: It would take five minutes to:

1. Set up a Cliffs of Dover server on your PC, put it on the internet, and give it a name like 'New Server - Great New Mission!'

2. Write a tiny C# script in a mission that deletes the user's 'My Documents' directory or uploads your local PC's files to a site on the internet.

3. For each person that just connects to the server and hits 'Create' on the flight mission, see how step (2) would impact them. Bad news.

Sorry to be a bit dramatic, but with no comments back and FMB people not even commenting here, it makes me suspect this isn't being taken seriously as a potential problem?

Just to reiterate: It *may* be possible to run executable code on each client PC that just connects to a CoD MP server. Not good.

This should be verified and looked at soon? Hopefully I am wrong?

TheEnlightenedFlorist
05-20-2011, 10:49 PM
Just to reiterate: It's possible to run executable code on each client PC that just connects to a CoD MP server. Not good.

Are you sure this is true? I can't see any reason why the scripts would need to be downloaded onto each client's computer and run there. Sure, a script could mess up a server, but that's the server admin's responsibility.

I don't even think the mission files are downloaded to clients' computers, just the info about where things are and such.

If this is true, it means that every client is a server and they are somehow collaborating to keep everybody's game the same. A pretty silly way to do it and not what I would expect from the dev team.

For each person that just connects to the server and hits 'Create' on the flight mission, see how step (2) would impact them.

I don't have any friends to connect to my servers but somebody might as well try it. I have a feeling anything like that would only affect the server.

Anyway, here's code that will create a directory and file in the root directory of the c: partition. Uncomment the commented stuff to delete it. It works on a server, I doubt it will work on a client connected to a server.

public override void Init(maddox.game.ABattle battle, int missionNumber)
{
    base.Init(battle, missionNumber);

    // Specify a "currently active folder"
    string activeDir = @"c:\youve\been\";

    // Creates the whole c:\youve\been\ chain if it does not exist yet
    System.IO.Directory.CreateDirectory(activeDir);

    string newFileName = "duped";

    string newPath = System.IO.Path.Combine(activeDir, newFileName);

    // Write 100 bytes (0..99) into c:\youve\been\duped, unless it already exists
    if (!System.IO.File.Exists(newPath))
    {
        using (System.IO.FileStream fs = System.IO.File.Create(newPath))
        {
            for (byte i = 0; i < 100; i++)
            {
                fs.WriteByte(i);
            }
        }
    }

    // Delete a directory and all subdirectories with Directory static method...
    //if (System.IO.Directory.Exists(@"c:\youve"))
    //{
    //    try
    //    {
    //        System.IO.Directory.Delete(@"c:\youve", true);
    //    }
    //    catch (System.IO.IOException e)
    //    {
    //        Console.WriteLine(e.Message);
    //    }
    //}
}

Ralith
05-22-2011, 10:53 AM
It would take five minutes to...

Then why don't you go take five minutes instead of spreading FUD?

fearlessfrog
05-22-2011, 03:51 PM
Then why don't you go take five minutes instead of spreading FUD?

The SP missions aren't sandboxed, so with that problem already they had lost the benefit of the doubt.

Post the results of your MP tests?

fearlessfrog
05-22-2011, 04:07 PM
Are you sure this is true? I can't see any reason why the scripts would need to be downloaded onto each client's computer and run there. Sure, a script could mess up a server, but that's the server admin's responsibility.

I don't even think the mission files are downloaded to clients' computers, just the info about where things are and such.

If this is true, it means that every client is a server and they are somehow collaborating to keep everybody's game the same. A pretty silly way to do it and not what I would expect from the dev team.

I don't have any friends to connect to my servers but somebody might as well try it. I have a feeling anything like that would only affect the server.

Anyway, here's code that will create a directory and file in the root directory of the c: partition. Uncomment the commented stuff to delete it. It works on a server, I doubt it will work on a client connected to a server.

public override void Init(maddox.game.ABattle battle, int missionNumber)
{
    base.Init(battle, missionNumber);

    // Specify a "currently active folder"
    string activeDir = @"c:\youve\been\";

    // Creates the whole c:\youve\been\ chain if it does not exist yet
    System.IO.Directory.CreateDirectory(activeDir);

    string newFileName = "duped";

    string newPath = System.IO.Path.Combine(activeDir, newFileName);

    // Write 100 bytes (0..99) into c:\youve\been\duped, unless it already exists
    if (!System.IO.File.Exists(newPath))
    {
        using (System.IO.FileStream fs = System.IO.File.Create(newPath))
        {
            for (byte i = 0; i < 100; i++)
            {
                fs.WriteByte(i);
            }
        }
    }

    // Delete a directory and all subdirectories with Directory static method...
    //if (System.IO.Directory.Exists(@"c:\youve"))
    //{
    //    try
    //    {
    //        System.IO.Directory.Delete(@"c:\youve", true);
    //    }
    //    catch (System.IO.IOException e)
    //    {
    //        Console.WriteLine(e.Message);
    //    }
    //}
}

Thanks for that.

For me it looks like MP is ok, but SP needs a sandbox.

Agreed?

TheEnlightenedFlorist
05-22-2011, 11:08 PM
Thanks for that.

For me it looks like MP is ok, but SP needs a sandbox.

Agreed?

I'm not familiar with .Net permissions, but they probably shouldn't have complete filesystem access. If you could limit it to certain directories that would be nice.
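An added example of the reduced-trust script host that fearlessfrog's longer-term suggestion (a .NET Code Access Security sandbox below FullTrust) and this post (limit file access to certain directories) both describe; it is not code from the thread or from the game. It assumes .NET Framework 4 CAS (the era of the thread; CAS no longer exists in .NET Core and later), a strong-named host assembly, and a hypothetical script contract of a public static entry point such as MissionScript.Run(); a script that calls File.Create or Directory.Delete outside the mission folder then fails with a SecurityException instead of touching the player's disk.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
// Lives inside the partially trusted domain; the host asks it to load and run the script there.
public class ScriptRunner : MarshalByRefObject
{
    // Loads the script by simple name (probed from the sandbox ApplicationBase); hypothetical entry point: static string Run().
    public string Run(string scriptAssemblyName, string typeName, string entryPoint)
    {
        MethodInfo target = Assembly.Load(scriptAssemblyName).GetType(typeName).GetMethod(entryPoint);
        try
        {
            return "ok: " + target.Invoke(null, null);
        }
        catch (TargetInvocationException ex)
        {
            // File.Create(@"c:\...") or Directory.Delete in the script ends here as a SecurityException, not on the player's disk.
            return "blocked: " + ex.InnerException.GetType().Name + ": " + ex.InnerException.Message;
        }
    }
}
public static class MissionScriptSandbox
{
    public static string Run(string missionDir, string scriptAssemblyName, string typeName, string entryPoint)
    {
        // Least privilege: start from an empty grant set and add only what a mission script needs.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, Path.GetFullPath(missionDir)));
        // Deliberately not granted: Write/Append, UnmanagedCode, WebPermission, SocketPermission, UIPermission.
        var setup = new AppDomainSetup { ApplicationBase = Path.GetFullPath(missionDir) };
        // Only the host assembly (assumed strong-named) is fully trusted inside the sandbox; scripts are not.
        StrongName host = typeof(ScriptRunner).Assembly.Evidence.GetHostEvidence<StrongName>();
        AppDomain sandbox = AppDomain.CreateDomain("MissionScriptSandbox", null, setup, grant, host);
        try
        {
            ObjectHandle handle = Activator.CreateInstanceFrom(sandbox, typeof(ScriptRunner).Assembly.ManifestModule.FullyQualifiedName, typeof(ScriptRunner).FullName);
            var runner = (ScriptRunner)handle.Unwrap();
            return runner.Run(scriptAssemblyName, typeName, entryPoint);
        }
        finally
        {
            AppDomain.Unload(sandbox); // tear the domain down even if the script misbehaves
        }
    }
}
```

The same grant set also answers the MP worry raised earlier in the thread: whether scripts run on the server or on a client, a host that loads them this way gives them nothing beyond execution and read access to the mission folder.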

Ralith
05-24-2011, 07:39 PM
Cliffs of Dover would hardly be the first game to require you to trust maps and mods you download, but despite this, sandboxing for the host doesn't seem entirely inappropriate, albeit certainly low-priority. You can stop going around declaring the sky to be falling, though, as there's no danger to people who aren't running unvetted content.

Ataros
05-24-2011, 08:04 PM
The script is on the server; it is not downloaded by the client and cannot damage anything on the client's side.

"A server script is not downloaded by a client and cannot damage anything at client side."
naryv, a member of the dev team: http://www.sukhoi.ru/forum/showthread.php?t=68629&p=1626549&viewfull=1#post1626549