Security or pattern manager for Skript #102
Description
Is your feature request related to a problem? Please describe.
For inexperienced server admins, a mysterious 'skripter' can send them a script that contains an op command that gives operator to the command executor and 'hacks' their server, from the perspective of the inexperienced server admin.
Obviously that is not hacking; it is only injecting malicious code into a script, possibly adding a million line breaks to hide it, or using an uncommon pattern of either EffOp or EffCommand, or even using an effect from an add-on.
Describe the solution you'd like
Add a security manager for EffOp and EffCommand that gives a warning by default if they are used to give operator status or to give the * permission, which has a special meaning in permission plugins that is the same as giving operator status.
Checking if a player is an operator in EffOp is not problematic. De-opping is also not problematic. The problem is in making someone an operator. It should give parse warnings by default. For EffCommand, it should warn if an op command is detected.
Obviously this should be configurable, but I think giving warnings by default for opping someone would be great. At least giving warnings if the parent line does not contain a condition will be helpful to inexperienced server admins.
The pattern manager is more of a long-term goal for Skript. With a pattern manager, we can turn specific patterns on or off. It is like features.sk from Mirreski's fork of Skript, but the features file never worked, so we removed it. It should disable the disabled patterns in scripts, aliases, configs and effect commands.
Also permitting the mysterious popular /op list command would be great for inexperienced server owners, since the op command makes the person named by the given argument an operator and does not have a list variant to list operators. Some people use these tricks to get operator status, and then say 'I'm a hacker and hacked your server ha ha'; it is not hacking, it is just tricking someone.
Describe alternatives you've considered
N/A
Additional information
N/A
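An added example, not part of the issue or of Skript's code: a stand-alone Python lint a server admin could run over a received script before installing it, implementing the warnings requested above (op effect, op command, `*` permission, whether the parent line is a condition, and how many blank lines precede the hit). The regular expressions are simplified approximations of the op and command effects, and the sample script and its command and permission names are constructed.

```python
import re
# Simplified approximations (assumptions), not the patterns Skript itself registers.
OP_EFFECT = re.compile(r'^op\s+\S', re.I)                       # e.g. op player
CMD_EFFECT = re.compile(r'\b(?:execute|command)\b[^"]*"([^"]*)"', re.I)
OP_COMMAND = re.compile(r'^\s*/?(?:minecraft:)?op\s+\S', re.I)  # "/op x" or "op x"
STAR_PERM = re.compile(r'(?<!\S)\*(?!\S)')                      # bare * argument
CONDITION = re.compile(r'^(?:else\s+)?if\s', re.I)

# Constructed sample script: one op command hidden behind 40 blank lines.
SAMPLE = (
    'command /heal:\n'
    '    trigger:\n'
    '        heal the player\n'
    + '\n' * 40 +
    '        execute console command "op %player%"\n'
    'command /promote <player>:\n'
    '    trigger:\n'
    '        if player has permission "admin.promote":\n'
    '            op arg-1\n'
    '        deop arg-1\n'
    '        make console execute command "/lp user %arg-1% permission set *"\n'
)

def scan(script):
    """Return findings as dicts: line, reason, guarded, blank_run."""
    findings, parents, blank_run = [], [], 0   # parents: stack of (indent, text)
    for number, raw in enumerate(script.splitlines(), start=1):
        body = raw.strip()
        if not body or body.startswith('#'):   # blank line or comment line
            blank_run += not body              # count only the blank ones
            continue
        indent = len(raw) - len(raw.lstrip(' \t'))
        while parents and parents[-1][0] >= indent:
            parents.pop()                      # keep only enclosing lines
        cmd = CMD_EFFECT.search(body)
        reason = None
        if OP_EFFECT.match(body):
            reason = 'op effect'
        elif cmd and OP_COMMAND.match(cmd.group(1)):
            reason = 'op command'
        elif cmd and STAR_PERM.search(cmd.group(1)):
            reason = '* permission'
        if reason:                             # guarded = parent line is an if
            guarded = bool(parents and CONDITION.match(parents[-1][1]))
            findings.append({'line': number, 'reason': reason,
                             'guarded': guarded, 'blank_run': blank_run})
        parents.append((indent, body))
        blank_run = 0
    return findings
```

A finding with `guarded` false or a large `blank_run` is the one to read first; de-opping and operator checks are deliberately not reported.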