This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Computercraft whitelist

Started by HDeffo, 13 March 2015 - 11:09 AM
HDeffo #1
Posted 13 March 2015 - 12:09 PM
So on the server I play on the owner does not understand ComputerCraft very much. We have been trying to convince him to remove the http whitelist (currently only set to pastebin.com and computercraft.info only) so far no luck convincing him there are no negative effects from having the whitelist off so I figured I would ask others who use the mod to prove to him there really aren't. If you know anyway that you can use free access to http for foul purposes please comment with as much a proof of concept as you can (staying within the "no malicious scripts") to prove you aren't just doing the normal "it sounds bad" type of thing I read a lot. Also if you have anyway I can prove or show him http usage on all sites is safe this would be very appreciated!
Lupus590 #2
Posted 13 March 2015 - 12:18 PM
what exactly is your server owner worried about? if it's malicious scripts then assure him that computercraft can only crash/slowdown itself (i.e. it can't affect minecraft) also show him the result of this lua code

print("in ~ten seconds I should crash")
-- busy loop that never yields: CC's per-computer watchdog terminates the
-- program, the in-game computer errors, and the Minecraft server carries on
while true do
	 --nil
end

the above code should demonstrate that CC can't make the server hang

if you can't get the whitelist removed then ask that the sites that you think you will use are added (github, turtlescripts, oneOS appstore, etc.)

this may be counter productive but you could also show that pastebin is not free of malicious scripts (it's an external site so CC has no control over its content)
Edited on 13 March 2015 - 11:18 AM
HDeffo #3
Posted 13 March 2015 - 01:09 PM
I assume he is worried because some places around the internet, on forums and such, state you can hack a server using http or download a virus, etc. As far as I know, and I'm nearly willing to say 100% certain (I definitely know it can't download a server based virus), these are all false, but as he doesn't know ComputerCraft he doesn't want to just take one player's word on it
MKlegoman357 #4
Posted 13 March 2015 - 02:04 PM
It's true that you can download an .exe file or a .jar virus to the computer, but after that, what's next? Nothing, ComputerCraft is not capable of running any kind of programs except Lua files, so even if you do manage to download a virus you would not be able to activate it in any form without access to actual server files. I don't see anything bad in letting Lua scripts access the net.
Edited on 13 March 2015 - 01:05 PM
HDeffo #5
Posted 13 March 2015 - 02:08 PM
It's true that you can download an .exe file or a .jar virus to the computer, but after that, what's next? Nothing, ComputerCraft is not capable of running any kind of programs except Lua files, so even if you do manage to download a virus you would not be able to activate it in any form without access to actual server files. I don't see anything bad in letting Lua scripts access the net.
That's what I meant, just worded poorly: it can be downloaded obviously, but there's no possible way to run it inside computercraft's sandboxed environment
HDeffo #6
Posted 22 March 2015 - 03:08 PM
As an update to see if anyone can help with this issue: the whitelist was removed 2 days ago, then yesterday one of the admins freaked out and re-enabled it. They are currently worried someone could use http to make the server DoS a website, which would leave the server owner responsible and he could risk a lawsuit. Supposedly they even got a security expert confirming this is very possible and dangerous. They aren't accepting "ComputerCraft isn't powerful enough to DoS", so anyone have any ideas to help me out on this? Someone with verifiable credentials on the subject would be really beneficial.
Anavrins #7
Posted 22 March 2015 - 03:47 PM
Any website that is big enough to throw a lawsuit at you would hopefully have their software updated to prevent simple DoS vulnerabilities.
As for DDoS, impossible, even if you have a 1000 in-game computers, all the requests are still coming from one machine.
Edited on 22 March 2015 - 02:49 PM
Lupus590 #8
Posted 22 March 2015 - 04:03 PM
Maybe they need a demo, make a program in CC which tries to do a DOS attack on a web server (any computer that is not the hosting MC server, preferably one you own [you can do this on a local network]). (This will be a malicious script and so will not be allowed on this forum.)
As we have already implied, the script will fail its design, demonstrating that CC can't DOS attack a server.
Edited on 22 March 2015 - 03:05 PM
HDeffo #9
Posted 22 March 2015 - 05:09 PM
I've offered to let them try and DoS my grandmother's 15 year old computer with no firewall just to prove there is no damage you can do with the limited requests a computer can do. Their counter is that you can send the request to another server which forwards the request to the target server X times, increasing the payload.
Lupus590 #10
Posted 22 March 2015 - 05:22 PM
if you can do that then you may as well do the attack without using CC, they are grasping at straws.
Lyqyd #11
Posted 22 March 2015 - 06:59 PM
The only real argument that should be necessary is that the default whitelist now is completely open. The only reason they have a more restricted whitelist is because they're using one of the very few versions of ComputerCraft that existed between the config moving to a whitelist setup and the whitelist being changed to * by default. If they were to use the latest version of CC with the default configuration that it generates, the whitelist would be completely open anyway.
HDeffo #12
Posted 24 March 2015 - 03:06 AM
And about doing research, I've been a Java developer / Support Employee for 5 years, at a smaller company for 3 years before, and I am also certified by OWASP.

I don't need to look at CC code to know that the simple fact that you can have this server sending an AJAX call is more than enough to launch attacks from the server. The responsibility for any bad things made through this hole would go to powerpin,

This includes using the http to access any content that has a license. (even github is edgy on that)

Here is currently the argument of my opposition.
Any help here guys :D this is the only person I need to dispute to get this config changed
Anavrins #13
Posted 24 March 2015 - 03:31 AM
What about leaving his server and going on one that is less paranoid?
HDeffo #14
Posted 24 March 2015 - 03:40 AM
I have a lot of friends on this server and I am currently staff as well. I would much prefer to convince them it's safe instead of leaving, however our coder staff isn't budging.
Lyqyd #15
Posted 24 March 2015 - 03:00 PM
Well, it's their server, so it's their call. I disagree that CC poses any realistic threat with a whitelist of *, of course. I think the suggestion to move servers is a good one. You've just got to decide whether the server being configured this way is unpleasant enough to leave and play elsewhere. You do at least have pastebin!
Lupus590 #16
Posted 24 March 2015 - 03:07 PM
One last suggestion, ask other server owners if they have had any problems with CC's HTTP API.

Other than that, I'm out of ideas.
Edited on 24 March 2015 - 02:07 PM