Multiplayer/privacy concerns
ashhhleyyy opened this issue ยท 3 comments
Firstly, thanks for the very cool mod ๐
The issue
Currently this mod directly downloads the image directly from the URL on a sign, which could lead to a player's IP address being leaked to other players when playing on a multiplayer server with the mod. A malicious player could create a sign such as the following:
!PS:https://my.evil.site/image.png
1:1:1:1:1.5
Which would download the image from my.evil.site and leak the player's IP to the owner when they get close enough.
Some solutions
This can be prevented by using an image proxying service such as DuckDuckGo's to download images with.
For example, there is a copy of my profile picture at https://ashisbored.github.io/assets/ash.png, and when fetched via DuckDuckGo's proxy, the URL becomes https://proxy.duckduckgo.com/iu/?u=https%3A%2F%2Fashisbored.github.io%2Fassets%2Fash.png.
This would prevent the above malicious site from seeing the player's IP, as the URL the request the client would be to proxy.duckduckgo.com rather than my.evil.site, which would only see a DuckDuckGo IP.
This proxying is common in other applications that display images from other sites directly to the user, such as Discord and GitHub.
I would also suggest adding a config option to use a custom proxy, as well as an option to disable downloading images when in multiplayer environments, combined with an allow/trustlist to only allow fetching images when on specific servers trusted by the player.
These are valid concerns. I might limit the image providers to just imgur and imgbb by default, as most other provider's URL's are too long to fit on the sign anyway.
I added a feature called safe mode in 1.2.0, that only allows images to be loaded from imgur and imgbb.
Thanks for helping to make the mod more secure :)
i think a better solution would have been to have a proxy config option of some kind. i don't like being limited with what image hosts i am allowed to use. if i used this mod for signs on my server, i would want to use images hosted from my own site.
or alternatively, maybe someone could make a server plugin that blocks players from writing signs that use sites that the server admin doesn't trust. but that's a whole other thing.
a think a proxy is a good middle ground tho. maybe a setting that makes the client add the DDG proxy to the url before fetching it or something.