Dedicated Security Module

Want something added? Ask for it here.
Post Reply
hl2guide
Jr. Member
Jr. Member
Posts: 71
Joined: August 31st, 2016, 3:17 am

Dedicated Security Module

Post by hl2guide »

Currently for sabnzbd we have two main settings for "locking down" the security footprint of the software:
  1. Unwanted extensions
  2. Cleanup List
e.g.

Code: Select all

bat, cmd, com, db, dll, doc, docm, docx, exe, gif, hta, htm, html, idx, inf, info, ini, jar, js, jse, lnk, md5, nfo, nzb, pdf, png, ps1, ps2, py, scf, scr, sfv, sfx, srr, sub, tmp, txt, url, vb, vbe, vbs
It works somewhat for blocking potential viruses, malware.

Please consider allowing us to instead set a strict hard limit on the types of files to whitelist (allow) and block everything else by default.

Maybe the best way would be to have basic grouping like:
  • Images: jpeg, jpg, gif, png, tiff etc..
  • Videos: mp4, mkv etc..
  • Music: flac, mp3 etc..
  • Documents: doc, txt etc..
Something like:

Image

I personally would only want to whitelist: mkv, mp4, and flac.

Keep up the great work O0
Puzzled
Full Member
Full Member
Posts: 160
Joined: September 2nd, 2017, 3:02 am

Re: Dedicated Security Module

Post by Puzzled »

Good idea. I see some issues with the implementation, though.
- The list would probably have to be a text string like the blacklist. It's hard to know everything every user wants to whitelist.
- How will the user know what to keep? There are probably hundreds of different image and video file extensions alone, and it's hard for the user to know what add if they are deleted automatically. The nzb will usually show the RAR files. There can be a debug log but it will mostly be filled with stuff that is supposed to be deleted.

If it's added as an advanced option then the user can be expected to figure this out themselves. It would be good if anyone has any ideas about how to make it easier, though.
hl2guide
Jr. Member
Jr. Member
Posts: 71
Joined: August 31st, 2016, 3:17 am

Re: Dedicated Security Module

Post by hl2guide »

Fair points.

Maybe simply a setting called "security_restrict_to_file_extensions_list"?

e.g value:

Code: Select all

flac, mp4, mkv
User avatar
jcfp
Release Testers
Release Testers
Posts: 986
Joined: February 7th, 2008, 12:45 pm

Re: Dedicated Security Module

Post by jcfp »

Puzzled wrote: February 12th, 2021, 7:51 amIf it's added as an advanced option then the user can be expected to figure this out themselves. It would be good if anyone has any ideas about how to make it easier, though.
Could make it a variation of the current unwanted extension feature. Basically, add a simple boolean option to make that list of extensions either a blacklist (current use; future default so existing setup keep working) or a whitelist (block unless the extension is on the list). The pause action allows the user to do a manual review and decide to allow an extension after all, should they care.
hl2guide
Jr. Member
Jr. Member
Posts: 71
Joined: August 31st, 2016, 3:17 am

Re: Dedicated Security Module

Post by hl2guide »

@jcfp: nice idea, seems elegant :D
User avatar
jcfp
Release Testers
Release Testers
Posts: 986
Joined: February 7th, 2008, 12:45 pm

Re: Dedicated Security Module

Post by jcfp »

The basics work, explanation texts still need a refresher though. Found an inconsistency in the current unwanted extension handling too, so I'm going to write some tests for that stuff before making a PR. Using Whitelist mode without a carefully curated list of extensions could be frustrating, but that's where the pause option comes in handy.
Image

Edit: PR is at https://github.com/sabnzbd/sabnzbd/pull/1798
hl2guide
Jr. Member
Jr. Member
Posts: 71
Joined: August 31st, 2016, 3:17 am

Re: Dedicated Security Module

Post by hl2guide »

Seems to be in the latest beta release.
Post Reply