Dedicated Security Module

Posted: February 12th, 2021, 1:12 am
by hl2guide
Currently for sabnzbd we have two main settings for "locking down" the security footprint of the software:
  1. Unwanted extensions
  2. Cleanup List
e.g.

bat, cmd, com, db, dll, doc, docm, docx, exe, gif, hta, htm, html, idx, inf, info, ini, jar, js, jse, lnk, md5, nfo, nzb, pdf, png, ps1, ps2, py, scf, scr, sfv, sfx, srr, sub, tmp, txt, url, vb, vbe, vbs
It works somewhat for blocking potential viruses and malware.

Please consider allowing us to instead set a strict hard limit on the types of files to whitelist (allow) and block everything else by default.

Maybe the best way would be to have basic grouping like:
  • Images: jpeg, jpg, gif, png, tiff etc..
  • Videos: mp4, mkv etc..
  • Music: flac, mp3 etc..
  • Documents: doc, txt etc..
Something like:

Image

I personally would only want to whitelist: mkv, mp4, and flac.

Keep up the great work O0

Re: Dedicated Security Module

Posted: February 12th, 2021, 7:51 am
by Puzzled
Good idea. I see some issues with the implementation, though.
- The list would probably have to be a text string like the blacklist. It's hard to know everything every user wants to whitelist.
- How will the user know what to keep? There are probably hundreds of different image and video file extensions alone, and it's hard for the user to know what to add if they are deleted automatically. The nzb will usually show the RAR files. There can be a debug log but it will mostly be filled with stuff that is supposed to be deleted.

If it's added as an advanced option then the user can be expected to figure this out themselves. It would be good if anyone has any ideas about how to make it easier, though.

Re: Dedicated Security Module

Posted: February 12th, 2021, 8:38 am
by hl2guide
Fair points.

Maybe simply a setting called "security_restrict_to_file_extensions_list"?

e.g. value:

flac, mp4, mkv

Re: Dedicated Security Module

Posted: February 13th, 2021, 4:35 am
by jcfp
Puzzled wrote: February 12th, 2021, 7:51 am
"If it's added as an advanced option then the user can be expected to figure this out themselves. It would be good if anyone has any ideas about how to make it easier, though."

Could make it a variation of the current unwanted extension feature. Basically, add a simple boolean option to make that list of extensions either a blacklist (current use; future default so existing setups keep working) or a whitelist (block unless the extension is on the list). The pause action allows the user to do a manual review and decide to allow an extension after all, should they care.
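
The single-list, two-mode check proposed in the post above, as an added sketch that is not part of the thread and not SABnzbd's own code. The function names, the sample file names, and the handling of extensionless files and trailing dots are assumptions made for illustration.

```python
# Added illustration; not SABnzbd code. Names and sample data are constructed.

# Extension list quoted in the first post, used here as the blacklist.
BLACKLIST = ("bat, cmd, com, db, dll, doc, docm, docx, exe, gif, hta, htm, html, "
             "idx, inf, info, ini, jar, js, jse, lnk, md5, nfo, nzb, pdf, png, ps1, "
             "ps2, py, scf, scr, sfv, sfx, srr, sub, tmp, txt, url, vb, vbe, vbs")
# Value suggested later in the thread for a whitelist.
WHITELIST = "flac, mp4, mkv"

# Constructed file names, as they might appear after unpacking a download.
SAMPLE = ["Show.S01E01.mkv", "album/track01.FLAC", "Show.S01E01.mkv.exe",
          "cover.jpg", "README", "codec_setup.scr.", "installer.msi"]


def parse_ext_list(raw):
    """Turn 'flac, mp4, .MKV' into {'flac', 'mp4', 'mkv'}."""
    return frozenset(e.strip().lstrip(".").lower()
                     for e in raw.split(",") if e.strip())


def file_ext(name):
    """Final extension, lowercased, without the dot; '' when there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(". ")  # Windows ignores trailing dots and spaces
    stem, dot, ext = base.rpartition(".")
    return ext.lower() if dot and stem else ""


def is_unwanted(name, ext_list, whitelist_mode):
    """Blacklist mode: flag listed extensions. Whitelist mode: flag the rest."""
    ext = file_ext(name)
    if whitelist_mode:
        return ext not in ext_list  # default deny, extensionless files included
    return ext in ext_list


def review(names, raw_list, whitelist_mode):
    """Files that would trigger the configured action (e.g. pause for review)."""
    exts = parse_ext_list(raw_list)
    return [n for n in names if is_unwanted(n, exts, whitelist_mode)]


if __name__ == "__main__":
    print("blacklist mode flags:", review(SAMPLE, BLACKLIST, False))
    print("whitelist mode flags:", review(SAMPLE, WHITELIST, True))
```

In blacklist mode `installer.msi` passes because `msi` is not on the list, while whitelist mode flags it along with `cover.jpg` and `README`, which is the case where the pause action and a manual review come in.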

Re: Dedicated Security Module

Posted: February 13th, 2021, 7:23 am
by hl2guide
@jcfp: nice idea, seems elegant :D

Re: Dedicated Security Module

Posted: February 13th, 2021, 1:37 pm
by jcfp
The basics work, explanation texts still need a refresher though. Found an inconsistency in the current unwanted extension handling too, so I'm going to write some tests for that stuff before making a PR. Using Whitelist mode without a carefully curated list of extensions could be frustrating, but that's where the pause option comes in handy.

Edit: PR is at https://github.com/sabnzbd/sabnzbd/pull/1798

Re: Dedicated Security Module

Posted: April 26th, 2021, 12:18 am
by hl2guide
Seems to be in the latest beta release.