Lack of interest Add "Whitlisting" for File health check, for self changed Files

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
Masetrix

Masetrix

Well-known member
A whitelist for entries in the file health check to avoid this:

1564213382915.webp

and so on.....

Reason:
I additionally compress the graphics on the server, as well as the graphics of Xenforo.
Then the "File health check" shows many "Falsepositves".

Also, I have to change the source code for many an addon which shows many "false positives" in the "File health check".
In principle, that's a good thing, but you do not recognize in the multitude of "false positives" anymore if an unwanted change to other checked files actually takes place.
A whitelist for yourself and wanted changed files could help here.
 
Upvote 3
This suggestion has been closed. Votes are no longer accepted.
Honestly, that would be a bad idea. Say you edit a file, and white list it. Now I as a hacker get access to your site. I see you have files whitelisted from the health check. I now know I can safely add my injection code into those files any you would be none the wiser.
 
ozzy47 said:
Honestly, that would be a bad idea. Say you edit a file, and white list it. Now I as a hacker get access to your site. I see you have files whitelisted from the health check. I now know I can safely add my injection code into those files any you would be none the wiser.
Click to expand...
The problem already exists when I have changed files and must ignore them in the FHC. Without whitelist or adaptation of new hashes, however, I do not see whether files have been changed that I have not changed, that's just not possible with hundreds of entries. With whitelisting I would notice such files but immediately as they appear in the FHC.
 
Exactly, that is why it is recommended not to edit files. ;)

Amyway, you can create your own hashes.json on for the addons after you make changes, then the changes won't trigger the health check.
xenforo.com

XF 2.0 - How do I create hashes.json for changes in an addon

I paid a developer to create an addon for me and I have made changes to within the addon itself so the hashes.json file is all wrong. So I was wondering if someone could spell out for me in very simple terms how can I create a hashes.json file for the addon that now has the changes in it. Please...
xenforo.com xenforo.com
 
ozzy47 said:
Now I as a hacker get access to your site. I see you have files whitelisted from the health check.
Click to expand...
Well, if an attacker can gain access to the system and modify files at will, he can also just modify hashes.json or modify the code to whitelist the modified files - that doesn't really add much protection :)

That said, I agree that a whitelist isn't a that great idea but I can also understand the desire to have such a feature.
It's pretty much the same for any kind of logs and why we have tools like logcheck and it's ignore rules.

As far as optimized resources are concerned:
This can be dealt with by using clever server configuration - store the optimized resources in another place (add a suffix, use another directory, etc.) and point the server there (via alias, try_files, rewrite, etc.).
This way you can easily serve optimized resources while not touching the original files.

Btw: Compressing Add-on icons (eg. images referenced from addon.json) is really unnecessary - those are being served inline as base64 in backend only; do you care for those being optimized?
If you really do, even that would be possible with by extending \XF\AddOn\AddOn::getIconUri().

The whole src directory is set as deny from all via .htacess, so with a default setup nothing can be served from there directly.
And if Add-ons are servering resources from there, they are IMHO badly coded and must be fixed - resources should go to js and styles.
Therfore, I personally would not bother with src at all.

Doing this would cut down the modified files from the screenshot significantly.

The modified files from the screenshot are extendable classes, so I'd just write extensions for them to add the required changes.
 
Last edited:
Instead of whitelisting it, possibly have the option to ignore it to not see the message again, but, retain a copy of the newly edited file. Then, if it's edited again, show a warning with the last modification date so that it can be looked at again and quite possibly, in the same way, templates are, compare versions?

This would be better than whitelisting in my opinion as you can easily revert back to the "old" (your edit) or even back to the original (what ships with XF).
 
IMHO, that doesn't sound too bad :)
Though "even back to the original" would be difficult, this would require to keep a pristine copy of the whole tree.
That would be huge amount of overhead and IMHO not worth it.
 
Kirby said:
The whole src directory is set as deny from all via .htacess, so with a default setup nothing can be served from there directly.
And if Add-ons are servering resources from there, they are IMHO badly coded and must e fixed - resources should go to js and styles.
Therfore, I personally would not bother with src at all.
Click to expand...
The images in src are the icons that are displayed in the admin add-on list. They should be there if they exist and are picked up during add-in installation via the addon.json file's "icon": "icon.png".

While I understand the idea behind a white list, it goes against the whole idea behind the file hash check. It's there to notify people if a file becomes corrupt or is somehow changed. Creating a white list would generally allow any changes to the files that are in the white list, thus opening a point of possible attack via those files or allowing those files to become corrupt and the site admin would never have any idea that happened.

As @Kirby said there are other, better methods to change file contents. So far as images go, I would be more inclined to create new images and use a template modification (not edit the stock template itself) to point to the new images.
 
Snog said:
The images in src are the icons that are displayed in the admin add-on list. They should be there if they exist and are picked up during add-in installation via the addon.json file's "icon": "icon.png".
Click to expand...
Of course. I implicitly talked about "production" resources only, eg. images/js/fonts/whatever that an Add-on would use by itself for normal operation.

Template modifications might also work, but depending on how an Add-on references a resource (hardcoded in a file?) it might be difficult.
 
Kirby said:
IMHO, that doesn't sound too bad :)
Though "even back to the original" would be difficult, this would require to keep a pristine copy of the whole tree.
That would be huge amount of overhead and IMHO not worth it.
Click to expand...
Could be kept on XF servers and compared (hashes first to reduce bandwidth*), as updates are now pushed that way anyway.
 
Kirby said:
Of course. I implicitly talked about "production" resources only, eg. images/js/fonts/whatever that an Add-on would use by itself for normal operation.

Template modifications might also work, but depending on how an Add-on references a resource (hardcoded in a file?) it might be difficult.
Click to expand...
Well, if an add-on is modified, for now the easiest thing to do would be to completely remove the hashes.json file from the add-on folder. Then nothing will be checked for that add-on. ;)

OR, remove the file that's been modified from the add-on's hashes.json file (untested).
 
frm said:
Could be kept on XF servers and compared (hashes first to reduce bandwidth*), as updates are now pushed that way anyway.
Click to expand...
What about (paid) Add-ons?
XF would have to set up an infrastructure to keep original hashes for RM Add-ons (with dozens of versions) and authors offering Add-ons on their own website would have to maintan the same infrastructure as well.
 
ozzy47 said:
Exactly, that is why it is recommended not to edit files
Click to expand...
Unfortunately, the editing of addons can not be avoided. There are add-on developers who do not patch their addons (anymore), or only very late. There is nothing left for me to do but modify myself. In some cases it is also easy to debugging an addon and find a mistake yourself as a contact to the developer.
 
Masetrix said:
Unfortunately, the editing of addons can not be avoided. There are add-on developers who do not patch their addons (anymore), or only very late. There is nothing left for me to do but modify myself. In some cases it is also easy to debugging an addon and find a mistake yourself as a contact to the developer.
Click to expand...

It's best in this case to just make your own version of the mod.
 
Masetrix said:
Unfortunately, the editing of addons can not be avoided. There are add-on developers who do not patch their addons (anymore), or only very late. There is nothing left for me to do but modify myself. In some cases it is also easy to debugging an addon and find a mistake yourself as a contact to the developer.
Click to expand...
Vekseid said:
It's best in this case to just make your own version of the mod.
Click to expand...

Which is why you edit the addons on a development site, then build the addon, and upgrade the addon on the live site with the new files.

Then you don't need to whitelist the files, and they will show up if anyone else changes them.
 
First of all, thanks for your answers.
Setting up an environment for software development exceeds the time I can spend on it. Then there would be synonymous nor the problem with the compressed graphics files what one has to rebuild each hash individually.
To save this time we have purchased a fee-based forum software. (...)

Maybe just a way to disable the feature could be integrated. Tripwire does a good job on our server and can do whitelisting.
 

Similar threads

asprin
  • Solved
XF 2.1 Refix file health check results for addon files?
Replies
3
Views
505
digitalpoint
digitalpoint
Mian Shahid
  • Solved
XF 2.1 File health check problem, all JS files showing Unexpected contents
Replies
13
Views
2K
Taminoful
Taminoful
mcatze
Fixed Changing phrase in admin template tools_file_check
Replies
2
Views
2K
XF Bug Bot
XF Bug Bot
Romchik®
  • Suggestion Suggestion
Lack of interest File Health Check - can we see the unnecessary files too?
Replies
5
Views
817
Paul B
P
Back
Top Bottom