Using Add-ons - Secure?
- Thread starter dosc
- Start date
Robbo
Well-known member
I could give you a list of developers I would trust but I'm not going to do it public.
With how XenForo is done you won't get any injection into the HTML unless a big mistake by the developer. However JavaScript needs additional, different, escaping done to it and I can see people missing that.
SQL injection looks unlikely.
With how XenForo is done you won't get any injection into the HTML unless a big mistake by the developer. However JavaScript needs additional, different, escaping done to it and I can see people missing that.
SQL injection looks unlikely.
The best way is to check the code of each addon you intend to install yourself. If you can't do it yourself, ask a coder to do it 4 u.
Sometimes there are small issues that can be solved easily with a few lines of codes. Sometimes addons simply should not be installed. Sometime addons are coded perfectly.
I agree with Robbo that this is highly dependent by whom it was coded. Some addon coders can be trusted blindly, because they know exactly what they are doing (Syndol for example), some coders can simply be disregarded. Most are learning and get better with each addon.
We do not install any addon at our live site which was not checked and tested and sometimes recoded by ourself.
Sometimes there are small issues that can be solved easily with a few lines of codes. Sometimes addons simply should not be installed. Sometime addons are coded perfectly.
I agree with Robbo that this is highly dependent by whom it was coded. Some addon coders can be trusted blindly, because they know exactly what they are doing (Syndol for example), some coders can simply be disregarded. Most are learning and get better with each addon.
We do not install any addon at our live site which was not checked and tested and sometimes recoded by ourself.
These points are totally valid, yet also concerning to me - especially being under the "are learning" category (and hopefully "get better" category).
Out of interest, do you guys contact authors who you feel are producing work that isn't up to scratch?
I'd much rather someone tap me on the shoulder and say "you know that add-on you've made is crap and full of holes" than blindly continue releasing work that isn't up to par.
Digital Doctor
Well-known member
Most addons are entirely safe.
Obviously addons that accept uploads and the like are riskier.
Let's not be fear mongering.
Obviously addons that accept uploads and the like are riskier.
Let's not be fear mongering.
Robbo
Well-known member
I have before posted about poor code and it got deleted because I didn't think of their feelings enough or some ****. Basic things which should never be done which make extending impossible. I'll put it this way, there are only like 5 peoples code I have seen here that has been by someone who knows OOP, MVC and basic code design.
If the bad developers weren't such arrogant little girls and/or the XenForo devs actually did something for devs then I would help more. I would have written multiple tutorials by now. I was even considering doing a review thing where I would review peoples add-ons (mainly in code) so they could improve and people would know if they were any good.
But the way it is right now. I have been trying to make a business out of XenForo add-ons and I am struggling to pay bills let alone eat. And no word in private or any other means from KAM on anything to help in any way of any sorts.
My views on XenForo staff. They code well, they innovate well, they have no idea how to handle a community and they have no interest in helping developers. No developer licenses, no warnings on releases, no early access to get add-ons ready before public release, template hooks system is terrible and they have even stopped adding new hooks, no indication at all on what is coming so we don't spend time making something that will be deprecated next release.
If I started on something and spent more than a week on it and they released something that made it useless I would most likely rage quit right there and move to some other software.
Hmm, well, personally I don't care about my feelings.
You have my written permission that if I do anything that isn't good you can say whatever you like about it publicly or otherwise
I'd rather know and learn and get better than cause more problems than I solve.
DarkSign
Active member
From my point of view, if the coder uses the XF MVC and don´t try to reinvent the wheel, then the add-on they code is as secure as XF itself.
For example, using the filters, validators, throwing exceptions from XF Exception classes... think XF first before any other solution. Go through the well-documented source code of XF. In my case, for example, when I was first learning, I wanted to do it right for the very first time I tried it. I wasn´t even planning on be a community developer, I was coding add-ons just for my friend´s forum, but still, I was observing the good principles, and I had a lot of help from other coders, and so I could shape my code at such way that I wouldn´t break the XF MVC and instead would take the advantage of the well-established system.
For instance, take for example the SQL Injection problem. If a coder uses its own SQL code, and native PHP calls to mysqli methods, THAT could be such a problem. But now if the coder looked carefully at other add-ons, and the XF itself, they will notice XF holds a reference for the DB class, that can be instantiated, and then they will use the SQL calls from that class.
In resume, if observed the good OO principles, and using XF MVC as correctly as you can, then the add-on itself will be as safe as XF itself.
For example, using the filters, validators, throwing exceptions from XF Exception classes... think XF first before any other solution. Go through the well-documented source code of XF. In my case, for example, when I was first learning, I wanted to do it right for the very first time I tried it. I wasn´t even planning on be a community developer, I was coding add-ons just for my friend´s forum, but still, I was observing the good principles, and I had a lot of help from other coders, and so I could shape my code at such way that I wouldn´t break the XF MVC and instead would take the advantage of the well-established system.
For instance, take for example the SQL Injection problem. If a coder uses its own SQL code, and native PHP calls to mysqli methods, THAT could be such a problem. But now if the coder looked carefully at other add-ons, and the XF itself, they will notice XF holds a reference for the DB class, that can be instantiated, and then they will use the SQL calls from that class.
In resume, if observed the good OO principles, and using XF MVC as correctly as you can, then the add-on itself will be as safe as XF itself.
Robbo
Well-known member
Err what? Just because you make something OO and use MVC (which this doesn't follow strict MVC anyway) doesn't mean your code is going to be secure... security is about knowing how to program on the web, knowing what to do. It has nothing to do with the style. You have basically described the main flaw in PHP. People think their code is secure.
You have to know how code gets exploited to be secure... using objects isn't anymore secure than useing procedural programming. And the main security issues, which I pointed out, will come because of the auto escaping XenForo does which will make people think their templates are fine but when in JS context they are required to do addiontal escaping.
You have to know how code gets exploited to be secure... using objects isn't anymore secure than useing procedural programming. And the main security issues, which I pointed out, will come because of the auto escaping XenForo does which will make people think their templates are fine but when in JS context they are required to do addiontal escaping.
DarkSign
Active member
Ermm... I know that using OO and MVC only doesn´t mean any security. That is just a way to do things like you said. I meant more like "use the right tool for the right job". So, if you are coding an add-on for XenForo, then use all XenForo has to offer. Use their style to do things, so that you can minimize your own flaws. In no way any code is 100% secure, that simply doesn´t exist 
And I was talking about only in the PHP level indeed. I agree about proper escaping with JS.
And I was talking about only in the PHP level indeed. I agree about proper escaping with JS.
Robbo
Well-known member
Generally if you look at the code of an add-on and it looks similar to XenForo code it can probably be trusted. There are a lot of terribly made add-ons here, I would say at least 70%. Simply because people have come from poor OO or procedural platforms and don't have a clue about code design.Ermm... I know that using OO and MVC only doesn´t mean any security. That is just a way to do things like you said. I meant more like "use the right tool for the right job". So, if you are coding an add-on for XenForo, then use all XenForo has to offer. Use their style to do things, so that you can minimize your own flaws. In no way any code is 100% secure, that simply doesn´t exist
And I was talking about only in the PHP level indeed. I agree about proper escaping with JS.
The mistake we see very often is that addon developers do not think about scalability at all.
Addons work well on their small test systems with 2 users and are released proudly.
If someone uses it at a live web site with more than some occasional users the forum breaks down completely.
Addons work well on their small test systems with 2 users and are released proudly.
If someone uses it at a live web site with more than some occasional users the forum breaks down completely.
Digital Doctor
Well-known member
Excellent point.
But .... does anyone know ANY examples where this was true ?
I think the Tags addon might qualify, but that seemed to have 1 query per tag, which was of course going to be an issue (predictable).
Any other addons with a scalability issue ?
I certainly think the Big Boards need to have their own list of scalable addons.
Digital Doctor
Well-known member
Good point. If your site is that big, you probably should pay for high performance.
Excellent point.
But .... does anyone know ANY examples where this was true ?
I think the Tags addon might qualify, but that seemed to have 1 query per tag, which was of course going to be an issue (predictable).
Any other addons with a scalability issue ?
I certainly think the Big Boards need to have their own list of scalable addons.
It is not the count of queries that matters that much. It is more the type of query that matters. If you do queries joining the whole user and the whole post table each time your addon is called you create a DoS at each installation with more than a couple of congruent users... Not only at big boards..
In fact most of the big boards have own coders to check and recode all installed addons. Most addons we have installed are recoded.
