ComputerCraft - how to regulate APIs


Baaleos

I am interested in turning on the HTTP capabilities of ComputerCraft on my server.
I can envision features such as being able to post in-game events to our community website, etc.,
or even back-and-forth communication: write a server application that responds to in-game posts, and returns conditionals which can trigger complex mechanisms.

OK, that being said:
My understanding is this - the http API allows POST and GET of web URLs.
Is this not a little risky on multiplayer servers?

Http.Get is essentially downloading a URL.
Let's give an example of http://mynakedNursery.com
(made-up name - but let's imagine it has inappropriate images on it that get the FEDs interested in you)

If players on a server had the ability to arbitrarily post / get from any URL, surely they could have your server effectively downloading kid porn, viruses, or anything else under the sun.


Is there a way to block certain URLs or MIME types that ComputerCraft can use in the HTTP POSTs/GETs?

E.g.: Make a request to an admin to whitelist a URL/domain.
Then the HTTP POST and GET will work.
Else - sorry: not allowed.

or

MIME type PHP / ASPX / ASP = OK
MIME type JPEG / MPEG / MP3 / AVI = Disallowed, etc.

lenscas

I don't think there is a real browser for CC (that being said, people also make "full-blown" operating systems for those things, so who knows), and thus it can't show websites like your normal browser and instead shows the plain HTML. Then there is also the fact that CC can't work nicely with images at all, and thus I doubt it can get one from the internet.
However, I never tried much with the API myself, so I might very well be wrong. My advice is to go into a single-player world with it enabled and play with it a bit yourself.
 

Baaleos

I am not specifically referring to making a browser.
But my current understanding of ComputerCraft is that players can write Lua scripts that can then be executed on the server they are playing on.
One of the things available to them is the http API -
When you browse to a website, this is registered with your ISP as an HTTP GET request; the website that you visit also sees the GET request.
So the http library in ComputerCraft can do a simple GET request to a website URL, and return the text from that URL (HTML source code - from my understanding).

If a malicious person on your server were to make a ComputerCraft computer with the http API - and told it to do an HTTP GET on http://phallic.shaped.cucumber.com
Your ISP, the website, and potentially any authorities that may care - would only have visibility that YOU visited that website, because Minecraft is acting like a proxy occluding the identity of the person/troll who made the request.
It does not matter if any meaningful content is returned to the troll - he could just do this as a means of getting people's servers shut down or banned.
E.g.: If you are hosted with a premium provider of Minecraft servers, and suddenly they see that you are doing GET requests to illegal websites - they are going to cover their asses by deleting your account.

I guess my concern here is that it would be nice to have the ComputerCraft http API enabled - but also moderate the content that is requested, to protect the server admin from potential illegal GET requests.
 

lenscas

I took a look at the config file for ComputerCraft and I found something that might help you:

# A semicolon limited list of wildcards for domains that can be accessed through the "http" API on Computers. Set this to "*" to access to the entire internet. Example: "*.pastebin.com;*.github.com;*.computercraft.info" will restrict access to just those 3 domains.
S:http_whitelist=*
 

Baaleos

Cool - I wasn't sure if it was possible to do with the current ComputerCraft - but I guess the hypothetical what-if scenarios above still apply for anyone who is considering doing a whitelist * in their config file.
 

Azzanine

That http function has historically been a tumultuous feature. I remember about a year ago people using it to make a crash script that continuously requested files from pastebin.
That led to servers outright disabling the feature.

Also, your issue can't really be resolved without disabling the feature completely by default and requiring an opt-in.
 

Baaleos

I've set a wildcard on it so http requests can be made to my own website, but no others - so I can build web services that are accessible from within the server.
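
An added example, not part of the thread and not ComputerCraft's own code: a small audit that checks which request URLs a given `http_whitelist` value would let through before the config goes live. It assumes the semicolon-separated wildcards are matched glob-style against the request's hostname; `mysite.example` and the sample URLs are constructed placeholders.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed config lines; mysite.example is a placeholder domain.
OPEN = "S:http_whitelist=*"                                  # the shipped default
LOOSE = "S:http_whitelist=*mysite.example"                   # missing dot after *
STRICT = "S:http_whitelist=mysite.example;*.mysite.example"  # bare domain + subdomains

# Constructed request URLs a player script might ask for.
SAMPLE_URLS = [
    "http://mysite.example/events",
    "http://api.mysite.example:8080/events",
    "http://notmysite.example/",             # different domain, same suffix
    "http://mysite.example.other.example/",  # allowed name used as a prefix
    "http://mysite.example@other.example/",  # allowed name in the userinfo part
]


def parse_whitelist(config_line):
    """Return the wildcard patterns from an 'S:http_whitelist=...' line."""
    _, _, value = config_line.partition("=")
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def is_allowed(url, patterns):
    """True when the URL's hostname matches at least one pattern.

    Assumption: glob-style matching on the parsed hostname only, so the
    port, path and userinfo never take part in the comparison.
    """
    host = (urlsplit(url).hostname or "").lower()
    return bool(host) and any(fnmatchcase(host, p) for p in patterns)


def audit(config_line, urls=SAMPLE_URLS):
    """List the URLs that the given config line would permit."""
    patterns = parse_whitelist(config_line)
    return [u for u in urls if is_allowed(u, patterns)]


if __name__ == "__main__":
    for line in (OPEN, LOOSE, STRICT):
        print(line)
        for url in audit(line):
            print("    allowed:", url)
```

Under these assumptions `*.mysite.example` on its own does not cover the bare `mysite.example`, which is why the strict line lists both entries.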