Allow Extension URLs to load unsandboxed

JeremyGamer13 · JeremyGamer13 · commit 2aca02e7c259 · 2024-10-26T21:54:45.000-06:00
This may sound like a really bad change to make, however I have some reasons as to why I believe this is perfectly fine:
1. Why is it fine to load text unsandboxed?
There's no difference between a URL extension loading unsandboxed and a text extension using eval to load all of it's code from another website.
2. Sharing &amp; updating convenience
If I made an extension and already had it hosting perfectly fine, I would rather share the link to that hosting than tell everyone to download it and keep coming back to the website incase there is an update. Again, malicious updates would still be possible if a file-loaded extension just used eval &amp; fetch to run all of it's code.
diff --git a/src/components/custom-procedures/custom-procedures.jsx b/src/components/custom-procedures/custom-procedures.jsx
@@ -4,7 +4,7 @@ import Modal from '../../containers/modal.jsx';
 import Box from '../box/box.jsx';
 import { defineMessages, injectIntl, intlShape, FormattedMessage } from 'react-intl';
 
-import plusIcon from './icon--plus.svg';
+import dropperIcon from './icon--dropper.svg';
 
 import booleanInputIcon from './icon--boolean-input.svg';
 import textInputIcon from './icon--text-input.svg';
@@ -153,7 +153,7 @@ const BlockColorSection = props => (
                     onChange={props.onBlockColorChange}
                 />
                 <img
-                    src={plusIcon}
+                    src={dropperIcon}
                     className={styles.customPlus}
                 />
             </div>
diff --git a/src/components/custom-procedures/icon--dropper.svg b/src/components/custom-procedures/icon--dropper.svg
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="20px" height="20px" viewBox="0 0 20 20" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="eye-dropper" fill="#FFFFFF">
+            <path d="M9.15334605,12.4824962 C9.03394044,12.6188737 8.88041895,12.7041096 8.60749186,12.7722983 C7.90811618,12.925723 7.24285639,13.5564688 7.03816107,14.2554033 C6.9699293,14.4770167 6.74817603,14.7156773 6.50936483,14.8350076 L4.73533871,15.6703196 C4.650049,15.704414 4.58181722,15.7214612 4.54770134,15.7214612 L4.27477424,15.4657534 C4.27477424,15.4487062 4.27477424,15.3805175 4.32594807,15.2611872 L5.1617873,13.4712329 C5.26413496,13.2496195 5.50294617,13.0280061 5.74175737,12.9598174 C6.44113305,12.738204 7.07227696,12.090411 7.25991433,11.2380518 C7.29403022,11.1016743 7.37931994,10.9652968 7.49872554,10.8289193 L11.4391105,6.90806697 L13.093731,8.56164384 L9.15334605,12.4824962 Z M16.6076673,5.28858447 C16.8635365,5.03287671 17,4.67488584 17,4.33394216 C17,3.99299848 16.8635365,3.65205479 16.6076673,3.39634703 C16.0788711,2.86788432 15.2430318,2.86788432 14.7142356,3.39634703 L13.2301945,4.87945205 L13.0596151,4.70898021 L12.5137609,4.16347032 C12.172602,3.82252664 11.6096899,3.82252664 11.268531,4.16347032 L10.6032712,4.81126332 C10.2791703,5.152207 10.2621124,5.64657534 10.5520974,5.98751903 L6.59465454,9.92541857 C6.30466951,10.2322679 6.09997418,10.5902588 5.98056858,11.1016743 C5.92939475,11.357382 5.63940971,11.6471842 5.36648262,11.7324201 C4.80357049,11.9028919 4.2577163,12.3802131 4.00184715,12.9427702 L3.16600792,14.7156773 C2.89308083,15.3123288 2.9613126,15.9260274 3.33658736,16.3181126 L3.67774623,16.6590563 C3.89949949,16.8806697 4.20654247,17 4.54770134,17 C4.7694546,17 5.02532375,16.9318113 5.26413496,16.8295282 L7.05521901,15.9942161 C7.61813114,15.7214612 8.09575356,15.1929985 8.26633299,14.6304414 C8.33456477,14.3576865 8.64160775,14.0678843 9.05099839,13.9826484 C9.4092152,13.8974125 9.76743201,13.6928463 10.057417,13.385997 L14.0148599,9.44809741 C14.3560188,9.73789954 14.8677571,9.70380518 15.1748001,9.37990868 L15.8400599,8.73211568 C16.1812187,8.39117199 16.1812187,7.82861492 15.8400599,7.48767123 L15.2600898,6.90806697 L15.1236262,6.7716895 L16.6076673,5.28858447 Z" id="eye-dropper-icon"></path>
+        </g>
+    </g>
+</svg>
diff --git a/src/components/custom-procedures/icon--plus.svg b/src/components/custom-procedures/icon--plus.svg
diff --git a/src/components/tw-custom-extension-modal/custom-extension-modal.jsx b/src/components/tw-custom-extension-modal/custom-extension-modal.jsx
@@ -181,17 +181,20 @@ const CustomExtensionModal = props => (
                             />
                         </p>
                     )}
-                    <p>
-                        <FormattedMessage
-                            // eslint-disable-next-line max-len
-                            defaultMessage="Your browser may not allow PenguinMod to access certain sites. If this is causing issues for you, try loading from a file or text instead."
-                            description="Message that appears in custom extension prompt"
-                            id="pm.customExtensionModal.corsProblem"
-                        />
-                    </p>
                 </React.Fragment>
             )}
 
+            {props.type === 'url' && (
+                <p>
+                    <FormattedMessage
+                        // eslint-disable-next-line max-len
+                        defaultMessage="Your browser may not allow PenguinMod to access certain sites. If this is causing issues for you, try loading from a file or text instead."
+                        description="Message that appears in custom extension prompt"
+                        id="pm.customExtensionModal.corsProblem"
+                    />
+                </p>
+            )}
+
             <label className={styles.checkboxContainer}>
                 <FancyCheckbox
                     className={styles.basicCheckbox}
diff --git a/src/containers/extension-library.jsx b/src/containers/extension-library.jsx
@@ -135,7 +135,7 @@ class ExtensionLibrary extends React.PureComponent {
         }
     }
 
-    handleItemSelect(item) {
+    async handleItemSelect(item) {
         // eslint-disable-next-line no-alert
         // if (item.incompatibleWithScratch && !confirm(this.props.intl.formatMessage(messages.incompatible))) {
         //     return;
@@ -158,8 +158,12 @@ class ExtensionLibrary extends React.PureComponent {
             return;
         }
         const url = (item.extensionURL ? item.extensionURL : extensionId);
-        if (item._unsandboxed && url.startsWith("data:")) {
-            manuallyTrustExtension(url);
+        if (item._unsandboxed) {
+            if (url.startsWith("data:")) {
+                manuallyTrustExtension(url);
+            } else {
+                await this.props.vm.securityManager.canLoadExtensionFromProject(url);
+            }
         }
         if (!item.disabled) {
             if (this.props.vm.extensionManager.isExtensionLoaded(extensionId)) {
diff --git a/src/containers/tw-custom-extension-modal.jsx b/src/containers/tw-custom-extension-modal.jsx
@@ -6,7 +6,7 @@ import log from '../lib/log';
 import localforage from 'localforage';
 import CustomExtensionModalComponent from '../components/tw-custom-extension-modal/custom-extension-modal.jsx';
 import {closeCustomExtensionModal} from '../reducers/modals';
-import {manuallyTrustExtension, isTrustedExtension} from './tw-security-manager.jsx';
+import {manuallyTrustExtension, isTrustedExtension, isTrustedExtensionOrigin} from './tw-security-manager.jsx';
 
 const generateRandomId = () => {
     const randomChars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
@@ -125,7 +125,7 @@ class CustomExtensionModal extends React.Component {
         this.handleClose();
         try {
             const url = await this.getExtensionURL();
-            if (this.state.type !== 'url' && this.state.unsandboxed) {
+            if (this.state.unsandboxed) {
                 manuallyTrustExtension(url);
             }
             if (this.props.swapId) {
@@ -220,12 +220,15 @@ class CustomExtensionModal extends React.Component {
     }
     isUnsandboxed () {
         if (this.state.type === 'url') {
-            return isTrustedExtension(this.state.url);
+            if (isTrustedExtensionOrigin(this.state.url)) return true;
         }
         return this.state.unsandboxed;
     }
     canChangeUnsandboxed () {
-        return this.state.type !== 'url';
+        if (this.state.type === "url" && isTrustedExtensionOrigin(this.state.url)) {
+            return false;
+        }
+        return true;
     }
     handleChangeUnsandboxed (e) {
         this.setState({
diff --git a/src/containers/tw-security-manager.jsx b/src/containers/tw-security-manager.jsx
@@ -16,11 +16,11 @@ const manuallyTrustExtension = url => {
 };
 
 /**
- * Trusted extensions are loaded automatically and without a sandbox.
+ * Trusted URL origins are allowed to load extensions without a sandbox automatically.
  * @param {string} url URL as a string.
  * @returns {boolean} True if the extension can is trusted
  */
-const isTrustedExtension = url => (
+const isTrustedExtensionOrigin = url => (
     // Always trust our official extension repostiory.
     url.startsWith('https://extensions.turbowarp.org/') ||
     url.startsWith('https://extensions.penguinmod.com/') ||
@@ -37,8 +37,14 @@ const isTrustedExtension = url => (
     url.startsWith('http://localhost:5173') || // Local Home or Extensions
     url.startsWith('http://localhost:5174') || // Local Home or Extensions
 
-    extensionsTrustedByUser.has(url)
+    false // ignore this, just makes copy & paste easier
 );
+/**
+ * Trusted extensions are loaded automatically and without a sandbox.
+ * @param {string} url URL as a string.
+ * @returns {boolean} True if the extension can is trusted
+ */
+const isTrustedExtension = url => (isTrustedExtensionOrigin(url) || extensionsTrustedByUser.has(url));
 
 /**
  * Set of fetch resource origins that were manually trusted by the user.
@@ -284,8 +290,10 @@ class TWSecurityManagerComponent extends React.Component {
             return true;
         }
         const { showModal } = await this.acquireModalLock();
-        // for backwards compatibility, allow urls to be unsandboxed
-        // if (url.startsWith('data:')) {
+
+        // we allow all urls to be unsandboxed.
+        // its very likely that people would load any file unsandboxed anyways, theres no safety in blocking it for urls only.
+        // when a file is unsandboxed it can request any website anyways, so its not like its preventing remote updates either.
         const allowed = await showModal(SecurityModals.LoadExtension, {
             url,
             unsandboxed: true,
@@ -304,11 +312,6 @@ class TWSecurityManagerComponent extends React.Component {
             };
         }
         return allowed;
-        // }
-        // return showModal(SecurityModals.LoadExtension, {
-        //     url,
-        //     unsandboxed: false
-        // });
     }
 
     /**
@@ -502,5 +505,6 @@ const ConnectedSecurityManagerComponent = connect(
 export {
     ConnectedSecurityManagerComponent as default,
     manuallyTrustExtension,
-    isTrustedExtension
+    isTrustedExtension,
+    isTrustedExtensionOrigin
 };

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ class ExtensionLibrary extends React.PureComponent {`
`135`	`135`	`}`
`136`	`136`	`}`
`137`	`137`
`138`		`- handleItemSelect(item) {`
	`138`	`+ async handleItemSelect(item) {`
`139`	`139`	`// eslint-disable-next-line no-alert`
`140`	`140`	`// if (item.incompatibleWithScratch && !confirm(this.props.intl.formatMessage(messages.incompatible))) {`
`141`	`141`	`// return;`
`@@ -158,8 +158,12 @@ class ExtensionLibrary extends React.PureComponent {`
`158`	`158`	`return;`
`159`	`159`	`}`
`160`	`160`	`const url = (item.extensionURL ? item.extensionURL : extensionId);`
`161`		`- if (item._unsandboxed && url.startsWith("data:")) {`
`162`		`- manuallyTrustExtension(url);`
	`161`	`+ if (item._unsandboxed) {`
	`162`	`+ if (url.startsWith("data:")) {`
	`163`	`+ manuallyTrustExtension(url);`
	`164`	`+ } else {`
	`165`	`+ await this.props.vm.securityManager.canLoadExtensionFromProject(url);`
	`166`	`+ }`
`163`	`167`	`}`
`164`	`168`	`if (!item.disabled) {`
`165`	`169`	`if (this.props.vm.extensionManager.isExtensionLoaded(extensionId)) {`