Mod Auditing Process
This is the process mod auditors follow when reviewing a new addition to the manifest.
Who Can Audit?
Anyone! The people auditing mods are volunteers, and all help is appreciated.
Pull Requests
- Submissions are pull requests on this repository that add a new mod or mod version
- Reviewers must download the linked artifact and perform a binary inspection
- At least one (preferably more) approval from a reviewer is mandatory before merging
- Mod authors cannot approve their own mods
Guidelines
Submissions must follow all guidelines.
Binary Inspection
The mod binary must be inspected in a decompiler for malicious code and other disallowed behavior.
Hash
Ensure the provided SHA256 matches the artifact.
Obfuscation
Ensure that the mod is not using any form of obfuscation.
Network usage
Network usage should be examined closely. Examine worst-case scenarios assuming servers are untrustworthy. Make sure remote users can’t force the mod user to hit arbitrary endpoints.
Relevant imports:
- System.Net
Filesystem usage
Ensure the mod isn’t reading or writing to files it shouldn’t. Watch out for path traversal vulnerabilities. Make sure remote users can’t force the mod user to read/write arbitrary files. Make sure the mod isn’t downloading executable code, including LogiX and/or components (from a non-neosdb source).
Relevant imports:
- System.IO
Process usage
Examine process invocation extremely closely. Why is this needed? Can it be abused to invoke arbitrary processes? Can remote users trigger this behavior?
Relevant imports:
- System.Diagnostics.Process
Dynamic code execution
Ensure the mod can’t execute arbitrary code, especially remotely. Ensure reflection can’t be abused to leak sensitive internal Neos state, such as the Neos authorization token.
Relevant imports:
- System.Reflection
- System.Runtime.CompilerServices
Denial of Service
While not a strict auditing requirement, keep an eye open for expensive operations a remote user could trigger. Vanilla Neos has plenty of ways to perform DoS attacks already, but if a mod is particularly easy to DoS it’s worth mentioning.
Performance
While not a strict auditing requirement, consider pointing out inefficiencies to the mod author.
Third Party Libraries
Well-known and widely-used third-party libraries can be assumed to be trustworthy and do not need auditing.
Poorly-known third-party libraries from unknown authors need auditing.
If You Are Uncertain
If you see something in a mod you’re uncertain about, please don’t hesitate to ask for a second opinion. Don’t approve a submission unless you’re 100% certain it’s safe.