Question about JSON Requests

Discussion in 'BukkitDev Information and Feedback' started by mrCookieSlime, Jan 15, 2017.

Thread Status:
Not open for further replies.
  1. Offline

    mrCookieSlime Retired Staff

    Good day,

    we haven't met for a while now.
    So, I recently had an idea I wanted to incorporate in some of my plugins but I am concerned whether this feature would comply with the BukkitDev Submission guidelines.

    If I remember correctly, staff always rejected any Plugin that communicates to websites via HttpConnection except for Curse-powered sites itself.

    I would like to get a staff member's opinion on whether retrieving information from GitHub's JSON API would comply with the guidelines.
    Since I retired from Plugin Development, I made most of my plugins Open-Source on GitHub.
    And I would like to properly credit everybody who contributed to the source of these Plugins.
    (Adding onto the plugin.yml is too annoying and it gets too long at some point)
    GitHub has this very neat way of giving you repository data like this:
    https://api.github.com/repos/TheBusyBiscuit/Slimefun4/contributors

    So I am asking whether this is fine with the guidelines, it does download a file from a non-curse site and therefore cannot be checked by curse, that is true.
    But the file content is computer-generated by one of the most well-known source platforms on the internet and the authors themselves have no influence on what data is sent anyway...

    Offtopic:
    I retired in August 2016. Can a member of staff please change my rank to "Retired Staff" now? XD
     
  2. Offline

    timtower Ninja on the waves Moderator

    @mrCookieSlime They do allow such requests, I believe it was more related to downloads (especially jars)
    And that json can be parsed without creating a new file.

    And notified the other staff about this ;) They can probably give a better answer.
     
    mrCookieSlime likes this.
  3. Offline

    Tecno_Wizard

    @mrCookieSlime, you're not alone on this. I've been wanting to make a remote update check to github pages instead of using the pretty limited Curse API. Now, obviously the download would be pointing to the Curse site, but it would be great if I could host some JSON strings with changelogs instead of just printing "An update is available". I'd love to be able to print "An update is available at [JSON link to curse]. /plugin update for a full changelog" or "A critical-bug fixing update is available at..."
     
  4. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı Retired Staff

    To answer how past-staff would have:

    Grabbing a contributors list off-site would have been fine. Our "gotta talk to BukkitDev" external connection requirement is for avoiding plugins that pull an update string from off-site. For example, in @Tecno_Wizard 's idea he could replace put on his updating info site "An update is available at http://sketchy.site/malware.jar" and that message would be displayed to admins who could then end up with malware on their server. We wouldn't allow anything related to updates to come from anywhere but BukkitDev.

    Of course, this is up to Curse at this point but I wanted to shed some light on the reasoning for the rules as written. :)
     
    timtower and mrCookieSlime like this.
  5. Offline

    ZeldoKavira Administrator Curse

    This would be fine, we don't have any issues as long as you're not sending off server info or downloading jars, executables, ect.
     
    bwfcwalshy and mrCookieSlime like this.
  6. Offline

    mrCookieSlime Retired Staff

    Yes but I intentially said "downloading" here since GitHub's API may be unreachable at some point, uptime is not guaranteed, so I would love to cache the data on the server's disk for these events.

    Thank you for shining some light on this, this is very good news.
    And no I do not intend to send data or download any complex files, literally just going to pull a .json file and that's it.
     
    timtower likes this.
  7. Offline

    Tecno_Wizard

    @mbaxter, you misinterpreted a little bit. The download link would be static, pointing to the BukkitDev site. That link would not be pulled off GH pages, but built into the plugin itself. I'd just be fetching something resembling this, however, I understand that there is still risk in this, and I understand if it isn't allowed.

    Code:
    {
      "0": {
        "version_string": "1.0.1",
        "is_critical": false,
        "change_log": "* Fixed bugs"
      },
      "1": {
        "version_string": "1.1",
        "is_critical": true,
        "change_log": "* Fixed a bug that could corrupt player files"
      }
    }
    
     
    Last edited: Jan 16, 2017
  8. Offline

    mrCookieSlime Retired Staff

    I can think of multiple reasons why pulling strings from the web can be malicious.

    "VISIT MY SERVER XYZ"
    "CLICK THIS SHORTENED LINK (link)"
    "DOWNLOAD TOTALLY UNSUSPICIOUS FILE HERE (link)"
    "VOTE TRUMP"

    Messages from other sources than the source code are always a potential threat. Curse has no way to check what you put inside these messages.
     
  9. Offline

    Tecno_Wizard

  10. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı Retired Staff

    @Tecno_Wizard

    A potential solution that allows you to fetch to determine info without risking malicious messages: Have a series of pre-built descriptions. Major bug fix, security fix, minor bug fix, feature update, etc. Then, pull info that simply tells your plugin to display one or more of those messages.
     
  11. Offline

    Tecno_Wizard

    @mbaxter, okay, I'm amazed I didn't think of that!
     
Thread Status:
Not open for further replies.

Share This Page