Skip to content

fix: add security layer to pluginApi #165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: v0.0.x
Choose a base branch
from
Open

fix: add security layer to pluginApi #165

wants to merge 18 commits into from
+20,639 −20,269

Conversation

@GuiLeme
Copy link
Collaborator

@GuiLeme GuiLeme commented Apr 9, 2025
edited
Loading

What does this PR do?

This PR secures access to the pluginApi, ensuring that only the plugin itself can interact with it. It introduces a new pluginApiConstructor function, which is executed on the html5-client side and receives the pluginApi as a parameter—without exposing it via the global window object.

Before loading the plugin script, the html5-client checks if a function has already been injected into the window to hijack the pluginApi. If so, the script is blocked from loading. Otherwise, the plugin itself defines the function to access its API.

Motivation

Prevent unwanted behaviours from user.

More

Closely related to the PR from the CORE: bigbluebutton/bigbluebutton#22930

@GuiLeme GuiLeme force-pushed the security-check branch 2 times, most recently from efec135 to 78dbfa5 Compare April 9, 2025 22:37
@GuiLeme GuiLeme mentioned this pull request Apr 10, 2025
Draft
@github-actions
Copy link

github-actions bot commented Apr 28, 2025

This pull request has conflicts ☹
Please resolve those so we can review the pull request.
Thanks.

@Arthurk12 Arthurk12 self-requested a review May 5, 2025 15:28
Arthurk12
Arthurk12 suggested changes May 6, 2025
View reviewed changes
Copy link
Member

@Arthurk12 Arthurk12 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks good regarding the feature itself. I tried hijacking the plugin constructor through the window object but couldn’t access the pluginApi function via the window, which is a good sign.

One suggestion I have concerns the security check in plugin constructors. Currently, this check depends on the plugin developer calling BbbPluginSdk.pluginApiSecurityCheck(uuid) in the correct place. So suggest encapsulating the common setup logic (including the security check) in a helper function—let’s say setupPlugin—provided by BbbPluginSdk. This would:

  • Ensure the security check is always performed correctly.
  • Reduce duplication and verbosity in plugin implementations.
  • Provide a centralized place in the SDK to add future checks or logic without needing to update individual plugins.

With this approach, plugin code would look like:

BbbPluginSdk.setupPlugin((pluginApi: PluginApi, pluginUuid: string, pluginElement: HTMLElement) => {
  const root = ReactDOM.createRoot(pluginElement);
  root.render(
    <SampleUserListItemAdditionalInformationPlugin
      pluginUuid={pluginUuid}
      pluginApi={pluginApi}
    />
  );
});

@github-actions
Copy link

github-actions bot commented May 14, 2025

This pull request has conflicts ☹
Please resolve those so we can review the pull request.
Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Arthurk12 Arthurk12 Arthurk12 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

status: conflict

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@GuiLeme @Arthurk12 @antobinary @TiagoJacobs