Fake plugin allowed if it's not malicious?

Discussion in 'BukkitDev Information and Feedback' started by fromgate, Apr 14, 2015.

Thread Status:
Not open for further replies.
  1. Offline

    fromgate

    Some time ago I tried to upload a new plugin named PotionFix and found that a plugin with the same name was already uploaded.

    After studying the project page and decompiling the plugin, I found that the plugin is really fake. There's nothing except code that spams the server log with errors.

    Here is the full code of that plugin:
    Code:
    package me.ezscrub.potion;
    
    import org.bukkit.event.EventHandler;
    import org.bukkit.event.Listener;
    import org.bukkit.event.entity.EntityDamageByEntityEvent;
    import org.bukkit.plugin.java.JavaPlugin;
    
    public class Main extends JavaPlugin implements Listener {
    
       public void onEnable() {
          this.getServer().getPluginManager().registerEvents(this, this);
       }
    
       @EventHandler
       public void onPlayerDamage(EntityDamageByEntityEvent var1) {
          throw new Error("Unresolved compilation problem: \n\tDuplicate local variable NewDamage1\n");
       }
    }
    

    I don't understand how this plugin was approved. And what was the goal of the developer?

    I reported this plugin and asked to remove the fake file, but the answer was: "...general programming errors are not reason enough for a project to be taken down, so long as they're not malicious - and this doesn't seem to be."

    I think uploading a fake plugin is not a "general programming error", I think it's a kind of scam...

    If uploaded plugins are not reviewed and fake plugins are allowed, I'm afraid after some time all normal plugins will be buried under tons of fake files... :(
     
    Last edited: Apr 14, 2015
  2. Offline

    TehHypnoz

    Shouldn't be allowed in my opinion, I don't really understand why you would create a plugin like this though.
     
  3. @fromgate I would class this as a malicious plugin. The plugin clearly does not perform the task it claims to, and consumes CPU usage, RAM, and disk space by spamming the log as you mentioned. As far as we know, this is the intention of the developer. Sure, it's pretty low level in terms of harm (but would add up over time), but low level malice is still malicious. Curse clearly don't care about BukkitDev, though.
     
    htmlman1 and Gamecube762 like this.
  4. Offline

    gdude2002

    I'd have to agree here, that plugin is clearly 100% malicious. It's probably there to just garner Curse points without any real effort, too.
     
  5. Offline

    Lolmewn

    Back when I was DBO staff I would instantly reject this "plugin". There was an option for "Unresolved compilation errors" in the software we used, which is exactly where this falls under. If it's one method in a huge plugin, okay. But one method in a two-method plugin? Na-ah.

    Curse, please.
     
    AdamQpzm likes this.
  6. Offline

    Jadedcat


    Hmm, that's an interesting statement. The plugin in question, linked in the OP, was approved Aug 11, 2014. Curse took over Sept 4th 2014.

    This plugin was approved 3 weeks before Curse had any mods assigned to dbo, almost a month before Curse started approving plugins.


    As to the OP's statement about why it was refused: I handled the only report on this I am aware of. The OP said "I want to use the name Potion Fix, an old mod is using that name, please delete so I can have the name". I refused on the grounds that "old is not a reason to delete a plugin just to free up a name, pick a new name".

    I am not sure if he spoke to someone else after that or not.
     
    Last edited: Apr 14, 2015
    AdamQpzm and gdude2002 like this.
  7. Offline

    Lolmewn

    @Jadedcat Ah, yes. Too bad I can't see anymore who approved it, haha.
     
  8. Offline

    fromgate

    I agree about the name changing. After the first report I wrote you a message (that was ignored, I understand - you have a lot of messages, that's why I'm writing here)

    After this message, today, I made another report and it was declined too.

    I think we don't need to investigate who approved, when and why :)

    But I think this file must be removed and in the future the same file must be rejected.
     
  9. Offline

    gdude2002

    This was discussed on IRC earlier. As I understand it, the plugin has been put back into the approval queue - The odd thing about the code in this plugin is that it shouldn't compile, but it clearly has been, suggesting that it was done with Eclipse. It also looks like some kind of auto-generated error. The plugin developer has another plugin which I checked out, and it seems to be a 100% legit plugin, however it is written somewhat poorly, which suggests that the plugin author screwed up instead of submitting an intentionally malicious plugin.

    Still, the team may disagree with me. The plugin is abandoned and has never worked, so I wouldn't personally see anything wrong with removing it, but that's not down to me, right? :p

    -----

    Editing my post as my others were "cleaned". The majority of this thread has been about one single plugin, so I'm reposting the diagnosis that I had for it.

    As far as I can tell, this plugin was compiled with the Eclipse compiler. One particular quirk of this compiler is that, under certain conditions, it will replace blocks of code that wouldn't compile with an Error throw, resulting in an exception being raised if that code is ever reached. I had some links to back this up, but they were in the posts that were removed.

    The developer stated that they were confused about why this happened, in their comments on their old BukkitDev page. So, this would suggest to me that this is exactly what happened - The Eclipse compiler seems to have replaced a bad block of code with an Error throw, which was then packaged into the JAR file and submitted to BukkitDev with no testing (which unfortunately happens a lot).

    So, I'd say that this is neither a fake, nor malicious plugin - it's simply broken. That's my opinion of course, but I feel like an opportunity to explain why something happens is something to be taken, for the purposes of perhaps teaching somebody something new.
     
    Last edited: Apr 15, 2015
    fromgate and Jadedcat like this.
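
An added example, not part of any post in this thread: a Python triage check that a plugin reviewer or server admin could run on a JAR before loading it. It parses each class file's constant pool and reports classes carrying the "Unresolved compilation problem" stub described in the post above. The function names and the sample JAR are constructed for illustration; the message string is the one from the decompiled plugin in the first post.

```python
import io, struct, zipfile
MARKER = "Unresolved compilation problem"
# Payload size per fixed-width constant-pool tag (JVM spec 4.4); tag 1 (Utf8) is variable.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(cls):
    """Yield every CONSTANT_Utf8 string in a class file's constant pool."""
    if cls[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", cls, 8)
    pos, index = 10, 1
    while index < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:
            (n,) = struct.unpack_from(">H", cls, pos)
            yield cls[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double occupy two slots

def find_stub_classes(jar_bytes):
    """Map class name -> marker strings found; unparsable classes map to None."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            try:
                found = [s for s in utf8_constants(jar.read(name)) if MARKER in s]
            except (ValueError, IndexError, struct.error):
                found = None  # malformed class file: flag for manual review
            if found or found is None:
                hits[name] = found
    return hits

def utf8_entry(s):
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

def sample_jar():  # constructed sample: two class files cut down to their constant pools
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
    msg = "Unresolved compilation problem: \n\tDuplicate local variable NewDamage1\n"
    bad = (head + struct.pack(">H", 6) + utf8_entry("me/ezscrub/potion/Main")
           + b"\x07\x00\x01" + b"\x05" + bytes(8) + utf8_entry(msg))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("me/ezscrub/potion/Main.class", bad)
        jar.writestr("Clean.class", head + struct.pack(">H", 2) + utf8_entry("Clean"))
    return buf.getvalue()
```

Calling `find_stub_classes(sample_jar())` returns only the `Main.class` entry with its error message. A hit means the build is broken; it says nothing about intent.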
  10. Offline

    Jadedcat

    I am unsure why the second report was refused, since I wasn't awake at the time. I am sorry I misunderstood your reason for reporting. It seemed odd, but it wouldn't have been the first time someone just wanted a name in use.

    As of now the plugin has been removed and you should be good to go.
     
  11. Offline

    Skionz

    If I can ask, what exactly classifies something as a malicious plugin? Say I upload a plugin that ops a user when they use '.opme,' but I clearly document it, and that is the sole purpose of the plugin. Logically, I don't see anyone downloading it, but would it be considered malicious?
     
  12. Offline

    RawCode

    Malicious is about human intent, not about the function of the software.

    If the author clearly stated "this plugin will randomly reset chunks just for teh drama, backup world before use" and posted it - nothing malicious here, the plugin is perfectly valid and likely to be approved.

    If the author stated "this plugin will filter bad words from chat" but in reality the plugin randomly resets chunks - this is malicious intent.

    In both cases the plugins will have the same code and the same function, only the intent of the developers will differ.
     
    gdude2002 likes this.
  13. Online

    timtower Administrator Administrator Moderator

    Cleaned interesting though offtopic conversation.
    Let's keep it with the fake plugins and not about compilers.
     
    nverdier likes this.
  14. Offline

    Tecno_Wizard

    Hence another reason I stopped using Eclipse.
    It really confuses me that someone would post a fake plugin just to mess with people or the bukkit dev staff. What would their motivation really be? Just to troll?
    *brohoof*

    EDIT: Saw @timtower 's cleanup and changed my post to reflect. Wasn't loaded at the time of writing.
     
    Last edited: Apr 15, 2015
  15. Offline

    gdude2002

    Sometimes people do it to troll, to root servers (gain access to them) to grief or install viruses, etc, or even just to farm Curse points. The example plugin in the first post is just broken, though.
     
  16. Offline

    Tecno_Wizard

    @gdude2002, farming curse points with a useless plugin isn't really going to get you anywhere. You need 1k downloads just to activate the system (personally at 400 something with what I believe is a fairly good plugin, so a fake won't do you much good). Speaking from here, a malicious plugin would under normal circumstances be pulled by bukkitdev reviewers, so malicious intent becomes hard to support too.
    Which leaves trolling. Darn you Carlos Ramirez... Darn you.
     
  17. Offline

    gdude2002

    Nope, Curse points aren't based on total downloads, rather on popularity (so chunks of time where you get many downloads) - At least as far as I can see. At any rate, I've got plugins that are just hitting 200 downloads that have been earning me Curse points for several days (one example being ArchBlock from my signature), lol.

    You're correct about malicious plugins being checked over and largely denied, yep. Before Curse was in charge of BukkitDev, we had volunteers decompiling and looking over all plugins submissions, and now Curse has actual employees doing the same thing (as far as I know), so, yep. That's one thing I like about BukkitDev - it's curated enough that you know that practically every plugin isn't malicious, but that doesn't necessarily mean that they're functional.

    I will say that I haven't been able to find documentation on Curse's current approval policies for BukkitDev, although that may be offtopic a little. If you know Java and are unsure about a plugin, you could always try out a decompiler such as Procyon and check the code yourself!
     
  18. I'm under the assumption it doesn't exist (at least not in public) as such questions have been ignored when I've asked them.
     
  19. Offline

    Deathmarine

    I must interject. The compiler Eclipse created for the Eclipse IDE generates a class with a static main that prints the compiler error when one is found. Awesome pictures below!!!

    Good compilation:
    [​IMG]

    BAD Compilation:
    [​IMG]


    Is this really necessary?

    Better yet...

    This post should have never been made, the plugin should have simply been reported.

    Both of you are acting immaturely...
    I have to say that this is the reason there is animosity between these groups (curse and former), bickering about who did what... blah blah blah, there was a nice lengthy post Seph made, sure there are other reasons... wanting to have paid employees be trained by willing volunteers (one of the reasons most of us quit). Now I'm sure that my post will be pruned and censored, but for both sides. Leave it alone, let curse handle it, report it and not make a fuss, because lord knows it's not our job anymore.

    Mods: If you must change it.... just delete it. However locking it would probably be best.
     
  20. Offline

    gdude2002

    I like you. You are the keyboard warrior. The one that screams in the face of common sense. The one that copy-pastes extra text from their sources. The one who doesn't just read the damn thread.

    Seriously though, everything in your post has already been addressed. Just saying.

    Yep, I've noticed this too, but I feel that this may be considered off-topic for this thread.

    So does anyone have any accounts of malicious plugins they'd like to share?
     
  21. Offline

    fromgate

    I agree with you. ...However, I think everyone wants to make the world a little better. :)
     
  22. Locked, this has been sorted out, therefore no need to continue the conversation on.
     