Package: plowshare4
Version: 1.0.5-1
Severity: grave
Tags: security
 
(Rationale for severity grave: introduces a security hole
allowing access to the accounts of users who use the package.)

plowshare4 is a command-line tool for downloading files from
cyberlocker-type sites. For some sites, this requires evaluating
snippets of javascript code; to this end the plowshare4 package
depends on rhino, a JVM-based javascript implementation.
 
According to the rhino documentation, the rhino command-line tool is
capable of loading arbitrary java classes, accessing the filesystem
and executing shell commands
(see https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Shell ).
 
This has obvious security implications: if the individual plowshare4
download modules are not carefully implemented, a malicious download
site could emit javascript code which causes arbitrary commands to be
run on the user's system. Where the javascript is downloaded via http
rather than https, a malicious third party (man-in-the-middle) could do
the same.
 
In order to prevent this, the javascript interpreter should be invoked
in such a way that the code is evaluated in a sandbox, i.e. loading
arbitrary java classes, accessing the filesystem and executing shell
commands are not possible. There does seem to be some support for this
in rhino, judging by the documentation
(see https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Overview#Security ).
 
Moreover, the javascript code snippets should be filtered to check for
malicious code before being passed to the javascript interpreter;
ideally, any code that doesn't match a specific, known-good pattern
should be rejected.
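As an added illustration of the filtering step just described (this is example code, not code from plowshare4 or from this report), the function below gates a javascript snippet before it would reach the rhino shell. It accepts a snippet only if every character is in a small allowed set and no identifier in it names a Rhino shell builtin, the Java bridge, or a language-level route to them. The allowed character set, the identifier list and the use of rhino's -e option in the wrapper are assumptions of this example, not something the report specifies.

```bash
#!/bin/bash
# Added example, not plowshare4's own code: a known-good-pattern gate that a
# download module could apply to a javascript snippet before passing it to
# the rhino shell. A snippet is accepted only if
#   1. every character is in a small allowed set (no backslash, so no string
#      or unicode escapes; no [ ], so no computed property access; no $ or
#      backtick), and
#   2. none of its identifier tokens names a Rhino shell builtin, the Java
#      bridge, or a language-level route to them (eval, Function,
#      constructor, prototype, __proto__, __parent__).
# The allowed character set and the identifier list are this example's own
# assumptions; a real module should narrow the positive pattern to exactly
# what its site emits. The deny list is defence in depth, not the control.

# Rhino shell builtins (as listed in the Rhino shell documentation), the
# LiveConnect bridge names, and indirect routes to them. Words inside string
# literals are checked too, so a literal "java" also fails closed.
JS_DENIED_IDENTS='runCommand readFile readUrl load loadClass defineClass spawn
quit seal serialize deserialize sync gc help version
java javax Packages importClass importPackage JavaAdapter
eval Function constructor prototype __proto__ __parent__'

js_snippet_allowed() {
    local snippet=$1 ident
    local LC_ALL=C                       # keep [A-Za-z] meaning ASCII letters
    # Positive pattern: letters, digits, underscore, blanks, both quote
    # kinds and a fixed set of operators and punctuation. Nothing else.
    local allowed=$'^[A-Za-z0-9_ \t\n;,.()+*/%=<>!&|?:{}\'"-]*$'
    [[ $snippet =~ $allowed ]] || return 1

    # Deny list: pad with spaces so that only whole identifiers match.
    local denied=" ${JS_DENIED_IDENTS//$'\n'/ } "
    while IFS= read -r ident; do
        [[ $denied == *" $ident "* ]] && return 1
    done < <(printf '%s' "$snippet" | LC_ALL=C grep -Eo '[A-Za-z_][A-Za-z0-9_]*')
    return 0
}

# How a module would use the gate: rhino (here via its -e option) only ever
# sees snippets that passed. Rejections are reported on stderr and return 2.
run_js_if_safe() {
    if js_snippet_allowed "$1"; then
        rhino -e "$1"
    else
        echo 'javascript snippet rejected by known-good filter' >&2
        return 2
    fi
}

# Constructed snippets, run only when the file is executed directly.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    for s in 'var a = 3; var b = a * 7 + 1; print(b);' \
             'runCommand("ls");' \
             '"".constructor.constructor("return java")()'; do
        if js_snippet_allowed "$s"; then echo "accept: $s"; else echo "reject: $s"; fi
    done
fi
```

The positive character check does the real work: without backslashes or brackets a snippet cannot spell a denied name through escapes or computed property access, so the identifier list only has to cover names that can be written plainly. Anything the module's site never emits (braces, comparison operators) can be dropped from the allowed set to tighten it further.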
 
Until these things have been implemented, I suggest disabling
javascript support in plowshare4 completely to prevent putting users
at risk.