Plugins Integrity Check
Some malicious plugins that can't bypass Keiko themselves may exploit Keiko's exclusions system (especially when it comes to Domain Access Control) and inject their malware in plugins that you trust by modifying their code silently. For example, if you allow plugin 'ProtocolLib' to delete all files on your machine, other plugins may modify its JAR and insert their malicious code in it, which will, for example, delete your whole server on behalf of 'ProtocolLib'.
Keiko provides a solution for this: it can compare the actual SHA-512 checksums of your plugins with the checksums they had the last time you started your server, and abort server startup in case of a mismatch. Put simply, a checksum of a file is a "code" that "describes" the contents of that file. If anything inside that file changes, even a single byte, a completely different checksum will be produced. This makes it possible to check whether a file has been changed or corrupted without having to keep the original copy of the file — its checksum alone is enough.
Keiko uses files in the `.artifacts` folder to remember what your plugins should look like on the next startup. This means that deleting that folder will make Keiko think that all the plugins on the server are freshly installed (which, in turn, will result in Keiko blindly saving the current checksums without checking them).
When you run Keiko for the first time, it automatically remembers the checksums of all of your currently installed plugins. It also automatically remembers the checksums of new plugins that you install. Now suppose some malicious plugin or a fishy server admin with FTP access has infected one of your plugins (for example, ProtocolLib). The next time you start your server, Keiko will detect this change:
- If you did not update ProtocolLib, then this warning means that it is strongly recommended to answer "no" (to abort server startup), delete ProtocolLib, and re-download it from the official source. After doing so, you'll probably still get this warning, because most likely there have been some plugin updates since the last time you downloaded it. This time, since you just re-downloaded the plugin from an official source, answer "yes" and let Keiko remember the new checksum of the plugin.
- If you did update ProtocolLib recently, then simply answer "yes", and Keiko will remember the new, updated checksum of the reported plugin.
Please note that everywhere in this article, ProtocolLib was used simply as an example. None of these instructions are directly tied to this specific plugin.
You can exclude particular plugins by listing their name (as defined in their `plugin.yml`) in the `integrity_exclusions` list inside the `inspections.yml` configuration.
configuration. This may be useful for plugins that often auto-update. But make sure you really trust these plugins in this case!
For example, to exclude ProtocolLib (not recommended!), use:
```yaml
integrity_exclusions:
- ProtocolLib
```
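To make the mechanism described above concrete (checksums remembered on first sight, a mismatch on later startups, and exclusions matched by the `name:` key of a plugin's `plugin.yml`), here is an added Python model of the check. It is not Keiko's own code: the manifest file name `checksums.json`, the JAR contents and the `Updater` plugin are constructed for the example.

```python
import hashlib, json, re, tempfile, zipfile
from pathlib import Path

def sha512_of(path):
    # Whole-file read keeps the example short; chunked hashing is preferable for very large JARs.
    return hashlib.sha512(Path(path).read_bytes()).hexdigest()

def plugin_name(jar):
    # A JAR is a ZIP; exclusions are matched against the 'name:' key of its plugin.yml.
    with zipfile.ZipFile(jar) as z:
        text = z.read("plugin.yml").decode("utf-8", "replace") if "plugin.yml" in z.namelist() else ""
    m = re.search(r"^name:\s*['\"]?([^'\"\s#]+)", text, re.M)
    return m.group(1) if m else jar.name  # fall back to the file name if there is no plugin.yml

def check_integrity(plugins_dir, artifacts_dir, exclusions=()):
    # Compare each JAR's current SHA-512 with the one remembered at the previous startup.
    manifest = Path(artifacts_dir) / "checksums.json"  # assumed file name, not Keiko's real layout
    stored = json.loads(manifest.read_text()) if manifest.exists() else {}
    report, current = {}, {}
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        current[jar.name] = digest = sha512_of(jar)
        if plugin_name(jar) in exclusions:
            report[jar.name] = "excluded"   # trusted to change on its own (auto-updaters)
        elif jar.name not in stored:
            report[jar.name] = "new"        # first sight: remember the checksum blindly
        elif stored[jar.name] != digest:
            report[jar.name] = "mismatch"   # changed since last startup: abort and investigate
        else:
            report[jar.name] = "ok"
    if "mismatch" not in report.values():   # only persist when nothing is suspicious
        manifest.parent.mkdir(parents=True, exist_ok=True)
        manifest.write_text(json.dumps(current, indent=2))
    return report

def make_jar(path, name, payload):  # constructed sample plugin JAR: plugin.yml plus one class file
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("plugin.yml", f"name: {name}\nmain: {name}.Main\n")
        z.writestr(f"{name}/Main.class", payload)

def demo():
    # Two startups: the first records checksums, then ProtocolLib.jar is silently altered.
    plugins = Path(tempfile.mkdtemp()) / "plugins"
    plugins.mkdir()
    make_jar(plugins / "ProtocolLib.jar", "ProtocolLib", b"original")
    make_jar(plugins / "Updater.jar", "Updater", b"v1")
    first = check_integrity(plugins, plugins.parent / ".artifacts", exclusions={"Updater"})
    make_jar(plugins / "ProtocolLib.jar", "ProtocolLib", b"original\x00")  # one injected byte
    second = check_integrity(plugins, plugins.parent / ".artifacts", exclusions={"Updater"})
    return first, second
```

Because the manifest is only written when no mismatch was found, the altered checksum is not "remembered" until an operator has decided the change is legitimate, which matches the "answer yes/no" flow above.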
Can't find what you're looking for? Ask in Keiko's Discord server or open an issue on GitHub!