Maxlego08/zMenu

Potential security risk with download sub-command.

Opened this issue · 0 comments

Just noticed the recent update 1.0.3.0, which adds the new feature of a download sub-command.

Not long ago, many server owners suffered from CommandPanels' import command, which is similar to the download sub-command. This kind of feature, allowing direct downloading of third-party files, presents an opportunity for attackers who could exploit it if they gain access to the command.

Some of these potential exploits are:

  • Using the force argument to overwrite files and delete their current content.
  • Forcing the server to endlessly fetch a download, or overloading it with a large file, risking an out-of-memory scenario.
  • Using menu action tags that could run commands in the console, potentially performing harmful actions on the server or benefiting from them.
  • Downloading multiple invalid files; the next time those get loaded, they will throw InvalidConfigurationException error logs and fill/spam the log file/terminal/console.

Looks like you are validating the file extension and forcing the download path to the downloads directory. 👍
I wasn't able to use a path traversal attack, but someone with more experience might/could do it.

Addressing this, some of those exploits are:

  • Exploiting path traversal to relocate the YAML file to an alternate location, such as within another plugin's directory.
  • Downloading a valid configuration file for another plugin and abusing it, or an invalid configuration file that might disable the plugin.

The simplest solution would be to add an option in the config to disable/toggle the command and disable the feature by default, preventing its usage, since many server owners don't bother to read the wiki or even the update logs.

There may be other unknown potential issues, but the proposed solution should prevent some of the concerns described before.
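For reference, the checks discussed in this report, written up as an added Java example (zMenu is a Spigot plugin, so Java is the natural language here). This is not zMenu's code and does not claim to reflect how its download sub-command is implemented; the class, method and constant names, the 256 KiB limit, the timeouts, the `.part` temp-file convention and the `enabled` flag are all assumptions. It shows: a strict file-name allowlist plus a containment check against the real downloads directory (path traversal), no overwrite without `force` and never outside that directory, an https-only source with redirects refused, connect/read timeouts and a hard byte cap enforced on the bytes that actually arrive (endless fetch / huge file), download to a temp name with rename only after all checks pass (no half-written or oversized `.yml` ever becomes loadable), and a config toggle that is meant to default to off.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.regex.Pattern;

/** Hypothetical hardened "download <url> <file> [force]" handler; example code, not zMenu's own. */
public final class SafeMenuDownloader {
    // Limits a plugin would read from its config (assumed values).
    private static final long MAX_BYTES = 256 * 1024;   // a menu YAML should never approach this
    private static final int CONNECT_TIMEOUT_MS = 5_000;
    private static final int READ_TIMEOUT_MS = 10_000;
    // Bare file name only: no '/', '\', '..', ':' or second extension can get past this.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.yml$");
    private final Path downloadsDir;
    private final boolean enabled; // config toggle; the issue asks for false by default

    public SafeMenuDownloader(Path downloadsDir, boolean enabled) throws IOException {
        // toRealPath() follows symlinks so the containment check below compares real locations.
        this.downloadsDir = Files.createDirectories(downloadsDir).toRealPath();
        this.enabled = enabled;
    }

    /** Map a user-supplied name to a file directly inside downloadsDir, or throw. */
    public Path resolveTarget(String fileName) {
        if (!SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("invalid file name: " + fileName);
        }
        Path target = downloadsDir.resolve(fileName).normalize();
        // Defence in depth: even if SAFE_NAME were loosened later, never leave the directory.
        if (!downloadsDir.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes downloads directory: " + fileName);
        }
        return target;
    }

    /** Fetch url into fileName; refuses to overwrite unless force. Returns bytes written. */
    public long download(String url, String fileName, boolean force) throws IOException {
        if (!enabled) {
            throw new IllegalStateException("download sub-command is disabled in the config");
        }
        Path target = resolveTarget(fileName);
        if (Files.exists(target) && !force) {
            throw new IOException("refusing to overwrite existing file: " + target.getFileName());
        }
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException("only https:// sources are allowed");
        }
        // Stream into a .part file beside the target; rename only after every check passed, so an
        // oversized or half-fetched body never exists under a loadable .yml name.
        Path part = Files.createTempFile(downloadsDir, ".download-", ".part");
        try {
            long written = fetchBounded(uri.toURL(), part);
            Files.move(part, target, StandardCopyOption.REPLACE_EXISTING);
            return written;
        } finally {
            Files.deleteIfExists(part); // no-op after a successful move
        }
    }

    /** Copy at most MAX_BYTES from url into out; larger, slower or redirected responses fail. */
    private static long fetchBounded(URL url, Path out) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false); // a redirect to http:// or an internal host is refused
        conn.setConnectTimeout(CONNECT_TIMEOUT_MS);
        conn.setReadTimeout(READ_TIMEOUT_MS);
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("unexpected HTTP status " + conn.getResponseCode());
        }
        long total = 0;
        byte[] buf = new byte[8192];
        try (InputStream in = conn.getInputStream(); OutputStream os = Files.newOutputStream(out)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > MAX_BYTES) { // Content-Length can lie, so count what actually arrives
                    throw new IOException("response exceeds " + MAX_BYTES + " bytes, aborted");
                }
                os.write(buf, 0, n);
            }
        }
        return total;
    }

    /** Offline demo of the name check (no network); download() is what the command would call. */
    public static void main(String[] args) throws IOException {
        SafeMenuDownloader d = new SafeMenuDownloader(Files.createTempDirectory("menu-downloads"), false);
        for (String name : new String[] {"shop.yml", "../config.yml", "..\\x.yml", "a/b.yml", "shop.yml.jar"}) {
            try { System.out.println("accept " + d.resolveTarget(name)); }
            catch (IllegalArgumentException e) { System.out.println("reject " + e.getMessage()); }
        }
    }
}
```

In a Bukkit plugin `download()` should run off the main thread (for example through the scheduler's `runTaskAsynchronously`) so a slow or stalling host cannot freeze the tick loop while the timeouts run. Note that none of this addresses the action-tag concern: once a fetched menu is loaded, whatever console commands its actions contain run with the server's authority, which is exactly why the config toggle should default to off rather than relying on the command being hard to abuse.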