Summary
Plugin DLLs are loaded from the plugins directory with zero integrity verification. Any .dll file matching the manifest key gets loaded into a CollectibleAssemblyLoadContext with full access to app services, database, filesystem, and network.
Affected Files
| File | Detail |
| --- | --- |
| src/SharpSite.Web/PluginManager.cs:99-109 | Plugin DLL loading with no validation |
| src/SharpSite.Plugins/PluginAssemblyLoadContext.cs | No restrictions on loaded assemblies |
Risk
A malicious plugin gets full application-level trust. No code signing, hash verification, or publisher validation exists.
Recommended Fix (Phased)
Phase 1 Assembly Name Validation (Quick win): Validate assembly name matches manifest ID + SHA-256 hash verification.
Phase 2 Plugin Sandboxing: Permission manifest restricting plugin capabilities.
Phase 3 Code Signing (Long-term): Publisher certificate chain verification.
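As an added illustration of the Phase 1 check (this is example code written for this issue, not SharpSite's own PluginManager or manifest types), the verifier below reads the DLL once into memory, compares its SHA-256 against a hash carried in the manifest, reads the assembly identity from the PE metadata without executing anything, and returns the verified bytes so the caller loads them via LoadFromStream rather than re-reading the path. The PluginManifest record, its ExpectedSha256 field and the VerifyBeforeLoad/LoadVerified names are assumptions for this example:

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Runtime.Loader;
using System.Security.Cryptography;

// Hypothetical manifest shape for this example; the project's real manifest type may differ.
public sealed record PluginManifest(string Id, string ExpectedSha256);

public static class PluginVerifier
{
    // Returns the verified DLL bytes, or throws so the caller never loads an unverified assembly.
    public static byte[] VerifyBeforeLoad(string pluginsDirectory, PluginManifest manifest)
    {
        // 1. Derive the path from the manifest id only, and refuse anything that escapes the plugins directory.
        string root = Path.GetFullPath(pluginsDirectory);
        string dllPath = Path.GetFullPath(Path.Combine(root, manifest.Id + ".dll"));
        if (!dllPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new InvalidOperationException($"Plugin path escapes plugins directory: {manifest.Id}");
        if (!File.Exists(dllPath))
            throw new FileNotFoundException("Plugin assembly not found", dllPath);

        // 2. Read the file exactly once; every later check and the final load use these same bytes,
        //    which closes the window between "hash the file" and "load the file".
        byte[] fileBytes = File.ReadAllBytes(dllPath);

        // 3. SHA-256 of the bytes must equal the manifest value; compare in constant time.
        byte[] actual = SHA256.HashData(fileBytes);
        byte[] expected = Convert.FromHexString(manifest.ExpectedSha256);
        if (!CryptographicOperations.FixedTimeEquals(actual, expected))
            throw new InvalidOperationException($"SHA-256 mismatch for plugin {manifest.Id}");

        // 4. Read the assembly name from metadata (no code runs here) and require it to match the manifest id.
        using var pe = new PEReader(new MemoryStream(fileBytes));
        if (!pe.HasMetadata)
            throw new BadImageFormatException("Plugin file has no CLI metadata", dllPath);
        MetadataReader md = pe.GetMetadataReader();
        if (!md.IsAssembly)
            throw new BadImageFormatException("Plugin file is a module, not an assembly", dllPath);
        string asmName = md.GetString(md.GetAssemblyDefinition().Name);
        if (!string.Equals(asmName, manifest.Id, StringComparison.Ordinal))
            throw new InvalidOperationException(
                $"Assembly name '{asmName}' does not match manifest id '{manifest.Id}'");

        return fileBytes;
    }

    // Loads only the bytes that passed verification into the given (e.g. collectible) load context.
    public static Assembly LoadVerified(AssemblyLoadContext context, string pluginsDirectory, PluginManifest manifest)
    {
        byte[] verified = VerifyBeforeLoad(pluginsDirectory, manifest);
        return context.LoadFromStream(new MemoryStream(verified));
    }
}
```

Two points worth keeping in mind when wiring this into PluginManager: the manifest hash only helps if the manifest itself comes from somewhere the plugin author cannot edit (shipped with the application or fetched from a trusted registry), otherwise whoever can drop a DLL can also update the hash beside it; and the name check here is against the assembly's own metadata name, not the file name, so renaming a file cannot satisfy it.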
Estimated Effort
Phase 1: 4-6 hours | Phase 2: 2-3 days | Phase 3: 1 week