Introduce a way to make sure that H5P libraries are "official"
I would like to discuss a feature that might improve the security of H5P and also the integrity of H5P platforms. And it might make sharing of content easier.
Currently, some people patch H5P libraries in order to tweak them to their needs. That's fine on their platform. However, those patched libraries also end up in exported files. In turn, they can end up on other platforms if people with sufficient permissions upload the exported files and the origin library that was patched is not yet available on the target platform or in an earlier version. That's probably not something that people expect.
Similarly, deliberately manipulated H5P libraries could potentially find their way onto H5P platforms.
Therefore, I suggest to at least compute some hash value for every official H5P library (over all files) and make it available publicly. The H5P editor core should check official H5P libraries against that checksum when they are supposed to be installed and ignore those libraries if the checksum doesn't match. Alternatively, it could issue a warning and require explicit confirmation. Or it behaves the same as today - depending on the user role or on some configuration. A similar approach could be chosen for any H5P library (version) that doesn't exist on the official H5P library server. I feel it's not thaaaat uncommon anymore that people install H5P libraries that are not available on the H5P Hub yet, but maybe some people might want to know that they are about to install a library that's not on the H5P Hub and want to confirm this at least. Could also depend on a setting or user role, of course.
One could make this more complex (with signatures), but as long as the H5P Hub is the "only true source" of libraries, the checksum approach should suffice.
Another positive aspect: If admins need to worry less about others installing H5P libraries, it's more likely they grant this capability to more people thus reducing the likelihood that someone wants to upload content but can't because a library from the file being uploaded is not yet installed on the platform.
What do you, the H5P community, think about this?
serettig
Fri, 01/14/2022 - 07:12
I wholeheartedly agree to the proposal. We at Lumi have thought about this issue and the same solution in the past and we absolutely see the need for it. Our app is particularly prone to these problems as it heavily relies on users loading content and installing libraries freely. We've thought about both approaches (checksums and signing) and signing seems like an overkill at the moment, even if it is the technically better approach.
If there is an official specification the NodeJS port will pick it up right away. What I see as very important is that the specification is very clear in how the checksum must be calculated in a deterministic (and deliberately specified!) way and that it is not just a byproduct of a function of the PHP core that happens to look at files in a particular order because "that's how PHP orders file lists", for example.
Best
Sebastian
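A sketch of the checksum check discussed in the proposal and in this reply, added here as an example; it is not code from H5P core, the NodeJS port, or any participant in this thread. The manifest format, the function names, and the sample library `H5P.Example` are assumptions; the point is that file order and path encoding are fixed by the rules in the code rather than by whatever order a file system returns.

```javascript
const { createHash } = require('node:crypto');

// 8-byte big-endian length prefix, so path/content boundaries are unambiguous.
function lengthPrefix(buf) {
  const len = Buffer.alloc(8);
  len.writeBigUInt64BE(BigInt(buf.length));
  return len;
}

// files: Map<relativePath, Buffer>. Ordering is specified, not inherited:
// paths use "/", are NFC-normalized, and are sorted by their raw UTF-8 bytes.
function libraryDigest(files) {
  const entries = [...files].map(([path, content]) => [
    Buffer.from(path.replace(/\\/g, '/').normalize('NFC'), 'utf8'),
    content,
  ]);
  entries.sort((a, b) => Buffer.compare(a[0], b[0]));
  const hash = createHash('sha256');
  for (const [path, content] of entries) {
    hash.update(lengthPrefix(path)).update(path);
    hash.update(lengthPrefix(content)).update(content);
  }
  return hash.digest('hex');
}

// manifest: Map<"machineName version", hex digest>, a hypothetical published list.
function checkLibrary(machineName, version, files, manifest) {
  const expected = manifest.get(`${machineName} ${version}`);
  if (expected === undefined) return 'unlisted'; // not on the Hub: confirm or block
  return expected === libraryDigest(files) ? 'official' : 'modified';
}

// Constructed sample data, not a real H5P library.
const official = new Map([
  ['library.json', Buffer.from('{"machineName":"H5P.Example","majorVersion":1}')],
  ['scripts/example.js', Buffer.from('H5P.Example = function () {};')],
]);
const manifest = new Map([['H5P.Example 1.0.0', libraryDigest(official)]]);

// Same name and version as the official library, but one file was patched.
const patched = new Map(official);
patched.set('scripts/example.js', Buffer.from('H5P.Example = function () { /* patched */ };'));
```

Whether `modified` and `unlisted` results block the installation, warn, or pass through would depend on the role or setting described in the proposal.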
otacke
Fri, 01/14/2022 - 19:23
My thinking exactly.
papi Jo
Sat, 01/15/2022 - 12:17
Hi Oliver & Sebastian
The H5P editor core should check official H5P libraries against that checksum when they are supposed to be installed and
otacke
Sun, 01/16/2022 - 14:30
Hi Papi Jo!
Thanks for confirming the usefulness of such an option. I just wonder what the use case for not blocking to install could be in your opinion? The existing development mode behavior would override the blocking, of course.
Best,
Oliver
papi Jo
Mon, 01/17/2022 - 16:50
Hi Oliver
I'm afraid I had not correctly understood your proposal. I expect you are talking about H5P libraries having the same name as the "official" ones, but which have been modified by users. I wrongly thought you were talking about new libraries created with different names.
So I agree with your proposal, of course.
otacke
Mon, 01/17/2022 - 18:19
Aah, I see. Well, yes and no, I guess. Those content types with a machine name that's not listed on the Hub and thus don't have a retrievable checksum should in fact be treated with care just like some patched content type with a listed machine name. Admins could install those if they wanted to, but I don't see why admins should not be able to decide to completely block those by default for others and only to allow them using content types from the Hub freely.
otacke
Thu, 09/01/2022 - 10:57
Just adding some real world example why this would be useful: https://h5p.org/node/1295120
otacke
Thu, 04/25/2024 - 14:19
Yet another example why this is important: https://h5p.org/node/1483905
farrisimin
Fri, 05/03/2024 - 02:45
I totally agree with you, Oliver! May I also suggest the ability to be able to bring in smaller h5p content types.. For example, the available ones within the working environment.. let's say that someone has a smaller library like the filefordownload library, the hub should allow for it to be used on modifying or hacking the code to so.. I guess more like a drag and drop feature of the webforms but with h5p libraries.. I believe this could be the new hub 3.0 ♥♥♥ or maybe this idea is far-fetched..
otacke
Fri, 05/03/2024 - 17:56
I didn't suggest any limitation for content types, see https://h5p.org/comment/44564#comment-44564 for instance.
otacke
Mon, 08/19/2024 - 21:24
I have just been called to help, and I have seen a system that severely suffered from patched libraries (with utopian major versions to ensure they get installed) that were not supposed to be installed.
It's not trivial to fix those things if you don't know all kinds of things about H5P, so I really think H5P Group should tackle this issue rather sooner than later! It's not a "nice to have" if you encourage people to play with H5P and also provide the tools but no documentation/warning whatsoever.