1. Overview Purpose: Allow a host application (e.g., editor, IDE, media player, game engine) to open external files via a plugin system. The plugin registers a custom file open handler to intercept or extend the application’s native file opening behavior.
Define standard return codes:
bool is_safe_path(const char* requested, const char* allowed_root) char real_req[PATH_MAX], real_root[PATH_MAX]; if (!realpath(requested, real_req)) return false; if (!realpath(allowed_root, real_root)) return false; return strncmp(real_req, real_root, strlen(real_root)) == 0; plugin file open
def decrypt(self, data): # custom decryption logic return xor_cipher(data, key='secret') | Threat | Mitigation | |--------|-------------| | Path traversal (../../etc/passwd) | Sanitize and canonicalize paths; reject if outside allowed roots | | Plugin crash crashing host | Run plugin in separate process or sandbox (e.g., WASM, Lua sandbox) | | Malicious plugin reading arbitrary files | Enforce capability-based permissions: allow_paths=["/data/project/*"] | | Symlink attacks | Use realpath() and verify file ownership/permissions before open | | Recursive plugin calls | Set a recursion guard (max depth = 3) | const char* allowed_root) char real_req[PATH_MAX]