Solved

FME Hub items and security


redgeographics
Celebrity

I'm wondering to what degree items uploaded to FME Hub are checked? Are they considered "safe to download" or "use at your own risk"?

 

Imagine a wild scenario where I would upload a custom transformer with a SystemCaller in it that formats the C drive. Will that get flagged or not? (And what if I password-protect it?)


13 replies

david_r
Celebrity
  • February 23, 2023

That's an excellent question that I've also asked myself (and Mark Ireland some time ago). I suspect that unless it's been published by Safe Software, you're sort of on your own.

Look no further than this "transformer" that uses the SystemCaller to rickroll you. Harmless, sure, but it very clearly demonstrates the issue:

https://hub.safe.com/publishers/virtualcitymatt/transformers/3dclipper-notproductionready


redgeographics
Celebrity
  • Author
  • February 23, 2023
david_r wrote:

That's an excellent question that I've also asked myself (and Mark Ireland some time ago). I suspect that unless it's been published by Safe Software, you're sort of on your own.

Look no further than this "transformer" that uses the SystemCaller to rickroll you. Harmless, sure, but it very clearly demonstrates the issue:

https://hub.safe.com/publishers/virtualcitymatt/transformers/3dclipper-notproductionready

I was going to point out that I always check who made it and that people who work for (or used to work for) Safe, or a partner, or are well-known members of the community, are probably okay to trust.

 

But apparently I need to remove @virtualcitymatt​ from that list 😂


virtualcitymatt
Celebrity

Haha, yes, this transformer was indeed my subtle attempt to make people a bit more aware that they need to be careful.


jkr_wrk
Influencer
  • March 14, 2023

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 


virtualcitymatt
Celebrity
jkr_da wrote:

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

This is what I did too - all just SystemCallers

[image]


redgeographics
Celebrity
jkr_da wrote:

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

To me, having to download a workbench to help somebody here is already something that will make me think twice before replying. I'm much more likely to help out if there's screenshots attached.

 

With regards to transformer names, you're absolutely right! That's one of the reasons I'm very much against renaming transformers (ask anybody who has ever received training from me). Scrolling through the Navigator could be a way for the user to check the real transformer types.

 

I can also see a "Workspace checker workspace", a workspace that checks another one and reports on potentially harmful transformers, like the ones you mention.


virtualcitymatt
Celebrity

I think an idea or an improvement to the Hub/Workbench would be to indeed show a warning that this workspace/transformer/format contains potentially harmful content.

Another option could be like with excel and macros, as in the user needs to first acknowledge and enable these potentially harmful tools. The code which was used to develop the Change Detection tool could be leveraged to explore/highlight these potentially harmful areas.

 


david_r
Celebrity
  • March 14, 2023
jkr_da wrote:

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

Lots of good points here. I'm also very much against renaming transformers, there's almost nothing worse than to open somebody else's complex workspace only to find weird acronyms and descriptions rather than the transformer name.

 

Regarding a workspace to audit 3rd party workspaces: I've already made such a thing for a client, it's not very difficult using the FMW reader. Although you do have to fiddle a bit to get to the startup and shutdown scripts, as the FMW reader does not currently support them.
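As an added example (not part of the original thread, not Safe Software's code, and not the auditing workspace david_r describes), the script below does the static check that jkr_wrk, redgeographics and david_r are asking for: it reads a .fmw as plain text, looks at each transformer's real TYPE rather than its canvas name, and reports the ones that can run code, so a SystemCaller renamed AttributeRenamer_22 still shows up. It rests on one assumption about the file layout, which you should verify against a real .fmw before relying on it: the Workbench header is a run of lines prefixed "#!" holding an XML-like document in which each transformer is a `<TRANSFORMER ... TYPE="...">` element whose display name is the XFORM_PARM named TRANSFORMER_NAME. The sample workspace embedded in the script is constructed in that assumed layout; the parameter name COMMAND in it is made up for illustration. Linked custom transformers (.fmx), Tcl/Python startup and shutdown scripts (the part david_r says needs fiddling), and password-protected custom transformers are not inspected by this check.

```python
"""Static audit of an FME workspace (.fmw) for transformers that can run code.

Assumed layout (verify against a real .fmw): the Workbench header is a run of
"#!"-prefixed lines holding an XML-like document in which each transformer is
a <TRANSFORMER ... TYPE="..."> element whose display name is the XFORM_PARM
named TRANSFORMER_NAME. Added example; not Safe Software code.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Types that execute code or reach the network. PythonCaller, SystemCaller and
# HTTPCaller come from the thread; the others are added here on the assumption
# that they are current FME transformer names.
RISKY_TYPES = {
    "SystemCaller", "PythonCaller", "PythonCreator", "TclCaller", "HTTPCaller",
    "SQLExecutor", "SQLCreator", "WorkspaceRunner", "FMEServerJobSubmitter",
}

HEADER_PREFIX = "#!"
_TRANSFORMER_RE = re.compile(r"<TRANSFORMER\b(.*?)>(.*?)</TRANSFORMER>", re.S)
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
_NAME_RE = re.compile(
    r'<XFORM_PARM\s+PARM_NAME="TRANSFORMER_NAME"\s+PARM_VALUE="([^"]*)"')


@dataclass
class Finding:
    identifier: str
    xform_type: str    # real transformer type from the TYPE attribute
    display_name: str  # what the canvas shows
    enabled: bool
    renamed: bool      # display name no longer starts with the real type


def workbench_header(fmw_text: str) -> str:
    """Join the '#!'-prefixed header lines; the mapping-file body is ignored."""
    return "\n".join(line[len(HEADER_PREFIX):].lstrip()
                     for line in fmw_text.splitlines()
                     if line.startswith(HEADER_PREFIX))


def audit_workspace(fmw_text: str) -> List[Finding]:
    """One Finding per transformer whose real type is in RISKY_TYPES,
    whatever name it has been given on the canvas."""
    findings = []
    for attr_text, body in _TRANSFORMER_RE.findall(workbench_header(fmw_text)):
        attrs = dict(_ATTR_RE.findall(attr_text))
        xform_type = attrs.get("TYPE", "")
        if xform_type not in RISKY_TYPES:
            continue  # Testers, Clippers, renamed or not, are not reported
        match = _NAME_RE.search(body)
        name = match.group(1) if match else xform_type
        findings.append(Finding(
            identifier=attrs.get("IDENTIFIER", "?"),
            xform_type=xform_type,
            display_name=name,
            enabled=attrs.get("ENABLED", "true").lower() == "true",
            renamed=not name.startswith(xform_type),
        ))
    return findings


# Constructed sample in the assumed layout: a Tester renamed harmlessly and a
# SystemCaller renamed to look like an AttributeRenamer (COMMAND is made up).
SAMPLE_FMW = """\
#! <?xml version="1.0" encoding="UTF-8" ?>
#! <WORKSPACE WORKSPACE_VERSION="1">
#! <TRANSFORMER
#!   IDENTIFIER="1"
#!   TYPE="Tester"
#!   ENABLED="true"
#! >
#!   <XFORM_PARM PARM_NAME="TRANSFORMER_NAME" PARM_VALUE="KeepRoadsOnly"/>
#! </TRANSFORMER>
#! <TRANSFORMER
#!   IDENTIFIER="2"
#!   TYPE="SystemCaller"
#!   ENABLED="true"
#! >
#!   <XFORM_PARM PARM_NAME="TRANSFORMER_NAME" PARM_VALUE="AttributeRenamer_22"/>
#!   <XFORM_PARM PARM_NAME="COMMAND" PARM_VALUE="cmd /c echo gotcha"/>
#! </TRANSFORMER>
#! </WORKSPACE>
GUI DYNAMIC
FACTORY_DEF * TeeFactory FACTORY_NAME "KeepRoadsOnly" INPUT FEATURE_TYPE *
"""

if __name__ == "__main__":
    # Usage: python audit_fmw.py workspace.fmw  (no argument: audit the sample)
    text = SAMPLE_FMW
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    findings = audit_workspace(text)
    if not findings:
        print("no code-executing transformers found")
    for f in findings:
        note = "  <-- renamed, looks like something else" if f.renamed else ""
        print(f"[{f.identifier}] {f.xform_type} shown as '{f.display_name}', "
              f"{'enabled' if f.enabled else 'disabled'}{note}")
```

Run it against a downloaded workspace before opening it in Workbench; a renamed Tester is deliberately ignored so that ordinary renaming does not drown out the one hit that matters. Anything it cannot see (linked .fmx files, startup and shutdown scripts, encrypted custom transformers) still has to be opened and read by hand.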


danminneyatsaf
Safer

Hey all, I'm happy to say we're currently looking at implementing a warning when users install content from the Hub, whether that be packages or custom transformers. We're planning to release this as part of FME Desktop 2023.0. I'll update everyone here when this has been added to a new version of FME and would be interested in your feedback once it has been released!

 

For your reference, the internal ticket number is FMEDESKTOP-13650.


virtualcitymatt
Celebrity
danminneyatsaf wrote:

Hey all, I'm happy to say we're currently looking at implementing a warning when users install content from the Hub, whether that be packages or custom transformers. We're planning to release this as part of FME Desktop 2023.0. I'll update everyone here when this has been added to a new version of FME and would be interested in your feedback once it has been released!

 

For your reference, the internal ticket number is FMEDESKTOP-13650.

Great news, yes, I seem to remember something like this being mentioned at the UC.


redgeographics
Celebrity
virtualcitymatt wrote:

Haha, yes this transformer was indeed my subtle attempt to make people a bit more aware they need to be careful

Just curious: do you mind if we cover this custom transformer in a webinar? My original question was sparked by a question on our own forum and I think the following discussion we've had over here has some very good points.


virtualcitymatt
Celebrity
redgeographics wrote:

Just curious: do you mind if we cover this custom transformer in a webinar? My original question was sparked by a question on our own forum and I think the following discussion we've had over here has some very good points.

Yes! please do!


evieatsafe
Safer
  • Best Answer
  • March 29, 2023

We have implemented the warning when users connect to the Hub (FMEDESKTOP-13650). This includes the following user actions:

  • Opening a workspace with Hub Community content that you do not have downloaded on your machine
  • Opening a .fpkg, .fmx, .fds, .fmwt from a file browser directly (which defaults to opening Workbench)
  • Downloading a workspace from FME Server that has Hub Community content
  • Taking a download action from any place in Workbench while authoring (Workbench Quick Add, Transformer Gallery, Format Prompt, etc.)

This warning can be dismissed/skipped so it is not shown again until you upgrade FME Workbench to a major version, at which time it is re-asked.

Unfortunately, this means you have to wait for the 2023.0 release to take advantage of this new functionality. If you would like to disable the Hub from FME Workbench entirely to have complete control of what you are downloading, I would suggest blacklisting the FME Hub URLs in your network or firewall policy. Let us know if you have any other questions 🙂

