Solved

FME Hub items and security


Userlevel 4
Badge +25

I'm wondering to what degree items uploaded to FME Hub are checked? Are they considered "safe to download" or "use at your own risk"?

 

Imagine a wild scenario where I would upload a custom transformer with a SystemCaller in it that formats the c drive, will that get flagged or not? (and what if I password-protect it?)

icon

Best answer by evieatsafe 29 March 2023, 22:48

View original

13 replies

Userlevel 4

That's an excellent question that I've also asked myself (and Mark Ireland some time ago). I suspect that unless it's been published by Safe Software, you're sort of on your own.

Look no further than this "transformer" that uses the SystemCaller to rickroll you. Harmless, sure, but it very clearly demonstrates the issue:

https://hub.safe.com/publishers/virtualcitymatt/transformers/3dclipper-notproductionready

Userlevel 4
Badge +25

That's an excellent question that I've also asked myself (and Mark Ireland some time ago). I suspect that unless it's been published by Safe Software, you're sort of on your own.

Look no further than this "transformer" that uses the SystemCaller to rickroll you. Harmless, sure, but it very clearly demonstrates the issue:

https://hub.safe.com/publishers/virtualcitymatt/transformers/3dclipper-notproductionready

I was going to point out that I always check who made it and that people who work for (or used to work for) Safe, or a partner, or are well-known members of the community, are probably okay to trust.

 

But apparently I need to remove @virtualcitymatt​ from that list 😂

Userlevel 4
Badge +26

Haha, yes this transformer was indeed my subtle attempt to make people a bit more aware they need to be careful

Badge +15

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

Userlevel 4
Badge +26

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

This is what I did too - all just SystemCallers

image

Userlevel 4
Badge +25

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

To me, having to download a workbench to help somebody here is already something that will make me think twice before replying. I'm much more likely to help out if there's screenshots attached.

 

With regards to transformer names, you're absolutely right! One of the reasons I'm very much against renaming transformers (ask anybody who has ever received training from me). Scrolling through the navigator could be a way the user checks the real transformer types.

 

I can also see a "Workspace checker workspace", a workspace that checks another one and reports on potentially harmful transformers, like the ones you mention.

Userlevel 4
Badge +26

I think an idea or an improvement to the Hub/Workbench would be to indeed show a warning that this workspace/transformer/format contains potentially harmful content.

Another option could be like with excel and macros, as in the user needs to first acknowledge and enable these potentially harmful tools. The code which was used to develop the Change Detection tool could be leveraged to explore/highlight these potentially harmful areas.

 

Userlevel 4

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

 

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

 

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

 

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

 

Lots of good points here. I'm also very much against renaming transformers, there's almost nothing worse than to open somebody else's complex workspace only to find weird acronyms and descriptions rather than the transformer name.

 

Regarding a workspace to audit 3rd party workspaces: I've already made such a thing for a client, it's not very difficult using the FMW reader. Although you do have to fiddle a bit to get to the startup and shutdown scripts, as the FMW reader does not currently support them.

Userlevel 2
Badge +10

Hey all, I'm happy to say we're currently looking at implementing a warning when users install content from the Hub, whether that be packages or custom transformers. We're planning to release this as part of FME Desktop 2023.0. I'll update everyone here when this has been added to a new version of FME and would be interested in your feedback once it has been released!

 

For your reference, the internal ticket number is FMEDESKTOP-13650.

Userlevel 4
Badge +26

Hey all, I'm happy to say we're currently looking at implementing a warning when users install content from the Hub, whether that be packages or custom transformers. We're planning to release this as part of FME Desktop 2023.0. I'll update everyone here when this has been added to a new version of FME and would be interested in your feedback once it has been released!

 

For your reference, the internal ticket number is FMEDESKTOP-13650.

Great news, yes I seem to remember something like this being mentioned at the UC

Userlevel 4
Badge +25

Haha, yes this transformer was indeed my subtle attempt to make people a bit more aware they need to be careful

Just curious: do you mind if we cover this custom transformer in a webinar? My original question was sparked by a question on our own forum and I think the following discussion we've had over here has some very good points.

Userlevel 4
Badge +26

Just curious: do you mind if we cover this custom transformer in a webinar? My original question was sparked by a question on our own forum and I think the following discussion we've had over here has some very good points.

Yes! please do!

Userlevel 1
Badge +15

We have implemented the warning when users connect to the Hub. (FMEDESKTOP-13650) This includes the following user actions:

  • Opening a workspace with Hub Community content that you do not have downloaded on your machine
  • Opening a .fpkg, .fmx, .fds, .fmwt from a file browser directly (which defaults to opening Workbench) 
  • Downloading a workspace from FME Server that has Hub Community content. 
  • Taking a download action from any place in Workbench while authoring (Workbench Quick Add, Transformer Gallery, Format Prompt, etc.)

This warning can be dismissed/skipped to not be shown again until a you upgrade FME Workbench to a major version, at which time it is re-asked.

 

Unfortunately, this means you have to wait for the 2023.0 release to take advantage of this new functionality. If you would like to disable the Hub from FME Workbench entirely to have complete control of what you are downloading, I would suggest blacklisting the FME Hub URLs in your network or firewall policy. Let us know if you have any other questions 🙂

Reply