This is a bit less of a "simple answer" question than I would like; however, I am not really sure where else would be best to get a collection of vulnerabilities related to this sort of thing. I will happily delete the question if someone has a problem.
So with that out of the way, here is my scenario: I have a client-heavy web-based app, which is Knockout with local storage to a web service. Now part of the user's experience has hooks where users can write plugins and make their own functionality on top of the existing one. Although this part is not 100% relevant, it basically is an event system where events are exposed and other JavaScript files can be loaded at runtime to listen for and action these events.
Currently a plugin consists of:
Now we want to streamline the process, so we were going to create a site which is a subdomain of our existing app where users can upload their own plugins in one central place, and then access them in the web app.
So we made the decision that the user can upload a zip file containing these files, and we will do some server processing to confirm it contains the relevant stuff and then basically expose it for users to access.
Now my question focuses around the security vulnerabilities I should be worrying about here.
I know the zip files could contain anything, so the best we can do, from my current understanding, is just make sure the zip file contains the files we expect in the pattern we expect, i.e. plugin-descriptor.json, entry-point.js, then hope for the best.
I can also make sure there are only file extensions matching our accepted files, i.e. js, json, html, png, jpg, gif, etc.
There can be file size constraints put in and header checking on files to prove they are of the type you expect, but I am not sure how technically feasible this sort of thing is.
As an example of a system like this, WordPress has a collection of plugins users can access and apply to their site; they (and others) seem to use an SVN server they maintain and manually verify plugins uploaded, which I am not sure we have the manpower to do (hence why I want to see if there is any automated way to vet these things). Also, much like other sites where users can upload pictures, there must be best practices around handling this sort of scenario.
Other than that, I am not sure what else to look out for, and this feature may not be played in the next sprint; we are just working out the technical issues around it and trying to see what the best way is of being able to have a list of plugins for users to access without us having to do LOTS of work maintaining it.
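As an added example (not code from the question or the asker's project), here is a server-side validator in Python for the checks the question lists: required file names, an extension allow-list, size limits and header-byte checks on the image types, plus a rejection of archive paths that could escape the extraction directory. The two required file names and the extension list come from the question; the size limits and magic-byte table are assumed policy values.

```python
import io
import zipfile
from pathlib import PurePosixPath
# Assumed policy (not from the original post): allowed extensions, magic-byte
# prefixes for binary types, and per-file / total uncompressed size limits.
REQUIRED = {"plugin-descriptor.json", "entry-point.js"}
ALLOWED_EXT = {".js", ".json", ".html", ".png", ".jpg", ".gif"}
MAGIC = {".png": [b"\x89PNG\r\n\x1a\n"], ".jpg": [b"\xff\xd8\xff"], ".gif": [b"GIF87a", b"GIF89a"]}
MAX_FILE, MAX_TOTAL = 512 * 1024, 2 * 1024 * 1024  # bytes, uncompressed

def validate_plugin_zip(data: bytes) -> list:
    """Return a list of policy violations; an empty list means the archive passes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    problems, names, total = [], set(), 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        p = PurePosixPath(info.filename)
        # Absolute paths, '..' components or backslashes could escape the extraction dir.
        if p.is_absolute() or ".." in p.parts or "\\" in info.filename:
            problems.append(f"{info.filename}: unsafe path")
            continue
        ext = p.suffix.lower()
        if ext not in ALLOWED_EXT:
            problems.append(f"{info.filename}: extension not allowed")
            continue
        total += info.file_size  # declared uncompressed size, checked before inflating
        if info.file_size > MAX_FILE or total > MAX_TOTAL:
            problems.append(f"{info.filename}: size limit exceeded")
            continue
        if ext in MAGIC:  # binary types must start with the header their extension implies
            head = zf.open(info).read(8)
            if not any(head.startswith(m) for m in MAGIC[ext]):
                problems.append(f"{info.filename}: content does not match {ext} header")
        names.add(str(p))
    missing = REQUIRED - names
    if missing:
        problems.append("missing required files: " + ", ".join(sorted(missing)))
    return problems

def build_sample_zip(files: dict) -> bytes:
    """Constructed test input: build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The size check relies on the sizes declared in the archive, so reading the entries is deferred until those declared sizes are within policy; the uploaded JavaScript and HTML still execute in users' browsers, which this validator does not attempt to address.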