campadrenalin
Arbitrary code evaluation in ejtpd ($50)
ejtpd is kind of useless right now, being immature and difficult to debug. What I'm seriously considering is exposing an arbitrary code evaluation feature to authorized controller clients. This would allow much faster diagnostics, analysis, feature development, and a powerful administration fallback for when no other tools for the job exist. In fact, it could become the entirety of the protocol.
I am worried about security though, for obvious reasons. But the thing is, clients are authenticated administrators anyways. Every single specific concern I can come up with, I can easily shoot down with "if an attacker successfully masquerades as a controller, you're already totally fucked anyways." What I'm wondering is, can anyone else think of any security concerns that can't be dismissed this way? If not, I think this is the most useful and development-easing feature we can possibly implement to improve ejtpd.
I'm going to go ahead and give this a green light. At some point we may want to make a more fine-grained permission model, but the model is already "He who wields the controller credentials controls everything", and that's all anyone's going to need for quite some time.
Bounty is $50.
http://www.freedomsponsors.org/core/issue/215/arbitrary-code-evaluation-in-ejtpd
(Copied from acceptance criteria)
ejtpd Controller client can send strings for server-side evaluation. The server attempts to execute this with eval(), and sends back an error message if this fails (this may be as simple or advanced as you want for now, it will get further refined over this development cycle). If the eval succeeds, the result should be sent back to the Controller. If the result is JSON serializable, send that. If not, convert to string with repr(), and send the string.