MovingBlocks

Research Java AWT whitelist

Terasology currently uses the Abstract Window Toolkit (AWT) to render 2D graphics, read image data, write screenshots in different file formats and handle copy and paste. As such, the entire java.awt package is whitelisted by Terasology's sandboxing system so that it can be used by external modules. However, the package may contain classes that pose a security risk to the module sandbox, and most of it is most likely unused. A report on the package's security and on which parts modules actually use will help us determine how to handle its inclusion in the API whitelist.

Definition of 'Done'

  • A short text report (as a blog or forum post) is submitted, containing the following:
    • A list of potentially unsafe classes in the java.awt package (anything that allows file or socket access and could potentially be used for), if any exist.
    • A list of java.awt classes used by the following popular modules: JoshariasSurvival, LightAndShadow, GooeysQuests, MedievalCities.

Where to start?

  • Check out PR #2494 for some high-level discussion of AWT usage in the game.
  • The easiest way to obtain a list of classes used by the modules is to simply remove java.awt from the external API whitelist. The game will most likely crash with a ClassNotFound error - re-add the mentioned class to the whitelist (to the CLASSES list instead of the PACKAGES list), rinse and repeat until the game works fine.
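As a complement to the remove-and-crash loop above, the following script is an added example written for this page (not part of Terasology, the gestalt sandbox, or this task) that lists the java.awt classes each module class references statically. It reads the CONSTANT_Class entries of every .class file's constant pool, so it also finds classes on code paths the crash loop never exercises; it will not see classes loaded only by name through reflection. It assumes a module is available as a built jar or as an unpacked directory of .class files; the build_sample_class helper exists only to construct sample input for a self-check.

```python
import struct
import sys
import zipfile
from pathlib import Path

# Constant-pool tags from the JVM specification (JVMS section 4.4).
CONSTANT_UTF8 = 1
CONSTANT_LONG = 5
CONSTANT_DOUBLE = 6
CONSTANT_CLASS = 7

# Payload size in bytes (after the one-byte tag) of every entry kind we skip over.
_SKIP_SIZE = {
    3: 4, 4: 4,            # Integer, Float
    5: 8, 6: 8,            # Long, Double (these also occupy two pool slots)
    8: 2,                  # String
    9: 4, 10: 4, 11: 4,    # Fieldref, Methodref, InterfaceMethodref
    12: 4,                 # NameAndType
    15: 3, 16: 2,          # MethodHandle, MethodType
    17: 4, 18: 4,          # Dynamic, InvokeDynamic
    19: 2, 20: 2,          # Module, Package
}


def referenced_classes(class_bytes, prefix="java/awt/"):
    """Return the dotted names of all classes under `prefix` that one .class file
    references via CONSTANT_Class entries (field types, method owners, casts, arrays)."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (cp_count,) = struct.unpack_from(">H", class_bytes, 8)
    pos, index = 10, 1
    utf8 = {}             # pool index -> decoded string
    class_name_refs = []  # name_index of every CONSTANT_Class entry
    while index < cp_count:
        tag = class_bytes[pos]
        pos += 1
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            # Class names are ASCII in practice, so modified-UTF-8 quirks do not matter here.
            utf8[index] = class_bytes[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag == CONSTANT_CLASS:
            (name_index,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            class_name_refs.append(name_index)
        elif tag in _SKIP_SIZE:
            pos += _SKIP_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {index}")
        index += 2 if tag in (CONSTANT_LONG, CONSTANT_DOUBLE) else 1

    found = set()
    for name_index in class_name_refs:
        name = utf8.get(name_index, "")
        if name.startswith("["):  # array class, e.g. "[Ljava/awt/Color;"
            name = name.lstrip("[")
            if name.startswith("L") and name.endswith(";"):
                name = name[1:-1]
        if name.startswith(prefix):
            found.add(name.replace("/", "."))
    return found


def scan_module(path):
    """Map each .class file in a module jar (or an unpacked build directory) to the
    sorted java.awt classes it references. Classes with no references are omitted."""
    path = Path(path)
    if path.is_dir():
        entries = [(str(p.relative_to(path)), p.read_bytes()) for p in path.rglob("*.class")]
    else:
        with zipfile.ZipFile(path) as jar:
            entries = [(n, jar.read(n)) for n in jar.namelist() if n.endswith(".class")]
    report = {}
    for name, data in entries:
        refs = referenced_classes(data)
        if refs:
            report[name] = sorted(refs)
    return report


def whitelist_candidates(report):
    """Union of all referenced java.awt classes: the names that would go on the CLASSES list."""
    return sorted(set().union(*report.values()))


def build_sample_class(class_names):
    """Construct a minimal class file (magic, version and constant pool only, which is all
    referenced_classes() reads) that names the given classes. Constructed sample input
    for a self-check, not a real Terasology module class."""
    pool, index = [], 1
    for name in class_names:
        encoded = name.replace(".", "/").encode("utf-8")
        pool.append(bytes([CONSTANT_UTF8]) + struct.pack(">H", len(encoded)) + encoded)
        pool.append(bytes([CONSTANT_CLASS]) + struct.pack(">H", index))
        index += 2
    pool.append(bytes([CONSTANT_LONG]) + struct.pack(">q", 0))  # exercises the two-slot rule
    index += 2
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, index) + b"".join(pool)


if __name__ == "__main__":
    # Usage: python awt_refs.py JoshariasSurvival.jar LightAndShadow.jar ...
    for module in sys.argv[1:]:
        report = scan_module(module)
        for cls, refs in sorted(report.items()):
            print(f"{module}: {cls} -> {', '.join(refs)}")
        print(f"{module}: CLASSES candidates: {', '.join(whitelist_candidates(report))}")
```

Run it over each of the four module jars and merge the CLASSES candidates; anything the script reports but the crash loop never hit is a class that is referenced but only reached on an untested path, which is exactly the kind of entry worth a second look before it stays on the whitelist.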

Task tags

  • security
  • awt
  • java
  • writing

Students who completed this task

Isaac, Scott Moses Sunarto

Task type

  • Outreach / Research

2016