-
-
Notifications
You must be signed in to change notification settings - Fork 182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Malicious extension prevention #111
Comments
Ideas include: use a specific version/commit in the url. Save the commit ID in localstorage, and check the latest commit on load (in extension.js), and update that in localstorage as well. So we have a "version" and "latest version" or "update available" flag. That way we can show an update button. |
Maybe it would be safer to use the hash of the js file than the commit ID? |
Then we would need to redownload and calculate the hash of anything installed every time it checks. Is there a reason why commit ID wouldn't be safe? |
Pretty sure that you can't forge a commit id, and it is definitely easier to implement vs calculating hashes imo. |
Maybe we add a "this version has been manually reviewed by personA" to make sure the user knows the version has indeed been confirmed correct. If the review hasn't been performed, at that point we could inform the user that they're about to try software that has yet to be reviewed. |
@fivepixels While I agree this would be cool, I feel like needing a GitHub file for each extension and theme as well as needing to review things kind of defeats the purpose of having the marketplace being so accessible to repo owners to add their stuff. Regardless, I'll keep this idea in mind but this would probably need to be implemented after we implement padsters idea. We could create an issue format for extension/theme owners to request a review with requirements for a description for how to navigate the code and a brief description of the functions and such, to make the reviewing process a bit easier. (Or if they have commented their code properly that works too, but I know for a fact that my extensions code tend to be super messy and personally I would not want to go near reviewing them..) |
@CharlieS1103 I understand your point, but you don't need to evaluate anyone's code, you just need to check for malicious code, which is a far easier and simpler task in my view. |
@CharlieS1103 @theRealPadster I've been thinking over this for a while and I think it is time that we move towards a centralised manifest point of view. That is, having a manifest in spicetify-extensions (a new repo to host a readme to all the extensions + extensions manifest) and spicetify-themes (that holds a readme with images to all themes + themes manifest). This way we have more granular control of what we display to end-users.
Additionally, we wouldn't have problems related to this. spicetify/spicetify-themes#759 I really think that this is the way forward and I can help with the migration of these informing all creators and creating a base manifest holding all extensions & themes. Let me know what you think. |
For things such as the spicetify themes repo and such, the concept of having one repo for every theme/extension is more or less just impossible without losing a lot of extensions to laziness. Therefore, it would probably be best if we continue multi-extension/theme manifest support. |
Do you really think that people would not submit a PR out of laziness after dedicating a lot of work to creating said extension in the first place? I firmly disagree with this, especially because they already do it, except that it is within their repo. They add the manifest and the topic. If you weigh in the benefits vs disadvantages I think that a centralised manifest is better than centralised repos full of themes. Look at the Glaze theme for example, where the spicetify-themes version is severely out of date 👀 |
I agree and would like to get things converted to a single manifest at some point. Things are just way to up in the air right now with the jsx rewrite and the search feature that will need to be merged over as well. |
I'm going to assign myself and try to tackle it then (or at least try to give it an initial push)! |
@afonsojramos Didn't mean they wouldn't submit a PR, i meant that making them keep their extensions/themes in separate repos would probably be annoying for larger repos(spicetify-themes, my extension repo, and many others) So we probably shouldn't remove support for storing multiple extensions / themes in one repo. |
Rationale
Even thought there is already a deny list that tries to prevent malicious extensions from running on the user's machines, after an extension is installed third parties can just update the extension at any given time with malicious code without oversight.
This brings tremendous risk as it has been proven in the industry that it can happen.
Proposed solution
Obviously we cannot guarantee full on security without manual checks, which is completely out of question. Therefore I recommend that we provide an option to disable automatic updates/a manual update section. This way users could always validate the extensions they are adding before doing so.
The text was updated successfully, but these errors were encountered: