cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Horn, Julian C" <julian.c.h...@intel.com>
Subject Plugin Install Hooks
Date Mon, 09 Feb 2015 16:28:26 GMT
We have identified a security issue with the recently added feature of install-time plugin
hooks.

As far as I can tell, there is nothing that prevents creation of a plugin with a malicious
install-time hook script.  Adding that plugin to a project could corrupt the user's host machine.
 If that project using that plugin is submitted to a build server, then the build server could
be corrupted.

Yes, you can use lower level plugman scripts to fetch plugins and then pre-scan them for install
time hooks and track down all the dependencies and scan them too.  So this is fixable (on
a build server), but it's a lot of extra work; "cordova plugin add" should not be an unsafe
operation.

I propose that the CLI should check to see if a plugin requires an install-time hook and require
the user to explicitly grant permission before executing the install hook.  A build server
would always deny permission.

Is there something I'm missing here?

    Julian
Mime
View raw message