Are there any security limitations imposed on plugins now or planned?


With browser plugins there have long been different security limitations imposed.

In the case of Firefox, plugins have been reviewed prior to publication, and in the case of Chrome the plugin is given granular access at the time of installation.

With Atom it seems that neither of these is true. A plugin is not given any review prior to publication and it’s not given any granular access?

So whenever an update to a plugin is published, it will instantly be available to all and instantly have access to whatever new feature it desires?

As Atom plugins, as far as I understand, can have access to both the file system and HTTP requests and can also execute local commands, it seems like what is a very harmless plugin could, if the author is compromised, become a plugin that does quite a bit of harm.

In light of some larger plugins having added some unwanted visible features, and the time it took for the community to react to that, it makes me wonder what would happen if someone with a more malicious intent became able to do the same.

Spontaneously it feels like Atom would benefit from adopting either the Firefox model of crowdsourced module reviewing, with modules opting in to have their releases flagged as verified, or the Chrome model of limiting the access a module has by default and requiring it to ask for any additional access.

This also sounds like something that has been discussed since the very beginning of Atom:

But I can’t find any more substantial thoughts or discussions on this topic (maybe apart from issues #1013 and #1763, the latter of which was closed as stale).


A case of a live malicious npm module currently stealing environment variables came up on Twitter today:

Are there any safeguards in Atom that would limit the impact of such a malicious module or is the only protection one can have to try and lock down any such uploading of data with something like Little Snitch?


It would be great to see at least required permissions for each plugin… just like for Android apps.
E.g. when a plugin for code decorating requires access to the Internet, that looks suspicious.
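
The permission-style check discussed in this thread, as an added example that is not part of any post above and not Atom's own code: it derives a coarse capability list from a package's source and reports what a new release references that the previous one did not. The capability labels, function names and the two sample releases are constructed for illustration.

```javascript
// Coarse capability labels per Node core module (the labels are this example's own).
const CAPABILITY_BY_MODULE = new Map([
  ['fs', 'filesystem'], ['fs/promises', 'filesystem'],
  ['http', 'network'], ['https', 'network'], ['net', 'network'], ['dgram', 'network'],
  ['child_process', 'process-execution'],
]);

// require('x'), CoffeeScript-style require 'x', and static import ... from 'x'.
const MODULE_REF =
  /\brequire\s*\(?\s*['"]([^'"]+)['"]|\bimport\s+(?:[^'"]*?\sfrom\s+)?['"]([^'"]+)['"]/g;

// Capabilities referenced by one source file, as a sorted array.
function capabilitiesOf(source) {
  const caps = new Set();
  for (const m of source.matchAll(MODULE_REF)) {
    const cap = CAPABILITY_BY_MODULE.get((m[1] || m[2]).replace(/^node:/, ''));
    if (cap) caps.add(cap);
  }
  // Globals available in an Electron renderer need no require() at all.
  if (/\b(fetch|XMLHttpRequest|WebSocket)\b/.test(source)) caps.add('network');
  if (/\bprocess\.env\b/.test(source)) caps.add('environment');
  return [...caps].sort();
}

// Union over every file of a package; `files` maps path -> source text.
function packageCapabilities(files) {
  const caps = new Set();
  for (const src of Object.values(files)) capabilitiesOf(src).forEach((c) => caps.add(c));
  return [...caps].sort();
}

// Capabilities the new release references that the old one did not.
function addedCapabilities(oldFiles, newFiles) {
  const before = new Set(packageCapabilities(oldFiles));
  return packageCapabilities(newFiles).filter((c) => !before.has(c));
}

// Constructed sample: two releases of a hypothetical line-decoration package.
const V1_0_0 = { 'lib/main.js': "const { CompositeDisposable } = require('atom');\n" };
const V1_0_1 = {
  'lib/main.js': "const { CompositeDisposable } = require('atom');\n",
  'lib/stats.coffee': "https = require 'https'\nvars = process.env\n",
};

console.log('1.0.0 uses:', packageCapabilities(V1_0_0));
console.log('1.0.1 adds:', addedCapabilities(V1_0_0, V1_0_1));
```

A static scan like this is a review aid only: module names built at run time are not seen, so it narrows what to read in an update rather than enforcing anything.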