Description
So far we have made it harder to use 3rd party plugins until we figure out some more security guardrails. At the very least, we need users to opt into use the plugin explicitly - in case some malicious program modified a .env file to reference a malicious plugin.
Right now we do allow using 3rd party plugins only by referencing a file path, although we dont advertise it heavily in the docs, and is mostly geared towards local development or custom one-off validations.
But we do want to allow 3rd plugins to some degree now, so...
When running varlock via node_modules, we already require that plugins be installed via package.json - we can assume the user has blessed the 3rd party plugin if they have explicitly installed it, so we can allow it. The more dangerous path is for the standalone binary where we automatically download plugins. If we add an additional user confirmation step before downloading the plugin (for non @varlock namespaced plugins), this should be enough. Future improvements can be around integrity checks against npm - and potentially using https://vlt.sh for those downloads.
Also, as part of this work, we should add docs around plugin authoring (see https://github.com/dmno-dev/varlock/blob/main/packages/varlock/src/plugin-lib.ts for what plugins are expected to import and use)
Motivation
No response
Proposed Solution
No response
Alternatives
No response
Additional Information
No response
Description
So far we have made it harder to use 3rd party plugins until we figure out some more security guardrails. At the very least, we need users to opt into use the plugin explicitly - in case some malicious program modified a .env file to reference a malicious plugin.
Right now we do allow using 3rd party plugins only by referencing a file path, although we dont advertise it heavily in the docs, and is mostly geared towards local development or custom one-off validations.
But we do want to allow 3rd plugins to some degree now, so...
When running varlock via node_modules, we already require that plugins be installed via package.json - we can assume the user has blessed the 3rd party plugin if they have explicitly installed it, so we can allow it. The more dangerous path is for the standalone binary where we automatically download plugins. If we add an additional user confirmation step before downloading the plugin (for non
@varlocknamespaced plugins), this should be enough. Future improvements can be around integrity checks against npm - and potentially using https://vlt.sh for those downloads.Also, as part of this work, we should add docs around plugin authoring (see https://github.com/dmno-dev/varlock/blob/main/packages/varlock/src/plugin-lib.ts for what plugins are expected to import and use)
Motivation
No response
Proposed Solution
No response
Alternatives
No response
Additional Information
No response