belaviyo / send-to-vlc

A WebExtension to send streamable media sources to VLC (VideoLAN) media player
http://add0n.com/send-to-vlc.html
Mozilla Public License 2.0
131 stars 38 forks

Native client security and speed concerns #25

Open Self-Perfection opened 5 years ago

Self-Perfection commented 5 years ago

Security

While installing the native client I wanted to check what my computer is going to run. At first it seemed an easy task - just review three short js scripts, but it turned out that this native client basically runs any script received from the addon. Wow. So now I have to review the whole extension code as well to feel safe.

Basically any eval in code is a security breach. Even if the current version of the addon is safe, future updates might become malicious. @belaviyo, what if someone gets access to your account and pushes an addon update which runs malicious code? Running code from the addon in vm practically defies the purpose of WebExtensions restrictions.

For now I just disabled updates of Send to VLC addon but still.

Speed

On the laptop on which I use this addon, one native client run takes 1.0 s of CPU. That is 1s of delay before the player starts and is twice as much as the CPU time required by VLC to start. I admit this laptop is rather slow, but that's the whole point of using the Send to VLC addon! Youtube in the browser just hiccups and shows a still image in the video, and VLC shows the same video perfectly. nodejs gives huge overhead.


As I see it, the proper way to run VLC from the browser should use a script with a lightweight interpreter. Python seems a good enough choice; it is 10-20 times faster to start than nodejs and it is already installed much more often than nodejs, at least python should be present on all mac and linux systems. And it should implement a really simple protocol, which just gets a list of URLs (the native client itself should check that all received strings look like links).

I am willing to help with the native client script, if you find these concerns serious.
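
The simple protocol proposed in the comment above, sketched as an added example (not code from this thread or from the send-to-vlc project): a Python native messaging host that accepts only a list of http(s) URLs and never evaluates anything it receives. The `urls` message key, the size caps and `vlc` being on PATH are assumptions.

```python
import json
import struct
import subprocess
import sys
from urllib.parse import urlsplit

MAX_MESSAGE = 64 * 1024  # assumed cap; a list of URLs never needs more
MAX_URLS = 50            # assumed cap on playlist length


def read_message(stream):
    """Read one native-messaging frame: 4-byte native-endian length, then UTF-8 JSON."""
    header = stream.read(4)
    if len(header) != 4:
        raise ValueError("truncated length header")
    (size,) = struct.unpack("=I", header)
    if size > MAX_MESSAGE:
        raise ValueError("message too large")
    body = stream.read(size)
    if len(body) != size:
        raise ValueError("truncated body")
    return json.loads(body.decode("utf-8"))


def validate_urls(message):
    """Return the URL list only if every entry is a plain http(s) link."""
    urls = message.get("urls") if isinstance(message, dict) else None
    if not isinstance(urls, list) or not 0 < len(urls) <= MAX_URLS:
        raise ValueError("expected a non-empty 'urls' list")
    for url in urls:
        if not isinstance(url, str) or any(ord(c) <= 32 or ord(c) == 127 for c in url):
            raise ValueError("URL must be a string without spaces or control characters")
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("only http(s) URLs with a host are accepted")
    return urls


def build_command(urls, vlc="vlc"):
    """Argument list for Popen (no shell); validated URLs cannot start with '-' or ':'."""
    return [vlc, *urls]


if __name__ == "__main__":
    try:
        command = build_command(validate_urls(read_message(sys.stdin.buffer)))
    except ValueError as err:  # also covers malformed JSON and bad UTF-8
        sys.exit(f"rejected: {err}")
    # stdout is the channel back to the browser, so VLC must not inherit it
    subprocess.Popen(command, stdin=subprocess.DEVNULL,
                     stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
```

With a host like this, the only thing a compromised or malicious extension update can ask for is that VLC open http(s) URLs.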

belaviyo commented 5 years ago

The whole idea of writing the native client in NodeJS is to have a code that the user can simply review. Python is another option, but to me having both client and native part in a single language is more readable. If speed is your concern, you can write the native client in C++ with just a few lines of code, but then you will need to compile it and it would be really hard for a reviewer to make sure the code is safe.

> future updates might become malicious.

This concern stands for all add-ons. Fortunately, at least in Mozilla, add-ons get reviewed. Anyhow, I am open to ideas that help protect users' security.

For now, this extension does this by:

  1. Using the official NodeJS executable
  2. All of the coding part is on the extension side
  3. Native part only allows access to the modules that the client already requested permission for.