browserutils / kooky

Go code to read cookies from browser cookie stores.
MIT License
198 stars 41 forks

Is this package secure? #72

Open kkHAIKE opened 6 months ago

kkHAIKE commented 6 months ago

I noticed that some packages with very low stars have been included. I think this repository should prioritize security.

zellyn commented 6 months ago

I mean, it's called "kooky" for a reason. You'd be crazy to use it! 😂

adamdecaf commented 6 months ago

@kkHAIKE Do you have any specific concerns or questions about this codebase?

kkHAIKE commented 6 months ago

Just a bit anxious, but there are no other options. Worried that he might be manipulated by malicious packages or PR control.

zellyn commented 6 months ago

I really like the idea of trying to keep the dependencies as minimal as possible, but I'm not knowledgeable enough about the various cookie and secret stores to remove any of the current dependencies easily. 😞 Some of them, like ordereddict, we should look into…

xob0t commented 2 months ago

> Just a bit anxious, but there are no other options. Worried that he might be manipulated by malicious packages or PR control.

There is another way to get cookies, at least for Chrome: rod.

srlehn commented 2 months ago

rod asks a running chrome instance for the cookies afaik.

Breakdown of the few dependencies:

# needed for decryption
github.com/keybase/go-keychain
github.com/zalando/go-keyring
github.com/godbus/dbus/v5

# needed for pure go sqlite
github.com/go-sqlite/sqlite3
github.com/gonuts/binary - only 300 lines, easy to proofread

# for firefox (querying profile location in profiles.ini config file)
github.com/go-ini/ini

# for example program
github.com/spf13/pflag

# for firefox host field in the sqlite db - see #69
github.com/bobesa/go-domain-util

# ESE parsing for old IE/Edge cookie stores
# Velocidex does digital forensics
www.velocidex.com/golang/go-ese
github.com/Velocidex/ordereddict - pulls in the yaml + json packages
# 10k lines (yaml+json+spew) ballast that we could strip off with an internal fork of the ese package
github.com/Velocidex/yaml/v2
github.com/Velocidex/json
github.com/davecgh/go-spew - pulled in by the ese package

# official x packages
golang.org/x/crypto
golang.org/x/net
golang.org/x/sys
golang.org/x/text
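One way to check a breakdown like the one above against the real module graph, as an added example that is not part of the kooky project or of this thread: the program below parses the text format `go mod graph` prints (one `parent child` pair per line, every module except the main one suffixed with `@version`) and, for a chosen dependency, lists the modules that are reachable from the root only through it. That set is exactly what an internal fork of the dependency, or dropping it, would remove from the build. The embedded graph is constructed for illustration: only the "pulled in by the ese package" and "gonuts/binary via go-sqlite/sqlite3" relationships are stated in the thread, the remaining edges and all versions are placeholders, and the root module path is assumed from the repository name. On a real checkout you would feed it `go mod graph` output instead.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// root is the assumed main module path (taken from the repository name).
const root = "github.com/browserutils/kooky"

// sampleGraph is a constructed stand-in for `go mod graph` output.
// Versions are placeholders; only the ese->ordereddict/spew and
// sqlite3->binary edges reflect what the thread states.
const sampleGraph = `github.com/browserutils/kooky github.com/go-sqlite/sqlite3@v0.0.0-placeholder
github.com/browserutils/kooky www.velocidex.com/golang/go-ese@v0.0.0-placeholder
github.com/browserutils/kooky github.com/go-ini/ini@v0.0.0-placeholder
github.com/browserutils/kooky github.com/zalando/go-keyring@v0.0.0-placeholder
github.com/go-sqlite/sqlite3@v0.0.0-placeholder github.com/gonuts/binary@v0.0.0-placeholder
www.velocidex.com/golang/go-ese@v0.0.0-placeholder github.com/Velocidex/ordereddict@v0.0.0-placeholder
www.velocidex.com/golang/go-ese@v0.0.0-placeholder github.com/davecgh/go-spew@v0.0.0-placeholder
github.com/Velocidex/ordereddict@v0.0.0-placeholder github.com/Velocidex/yaml/v2@v0.0.0-placeholder
github.com/Velocidex/ordereddict@v0.0.0-placeholder github.com/Velocidex/json@v0.0.0-placeholder
github.com/Velocidex/json@v0.0.0-placeholder github.com/davecgh/go-spew@v0.0.0-placeholder
github.com/zalando/go-keyring@v0.0.0-placeholder github.com/godbus/dbus/v5@v0.0.0-placeholder
`

// modulePath drops the "@version" suffix that `go mod graph` appends to
// every module except the main module.
func modulePath(s string) string {
	if i := strings.IndexByte(s, '@'); i >= 0 {
		return s[:i]
	}
	return s
}

// parseGraph turns `go mod graph` text into an adjacency list keyed by
// module path. Blank or malformed lines are skipped.
func parseGraph(text string) map[string][]string {
	g := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		from, to := modulePath(fields[0]), modulePath(fields[1])
		g[from] = append(g[from], to)
	}
	return g
}

// reachable returns every module reachable from start by breadth-first
// search, never traversing through skip (pass "" to skip nothing).
func reachable(g map[string][]string, start, skip string) map[string]bool {
	seen := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range g[cur] {
			if next == skip || seen[next] {
				continue
			}
			seen[next] = true
			queue = append(queue, next)
		}
	}
	return seen
}

// exclusiveDeps lists the modules that would vanish from the build graph if
// dep were dropped or forked without its imports: those reachable from root
// only through dep. dep itself is not included. The result is sorted.
func exclusiveDeps(g map[string][]string, root, dep string) []string {
	with := reachable(g, root, "")
	without := reachable(g, root, dep)
	var out []string
	for m := range with {
		if m != dep && !without[m] {
			out = append(out, m)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	g := parseGraph(sampleGraph)
	for _, dep := range []string{
		"www.velocidex.com/golang/go-ese",
		"github.com/Velocidex/ordereddict",
		"github.com/go-sqlite/sqlite3",
	} {
		fmt.Printf("dropping %s would also remove:\n", dep)
		for _, m := range exclusiveDeps(g, root, dep) {
			fmt.Println("   ", m)
		}
	}
}
```

Note that dropping only `ordereddict` in this constructed graph leaves `go-spew` in place, because the ese module also imports it directly; the "exclusive" computation makes that kind of shared edge visible, which a plain dependency list does not.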

srlehn commented 2 months ago

> I noticed that some packages with very low stars have been included. I think this repository should prioritize security.

A low star count doesn't mean bad security. gonuts/binary, for example, was probably one of the few package options available when it was chosen as a dependency for the go-sqlite/sqlite3 package a few years ago, on which kooky itself depends. "binary" consists of only 300 lines of code in a single go file. The yaml, json, go-spew dependencies pulled in by our ESE parser dependency, on the other hand, are useless ballast we really could strip off...