molsonkiko / JsonToolsNppPlugin

A Notepad++ plugin providing tools for JSON like linting, querying, a tree view, and CSV conversion.
Apache License 2.0

Security Review #62

Closed NBsecurity closed 2 months ago

NBsecurity commented 2 months ago

Doing a security review on the JSON Tools plug-in. Is there any documentation about privacy? Does it process everything locally on the machine? No data is sent outside the machine (by default)?

molsonkiko commented 2 months ago

All config data for JsonTools is stored locally, and the only things in JsonTools that communicate with remote resources are the links to documentation (which go to this GitHub repo) and the JSON from files and APIs form, the source code for which is here and here. As such, there is no documentation about privacy.

There is some "unsafe" code in JsonTools in PluginInfrastructure because JsonTools has to communicate with Notepad++ using structs, which introduce the potential for memory leaks. The plugin infrastructure appears reasonably sound to me, and in any case it seems like the worst-case scenario for a bug in the plugin infrastructure is that Notepad++ crashes.

I am not a security expert, and I'm not that comfortable working with super low-level code, as evidenced by my decision to write this plugin in C# instead of C++. I try to be very conscientious, but bugs still slip through the cracks. If you don't trust me, that's fine, and you're welcome to try alternative tools for working with JSON.

molsonkiko commented 2 months ago

If you notice any problematic code that you think you could improve, feel free to open a pull request. Since this issue doesn't point to a specific problem in the code and you haven't responded yet, I'm going to close this issue.

NBsecurity commented 2 months ago

I appreciate the quick response, feedback, and detail. I'm more from the support world of software, systems, and infrastructure. Coding is not my specialty.

On Fri, Apr 19, 2024 at 6:29 PM molsonkiko @.***> wrote:

All config data for JsonTools is stored locally, and the only things in JsonTools that communicate with remote resources are the links to documentation (which go to this GitHub repo) and the JSON from files and APIs form https://github.com/molsonkiko/JsonToolsNppPlugin/blob/main/docs/README.md#get-json-from-files-and-apis, the source code for which is here https://github.com/molsonkiko/JsonToolsNppPlugin/blob/main/JsonToolsNppPlugin/Forms/GrepperForm.cs and here https://github.com/molsonkiko/JsonToolsNppPlugin/blob/main/JsonToolsNppPlugin/JSONTools/JsonGrepper.cs. As such, there is no documentation about privacy.

There is some "unsafe" code in JsonTools in PluginInfrastructure https://github.com/molsonkiko/JsonToolsNppPlugin/tree/main/JsonToolsNppPlugin/PluginInfrastructure because JsonTools has to communicate with Notepad++ using structs, which introduce the potential for memory leaks. The plugin infrastructure appears reasonably sound to me, and in any case it seems like the worst-case scenario for a bug in the plugin infrastructure is that Notepad++ crashes.

I am not a security expert, and I'm not that comfortable working with super low-level code, as evidenced by my decision to write this plugin in C# instead of C++. I try to be very conscientious, but bugs still slip through the cracks. If you don't trust me, that's fine, and you're welcome to try alternative tools for working with JSON.
