Closed pomdtr closed 2 years ago
dko-slapdash
commented
2 years ago Hi, good question!
In "Cloud Commands" model, the script which is pointed by an URL is not executed on your machine. The URL is just fetched (with GET or POST request depending on conditions), and then the result is displayed.
pomdtr
commented
2 years ago Oh you're right, I forgot about that !
What about the open action ? I fear that remote scripts could potentially redirect the user to a malicious website.
dko-slapdash
commented
2 years ago Well, any website we visit could potentially redirect the user to a malicious website... There is no difference here with the browser.
pomdtr
commented
2 years ago Thanks for the explanation.
Last question: In order to use the github stars endpoint (https://www.taraszubyk.com/api/slapdash/github-stars), I am supposed to provide my github access-token. However I'm not sure I trust the owner of this website with this information. If the code was hosted and reviewed by the slapdash team, I might use it.
dko-slapdash
commented
2 years ago This command is open-sourced, so if you don't trust the author, then you can run it on your own server (the simplest way is to use Vercel or Replit - https://platform.slapdash.com/command-bar-101/cloud-commands). Also, the token (and any other config data of the command) is stored encrypted on our end and is decrypted only in the very end. But you're right: if the author of some cloud command decided to steal the token you provided, they can theoretically do so (basically, any software which you feed with such a token, like a VSCode extension or a Chrome extension, can do such things too), and the only way to feel safe is to have the command script on your premises.
taras-slapdash
commented
2 years ago @pomdtr I hope your questions were answered. I'm going to close this issue but please re-open if you have follow-up questions. Cheers!
Hey, I just discoverd the slapdash extension api and I am really impressed by it.
I have an interrogation about the publishing model : it seems like you store an url to the contributed scripts in this central repository. What happens if a contributor decide to update his script to execute code on my machine ? Is there any safeguards against it ?