Security Concerns Regarding Third-Party Plugin Downloads

[jewdev]

Dear Flow Launcher Team,

I have a question regarding the security of Flow Launcher when handling third-party plugins. Since the program allows plugins to be downloaded directly from third-party repositories on platforms like GitHub by fetching the release zip file, I’m curious about the measures to prevent potential security risks.

For example, what prevents someone with access to the third-party repository from tampering with the zip file in the releases section, such as replacing it with malicious code? Given that these repositories are not under Flow Launcher’s control, how does the program ensure that the downloaded plugin is secure and hasn’t been altered to contain harmful code?

Are there safeguards like checksum validation, signature verification, or any other mechanism implemented to verify the integrity and authenticity of the downloaded plugins?

This is an important topic to address for the safety of the user community and would appreciate any clarification you can provide.

Thank you for your time and the excellent work you do with Flow Launcher.

Best regards,
jd.

[Garulf]

At this moment all plugins added to the store are tested and looked at upon submission. A public workflow that builds and packages is generally required (but some older plugins may not have this fully).

The "plugin store" is more of a collection of plugins to help users discover, and at the moment does not provide any guarantees.

This is something i feel the entire @Flow-Launcher/team should weigh in on.

[taooceros]

On the other hand, we don't have enough resource to manage all the release update (it is not feasible for us to track all the update. It is even not feasible for us to review all the source code at plugins initial submission). This means that we already give some trust to the developer that they wouldn't publish malicious code when updating. Thus, using checksum to prevent developer from updating their release binary wouldn't work given the current scenario.

I am not sure whether there are good api for testing malicious code? Since the python plugins (or js plugins) are released in source code, I don't know whether there are any security guard that can possibly detect whether their code is wrong. If you have any other idea, please feel free to raise here.

Thus, as @Garulf mentioned, the plugin store are more of a plugins collection rather than a verified store, which means users have to use plugin with their own risk. On the other hand, if someone detect malicious code within plugins, we are very willing to remove them from the store or even banning them from submitting plugins.

Thanks!

[jjw24]

Thank you for raising these valid concerns.

Plugins are reviewed during submission to ensure no malicious actions in the code, and GitHub workflow is mandated for publishing the release zip to ensure authenticity. This of course only guarantees at the point of plugin submission.

Our plugin list has grown a lot recently, and I agree we need improved measures to provide better assurance to the user community for the usage of these plugins.

We do lack the process to validate post-submission plugins, so I would recommend:

1. Checksum validation in flow that verifies the zip downloaded is the same as the one listed in the plugin manifest file.
2. A new GitHub workflow in PluginsManifest repo to validate checksum periodically to ensure released zip file is not subsequently changed, and help us discover quickly if it is.
3. A new GitHub workflow in PluginsManifest repo that submits to VirusTotal (or similar service) on plugin submission and version update to scan for malicious code.
4. A new GitHub workflow in PluginsManifest repo to detect binary files embedded in the project source code.

Edit:
5. A reminder message in flow about taking caution.

Additional suggestions are always welcome. Let's try and get this sorted for start of 2025.

Help with PRs to https://github.com/Flow-Launcher/Flow.Launcher.PluginsManifest.

Keep the conversation going, what else we haven't thought of/covered?

[Garulf]

It should be noted that no solution is 100%, I feel a simple dialog on first visit of the plugin page should pop up a dialog with a simple message about taking caution.

[jjw24]

Yes that's right. We need to implement this reminder.

We also need the community to help us as well, if a plugin is not doing the right thing, let us know.

[VictoriousRaptor]

On first install maybe better, because we have pm install.

[jjw24]

One extra slide in the welcome wizard screen? Seems like the place to put it.

[deefrawley]

It needs to go in this dialog box. It should show every time a user installs a plugin.

[jewdev]

Informing users to exercise caution is definitely a great first step. However, I agree with @deefrawley that there should also be a popup whenever a user downloads a plugin. While it might be a bit inconvenient, it’s important to ensure users are fully aware of potential risks.