feat: localize plugin provider to mitigate supply chain attacks #70
Conversation
|
I'd like to get an open examples PR open so that we can merge it at the same time as this, to minimize time where we're hosting an incompatible set of tools. |
|
How does this reduce the risk? |
|
@kumavis Per #53, the concern was that injecting a By passing the sensitive/permissioned API as an argument, the plugin has a controlled scope around the variable, and so other dependencies would not have access to it. Maybe we should have verified the attack first: In your opinion, is a SES container already adequately scoped? |
|
We're now running the experiment: Can entry index.js require a second module attacker.js that can then access wallet globally? |
|
Closing for now since some questions were raised about the efficacy of this approach. |
This pull request localizes plugin provider instances within plugins to mitigate the possibility of dependency supply chain attacks. This is done by exposing a new top-level
registerPluginAPI; this seemed like less of a hack than relying on internal (possibly changing) semantics of immutability within SES.Note: Once this lands, the following updates should be made:
Resolves #53