
[ADDITION] Notesnook

Open thecodrr opened this issue 3 years ago • 5 comments

Category

Productivity > Digital Notes

Software to be added

Notesnook is a (soon to be open source) end to end encrypted note taking alternative to Evernote & OneNote. I think it will be a good fit for the list of privacy focused software you are making.

Supporting Material

Website: https://notesnook.com GitHub: https://github.com/streetwriters/notesnook/

Association Disclosure

I am the co-founder

Would you like to submit a PR?

Yes!

Please tick the boxes

  • [X] You have filled out this form accurately, and to the best of your knowledge
  • [X] You have indicated whether or not you are associated with the suggested addition
  • [X] A similar submission has not already been opened for this software/ service
  • [X] You agree to the code of conduct

thecodrr avatar Jul 28 '22 22:07 thecodrr

Heya @thecodrr

Notesnook looks pretty cool, nice work :)

But let's wait until it's open source before considering it

And I guess that once the repo is updated, it will also be possible for users to self-host it if they wish?

Btw, I really like vericrypt.notesnook.com, solves a very important problem.

Not sure if you were aware, but on the homepage, the link to the privacy policy (https://notesnook.com/privacy) returns a 404.

Lissy93 avatar Jul 29 '22 15:07 Lissy93

I was having a quick look through the code that's in the repo, and although I'm not sure where the different components fit in, there were a couple of things you might want to double check

  • I know umami is much better than GA, but is the stuff in src/utils/analytics.ts off by default?
  • On the same topic, maybe also verifying the integrity of imported scripts from external sources would add a layer of protection
  • Some of the regexes used in Vericrypt, in src/utils/curlparser.ts, are susceptible to backtracking, see more: ReDoS
  • Though just the test environment, but having user-supplied values included in shell commands that are executed directly, may not be a great idea, in packages/tinymce-plugins/scripts/testHarness.js
  • Minor one, but even though it's a trusted URL, if you're going to use JS instead of an anchor, then it's probably best to also specify noopener, in src/components/ErrorsList.tsx
  • Not related to security, but in vericrypt/src/App.tsx you're re-defining key which was declared above as state. Could lead to unexpected results, maybe some linting could help?

Lissy93 avatar Jul 29 '22 16:07 Lissy93

And I guess that once the repo is updated, it will also be possible for users to self-host it if they wish?

Yes, that'll be possible eventually. Initially the client apps & the shared core will be open sourced. Afterwards, once we have properly tested the self hosting approach, we will open source the sync server.

I know umami is much better than GA, but is the stuff in src/utils/analytics.ts off by default?

Analytics can be easily toggled on/off on the Importer (where they are used right now) like so: [screenshot of the analytics toggle]

Hovering on the toggle shows a tooltip which tells what is being collected & how.

On the same topic, maybe also verifying the integrity of imported scripts from external sources would add a layer of protection

All scripts are self-hosted so this is not necessary. They are all 1st party scripts.

Some of the regexes used in Vericrypt, in src/utils/curlparser.ts, are susceptible to backtracking, see more: ReDoS

Thank you for the heads up. This curlparser approach was obsolete anyway. I went ahead & upgraded Vericrypt for the new Sync API being used in Notesnook (which uses WebSockets & Message Pack underneath). So this has been removed.

Though just the test environment, but having user-supplied values included in shell commands that are executed directly, may not be a great idea, in packages/tinymce-plugins/scripts/testHarness.js

The tinymce-plugins package is no longer being used or developed (I haven't updated the status yet). We migrated to Tiptap this month so these files will be archived/removed as well.

Minor one, but even though it's a trusted URL, if you're going to use JS instead of an anchor, then it's probably best to also specify noopener, in src/components/ErrorsList.tsx

Done.

Thank you for taking the time to review this. I am really excited about open sourcing Notesnook; it'll definitely open new opportunities for growth.

thecodrr avatar Jul 30 '22 03:07 thecodrr

@Lissy93 Notesnook is now fully open source! You can check the code here: https://github.com/streetwriters/notesnook

thecodrr avatar Sep 01 '22 17:09 thecodrr

@Lissy93 We have also open sourced the Notesnook Sync Server: https://github.com/streetwriters/notesnook-sync-server

thecodrr avatar Jan 08 '23 08:01 thecodrr