
Is this package secure?

Open kkHAIKE opened this issue 1 year ago • 7 comments

I noticed that some packages with very low stars have been included. I think this repository should prioritize security.

kkHAIKE, Jan 22 '24 06:01

I mean, it's called "kooky" for a reason. You'd be crazy to use it! 😂

zellyn, Jan 22 '24 17:01

@kkHAIKE Do you have any specific concerns or questions about this codebase?

adamdecaf, Jan 22 '24 22:01

Just a bit anxious, but there are no other options. Worried that he might be manipulated by malicious packages or PR control.

kkHAIKE, Jan 23 '24 03:01

I really like the idea of trying to keep the dependencies as minimal as possible, but I'm not knowledgeable enough about the various cookie and secret stores to remove any of the current dependencies easily. 😞 Some of them, like ordereddict, we should look into…

zellyn, Jan 23 '24 21:01

> Just a bit anxious, but there are no other options. Worried that he might be manipulated by malicious packages or PR control.

There is another way to get cookies, at least for Chrome: rod

xob0t, May 03 '24 22:05

rod asks a running chrome instance for the cookies afaik.

Breakdown of the few dependencies:

```
# needed for decryption
github.com/keybase/go-keychain
github.com/zalando/go-keyring
github.com/godbus/dbus/v5

# needed for pure go sqlite
github.com/go-sqlite/sqlite3
github.com/gonuts/binary - only 300 lines, easy to proofread

# for firefox (querying profile location in profiles.ini config file)
github.com/go-ini/ini

# for example program
github.com/spf13/pflag

# for firefox host field in the sqlite db - see #69
github.com/bobesa/go-domain-util

# ESE parsing for old IE/Edge cookie stores
# Velocidex does digital forensics
www.velocidex.com/golang/go-ese
github.com/Velocidex/ordereddict - pulls in the yaml + json packages
# 10k lines (yaml+json+spew) ballast that we could strip off with an internal fork of the ese package
github.com/Velocidex/yaml/v2
github.com/Velocidex/json
github.com/davecgh/go-spew - pulled in by the ese package

# official x packages
golang.org/x/crypto
golang.org/x/net
golang.org/x/sys
golang.org/x/text
```

srlehn, May 25 '24 18:05
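The breakdown above attributes each transitive module to the direct dependency that drags it in (the yaml/json/spew ballast arrives via the ESE parser). That attribution is what `go mod graph` and `go mod why -m` give you for a real module, and it is worth scripting when reviewing a dependency tree. The following is an added example, not code from the kooky project: a small Go tool that reads a `go mod graph` edge list, finds the chain from the root module to a given module, and counts how many modules each direct dependency pulls in. The embedded graph is a constructed sample whose module paths mirror the thread; its edges, versions and the root path `github.com/browserutils/kooky` are assumptions for illustration, not kooky's actual graph.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output
// ("parent child@version" per line). Edges and versions are assumed.
const sampleGraph = `github.com/browserutils/kooky github.com/go-sqlite/sqlite3@v0.0.0-20240101
github.com/browserutils/kooky github.com/zalando/go-keyring@v0.2.3
github.com/browserutils/kooky github.com/go-ini/ini@v1.67.0
github.com/browserutils/kooky www.velocidex.com/golang/go-ese@v0.1.0
github.com/go-sqlite/sqlite3@v0.0.0-20240101 github.com/gonuts/binary@v0.2.0
www.velocidex.com/golang/go-ese@v0.1.0 github.com/Velocidex/ordereddict@v0.0.0-20230101
www.velocidex.com/golang/go-ese@v0.1.0 github.com/davecgh/go-spew@v1.1.1
github.com/Velocidex/ordereddict@v0.0.0-20230101 github.com/Velocidex/yaml/v2@v2.2.8
github.com/Velocidex/ordereddict@v0.0.0-20230101 github.com/Velocidex/json@v0.0.0-20220101
`

// stripVersion turns "path@version" into "path"; the root module has no version.
func stripVersion(mod string) string {
	if i := strings.IndexByte(mod, '@'); i >= 0 {
		return mod[:i]
	}
	return mod
}

// parseGraph builds an adjacency list keyed by module path. The first parent
// seen is the main module, which is how `go mod graph` orders its output.
func parseGraph(text string) (root string, edges map[string][]string) {
	edges = map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		parent, child := stripVersion(f[0]), stripVersion(f[1])
		if root == "" {
			root = parent
		}
		edges[parent] = append(edges[parent], child)
	}
	return root, edges
}

// whyPath is a minimal `go mod why -m`: the shortest chain root -> ... -> target,
// or nil when target is not reachable.
func whyPath(edges map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// transitiveCount reports, per direct dependency of root, how many further
// modules it drags in (0 means a leaf dependency).
func transitiveCount(edges map[string][]string, root string) map[string]int {
	counts := map[string]int{}
	for _, direct := range edges[root] {
		seen := map[string]bool{direct: true}
		stack := []string{direct}
		for len(stack) > 0 {
			cur := stack[len(stack)-1]
			stack = stack[:len(stack)-1]
			for _, next := range edges[cur] {
				if !seen[next] {
					seen[next] = true
					stack = append(stack, next)
				}
			}
		}
		counts[direct] = len(seen) - 1
	}
	return counts
}

func main() {
	text := sampleGraph
	if len(os.Args) > 1 && os.Args[1] == "-" { // `go mod graph | go run depwhy.go -`
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		text = string(b)
	}
	root, edges := parseGraph(text)
	for _, m := range []string{"github.com/davecgh/go-spew", "github.com/Velocidex/yaml/v2"} {
		fmt.Println(strings.Join(whyPath(edges, root, m), " -> "))
	}
	counts := transitiveCount(edges, root)
	directs := make([]string, 0, len(counts))
	for d := range counts {
		directs = append(directs, d)
	}
	sort.Slice(directs, func(i, j int) bool { return counts[directs[i]] > counts[directs[j]] })
	for _, d := range directs {
		fmt.Printf("%-45s pulls in %d module(s)\n", d, counts[d])
	}
}
```

Run it stand-alone to see the constructed sample, or in a module root as `go mod graph | go run depwhy.go -` to get the real attribution; cross-check any surprising chain with `go mod why -m <module>`, and note that `go mod graph` lists every module in the build list, including ones only needed by tests of dependencies, so a chain here does not by itself prove the code is linked into your binary.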

> I noticed that some packages with very low stars have been included. I think this repository should prioritize security.

A low star count doesn't mean bad security. gonuts/binary, for example, was probably one of the few package options available when it was chosen as a dependency for the go-sqlite/sqlite3 package a few years ago, on which kooky itself depends. "binary" consists of only 300 lines of code in a single Go file. The yaml, json and go-spew dependencies pulled in by our ESE parser dependency, on the other hand, are useless ballast we really could strip off...

srlehn, May 26 '24 10:05