We have identified a security issue with the recently added feature of
install-time plugin hooks.
As far as I can tell, there is nothing that prevents creation of a plugin with
a malicious install-time hook script. Adding that plugin to a project could
corrupt the user's host machine. If a project using that plugin is
submitted to a build server, then the build server could be corrupted.
Yes, you can use lower-level plugman scripts to fetch plugins and then pre-scan
them for install-time hooks and track down all the dependencies and scan them
too. So this is fixable (on a build server), but it's a lot of extra work;
"cordova plugin add" should not be an unsafe operation.
I propose that the CLI should check to see if a plugin requires an install-time
hook and require the user to explicitly grant permission before executing the
install hook. A build server would always deny permission.
Is there something I'm missing here?
Julian
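The check proposed above, as an added example that is not part of the original post or of the Cordova/plugman code base: scan a plugin.xml for hooks whose type fires during installation, then apply a policy that always denies on a build server and otherwise requires explicit user consent. The `<hook type="..." src="..."/>` element is Cordova's; the policy function, the `isBuildServer`/`userApproved` inputs and the sample plugin.xml are constructed for illustration.

```javascript
// Hook types that run during "cordova plugin add" (Cordova plugin.xml hook types).
const INSTALL_HOOK_TYPES = new Set([
  'before_plugin_install',
  'after_plugin_install',
]);

// Return every <hook> in the plugin.xml text whose type fires at install time.
// A plugin that declares none needs no prompt. Regex parsing is used only to
// keep this example dependency-free; a real CLI would use its XML parser.
function findInstallHooks(pluginXml) {
  const hooks = [];
  const hookTag = /<hook\b([^>]*)\/?>/g;
  const attr = (attrs, name) => {
    const m = new RegExp(`\\b${name}="([^"]*)"`).exec(attrs);
    return m ? m[1] : null;
  };
  let m;
  while ((m = hookTag.exec(pluginXml)) !== null) {
    const type = attr(m[1], 'type');
    const src = attr(m[1], 'src');
    if (type && INSTALL_HOOK_TYPES.has(type)) hooks.push({ type, src });
  }
  return hooks;
}

// Policy (constructed): install hooks run only when the plugin declares none,
// or when an interactive user explicitly approved them. A build server
// (isBuildServer) always denies, as the proposal suggests.
function installHookPolicy(hooks, { isBuildServer, userApproved }) {
  if (hooks.length === 0) return { allowed: true, reason: 'no install-time hooks' };
  if (isBuildServer) return { allowed: false, reason: 'build server: install hooks denied' };
  if (userApproved) return { allowed: true, reason: 'user granted permission' };
  return { allowed: false, reason: 'user did not grant permission' };
}

// Constructed sample plugin.xml (not from any real plugin). The after_prepare
// hook is an app-level hook, so it is not an install-time hook here.
const SAMPLE_PLUGIN_XML = `
<plugin id="com.example.sample" version="1.0.0">
  <hook type="before_plugin_install" src="scripts/prepare.js" />
  <hook type="after_prepare" src="scripts/after_prepare.js" />
  <hook type="after_plugin_install" src="scripts/finish.js"/>
</plugin>`;

const found = findInstallHooks(SAMPLE_PLUGIN_XML);
console.log(found, installHookPolicy(found, { isBuildServer: true, userApproved: false }));
```

Dependencies declared via `<dependency>` would need the same scan applied recursively to each fetched plugin before any hook is allowed to run.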