I think Mario may have covered this, but the most obvious vulnerability with 
the GitHub Saver is that of installing a malicious plugin that reads the 
username and PAT from local storage and exfiltrates it to an external server.

The mitigation for such an attack is that sensitive data in local storage is 
intentionally not exposed to wikitext, so the attacker would need to install a 
JavaScript module/plugin, which is somewhat harder to do than a wikitext 
tiddler.

I think the ideal solution would be to use OAuth but that is not available for 
wikis loaded from a file URI.

Best wishes

Jeremy

--
Jeremy Ruston
[email protected]
https://jermolene.com

> On 22 Apr 2021, at 12:57, PMario <[email protected]> wrote:
> 
> 
>> On Thursday, April 22, 2021 at 1:46:16 PM UTC+2 [email protected] wrote:
>> Why not? If you can add tiddler text to a txt file, any HTML code will not 
>> run. It is then much easier to call this plaintext back safely. Why is this 
>> just as insecure as a single file solution, then?
> 
> 
> That's part of the "more complex" system I was referring to. If you want to 
> have a different level of access, you'll need to create a real TW-syncer, 
> where you can do whatever you want. ... 
> 
> But this system is still vulnerable to e.g. social engineering. I can give you 
> 10 different txt files that contain JavaScript code. Every single one of 
> them doesn't do something special. Then I can give you a malicious plugin 
> that isn't related to the text files, e.g. a presentation plugin that will 
> allow you to present tiddlers in a nice way. ... The next time you save your 
> wiki the text files are combined into a library module, with full access to 
> your wiki data.
> 
> So the problem here is that you should only use plugins that you really 
> trust!
> 
> BUT that's not a TW problem. That's a general security problem.
> 
> -mario
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "TiddlyWiki" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/tiddlywiki/b239496b-c4b3-48bd-8434-7e9d930964d5n%40googlegroups.com.
