←back to thread

Less is safer: How Obsidian reduces the risk of supply chain attacks

(obsidian.md)
421 points saeedesmaili | 1 comments | 19 Sep 25 22:02 UTC | HN request time: 0.204s | source
Show context
gejose ◴[19 Sep 25 23:42 UTC] No.45308131[source]
This is one way to look at it, but ignores the fact that most users use third party community plugins.

Obsidian has a truly terrible security model for plugins. As I realized while building my own, Obsidian plugins have full, unrestricted access to all files in the vault.

Obsidian could've instead opted to be more 'batteries-included', at the cost of more development effort, but instead leaves this to the community, which in turn increases the attack surface significantly.

Or it could have a browser extension like manifest that declares all permissions used by the plugin, where attempting to access a permission that's not granted gets blocked.

Both of these approaches would've led to more real security to end users than "we have few third party dependencies".

replies(18): >>45308149 #>>45308208 #>>45308212 #>>45308222 #>>45308224 #>>45308241 #>>45308572 #>>45308600 #>>45308749 #>>45310219 #>>45310642 #>>45310881 #>>45310991 #>>45311185 #>>45311760 #>>45311782 #>>45312975 #>>45313054 #
justsomehnguy ◴[19 Sep 25 23:53 UTC] No.45308222[source]
> Obsidian plugins have full, unrestricted access to all files in the vault.

And how exactly you can solve that?

I don't want to press 'allow access' on the every file some plugin is accessing.

replies(2): >>45308268 #>>45308541 #
1. schmichael ◴[19 Sep 25 23:59 UTC] No.45308268[source]
One of the large dependencies they call out is an excellent example: pdf.js.

There is no reason for pdf.js to ever access anything other than the files you wish to export. The Export to PDF process could spawn a containerized subprocess with 0 filesystem or network access and constrained cpu and memory limits. Files could sent to the Export process over stdin, and the resulting PDF could be streamed back over stdout with stderr used for logging.

There are lots of plugin systems that work this way. I wish it were commodofied and universally available. AFAIK there's very little cross-platform tooling to help you solve this problem easily, and that's a pity.