
    Harmandeep Singh Kandhari - Enhancing Plugin Security and Preventing Malicious Code Execution

      harmansinghdeepkandhari

      Hi Everyone,

      I’m Harmandeep Singh Kandhari, Health and Wellness Motivator. Now, I’m curious about what measures users can take to ensure installed plugins are safe and free from malicious code. Are there recommended verification steps, digital signature checks, or sandboxing practices to minimize security risks?

      Thanks,
      Harmandeep Singh Kandhari

        Coises @harmansinghdeepkandhari

        @harmansinghdeepkandhari:

        When you install through Plugins Admin, Notepad++ verifies that the hash of the downloaded zip file containing the plugin matches the hash that was supplied when the plugin was added to or updated in the plugins list.

        That is all that is done. Aside from the three plugins included with Notepad++ (MIME Tools, Converter and NppExport), the author/maintainer of Notepad++ does not vet plugins.

        Realistically, he could not do that comprehensively. And — in my opinion, wisely — he does not make a halfway, superficial attempt (like running them through a “virus checker”) which would only give a false sense of security and open up the project to claims that it didn’t do “enough.”

        Further, it should be understood that plugins in Notepad++ are fully capable of doing anything Notepad++ itself can do. They are C++ programs (or the equivalent) running in the same security context as Notepad++. The architecture is very flexible, but it presumes one only installs plugins worthy of trust.

        The user (or system administrator, in a managed system) is completely responsible for establishing the suitability of Notepad++ plugins (just as the same responsibility applies regarding Notepad++ itself). Nearly all are open source; you can examine the code, the issues, and so on. You cannot assume that inclusion in the plugins list means any plugin is “safe”; your own due diligence is required.

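The hash comparison described in the reply above, as an added example that is not part of the thread and is not Notepad++ code. It goes one step further by recording a SHA-256 for each file in the archive, so an administrator can note exactly which reviewed build was approved. The entry field names (`folder-name`, `id`) are assumptions about the plugin list layout, and the zip and entry are constructed samples.

```python
import hashlib
import hmac
import io
import json
import zipfile


def sha256_hex(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large archives are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def check_plugin_zip(zip_bytes, list_entry):
    """Compare a downloaded plugin zip with its list entry and inventory its files.

    A match only shows the zip is the one the list entry was created for;
    it says nothing about what the code inside does.
    """
    actual = sha256_hex(io.BytesIO(zip_bytes))
    expected = list_entry["id"].strip().lower()  # assumed: "id" holds the zip's SHA-256
    matches = hmac.compare_digest(actual, expected)
    members = {}
    if matches:  # only open archives that passed the integrity check
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            for info in archive.infolist():
                if not info.is_dir():
                    with archive.open(info) as member:
                        members[info.filename] = sha256_hex(member)
    return {"plugin": list_entry["folder-name"], "matches": matches,
            "sha256": actual, "members": members}


def build_sample():
    """Constructed sample: a tiny zip with a fake DLL and a matching list entry."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("ExamplePlugin.dll", b"MZ constructed placeholder, not a real DLL")
    zip_bytes = buffer.getvalue()
    entry = {"folder-name": "ExamplePlugin", "version": "1.0.0",
             "id": hashlib.sha256(zip_bytes).hexdigest()}
    return zip_bytes, entry


if __name__ == "__main__":
    sample_zip, sample_entry = build_sample()
    print(json.dumps(check_plugin_zip(sample_zip, sample_entry), indent=2))
    print(check_plugin_zip(sample_zip + b"\x00", sample_entry)["matches"])  # altered download
```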