Is this package secure? #72

Open
kkHAIKE opened this issue Jan 22, 2024 · 7 comments
Comments

kkHAIKE commented Jan 22, 2024

I noticed that some packages with very low stars have been included. I think this repository should prioritize security.

zellyn (Collaborator) commented Jan 22, 2024

I mean, it's called "kooky" for a reason. You'd be crazy to use it! 😂

adamdecaf (Contributor) commented

@kkHAIKE Do you have any specific concerns or questions about this codebase?

kkHAIKE (Author) commented Jan 23, 2024

Just a bit anxious, but there are no other options. Worried that it might be manipulated by malicious packages or PR control.

zellyn (Collaborator) commented Jan 23, 2024

I really like the idea of trying to keep the dependencies as minimal as possible, but I'm not knowledgeable enough about the various cookie and secret stores to remove any of the current dependencies easily. 😞
Some of them, like ordereddict, we should look into…

xob0t commented May 3, 2024

> Just a bit anxious, but there are no other options. Worried that it might be manipulated by malicious packages or PR control.

There is another way to get cookies, at least for Chrome: rod

srlehn (Collaborator) commented May 25, 2024

rod asks a running Chrome instance for the cookies, AFAIK.

Breakdown of the few dependencies:

# needed for decryption
github.com/keybase/go-keychain
github.com/zalando/go-keyring
github.com/godbus/dbus/v5

# needed for pure go sqlite
github.com/go-sqlite/sqlite3
github.com/gonuts/binary - only 300 lines, easy to proofread

# for firefox (querying profile location in profiles.ini config file)
github.com/go-ini/ini

# for example program
github.com/spf13/pflag

# for firefox host field in the sqlite db - see #69
github.com/bobesa/go-domain-util

# ESE parsing for old IE/Edge cookie stores
# Velocidex does digital forensics
www.velocidex.com/golang/go-ese
github.com/Velocidex/ordereddict - pulls in the yaml + json packages
# 10k lines (yaml+json+spew) ballast that we could strip off with an internal fork of the ese package
github.com/Velocidex/yaml/v2
github.com/Velocidex/json
github.com/davecgh/go-spew - pulled in by the ese package

# official x packages
golang.org/x/crypto
golang.org/x/net
golang.org/x/sys
golang.org/x/text
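
The breakdown above is the kind of answer `go mod graph` and `go mod why -m` give you. The following is an added example, not kooky's code nor any commenter's: a small Go program that parses `go mod graph` output, finds every route from the main module to a given dependency, and names the direct dependencies that drag it in (the ones you would have to fork or replace to drop it, as srlehn suggests for the ESE parser). The embedded graph is constructed; the module path `github.com/zellyn/kooky`, the edges and the versions are assumptions chosen to mirror the list above, not the real module graph.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// SampleGraph is CONSTRUCTED input in the line format of `go mod graph`
// ("parent@version child@version"; the main module carries no version). The
// module path, edges and versions are assumptions, not kooky's real graph.
const SampleGraph = `github.com/zellyn/kooky github.com/go-sqlite/sqlite3@v0.0.0-20200101
github.com/zellyn/kooky www.velocidex.com/golang/go-ese@v0.1.0
github.com/zellyn/kooky github.com/zalando/go-keyring@v0.2.3
github.com/go-sqlite/sqlite3@v0.0.0-20200101 github.com/gonuts/binary@v0.7.5
www.velocidex.com/golang/go-ese@v0.1.0 github.com/Velocidex/ordereddict@v0.0.0-20200101
www.velocidex.com/golang/go-ese@v0.1.0 github.com/davecgh/go-spew@v1.1.1
github.com/Velocidex/ordereddict@v0.0.0-20200101 github.com/Velocidex/yaml/v2@v2.2.8
github.com/Velocidex/ordereddict@v0.0.0-20200101 github.com/Velocidex/json@v0.0.0-20200101
github.com/zalando/go-keyring@v0.2.3 github.com/godbus/dbus/v5@v5.1.0
`

// Graph maps a module path (version stripped) to its direct dependencies.
type Graph map[string][]string

// ParseGraph parses `go mod graph` output. The root is the first parent without
// a version (the main module); duplicate edges are dropped.
func ParseGraph(out string) (Graph, string) {
	g, root := Graph{}, ""
	seen := map[[2]string]bool{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		if root == "" && !strings.Contains(f[0], "@") {
			root = f[0]
		}
		// Drop "@version" so every version of a module collapses into one node.
		e := [2]string{strings.SplitN(f[0], "@", 2)[0], strings.SplitN(f[1], "@", 2)[0]}
		if !seen[e] {
			seen[e] = true
			g[e[0]] = append(g[e[0]], e[1])
		}
	}
	return g, root
}

// Paths returns every simple path from root to target (what `go mod why -m`
// shows, but all routes instead of one).
func Paths(g Graph, root, target string) [][]string {
	var out [][]string
	onPath := map[string]bool{}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		path = append(path, node)
		if node == target {
			out = append(out, append([]string(nil), path...))
			return
		}
		onPath[node] = true
		for _, next := range g[node] {
			if !onPath[next] {
				walk(next, path)
			}
		}
		delete(onPath, node)
	}
	walk(root, nil)
	return out
}

// Culprits names the direct dependencies through which target enters the build:
// the modules one would have to fork or replace to get rid of it.
func Culprits(g Graph, root, target string) []string {
	set := map[string]bool{}
	for _, p := range Paths(g, root, target) {
		if len(p) > 1 {
			set[p[1]] = true
		}
	}
	out := make([]string, 0, len(set))
	for m := range set {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	g, root := ParseGraph(SampleGraph)
	for _, t := range []string{"github.com/davecgh/go-spew", "github.com/Velocidex/yaml/v2"} {
		fmt.Printf("%s enters via %s\n", t, strings.Join(Culprits(g, root, t), ", "))
		for _, p := range Paths(g, root, t) {
			fmt.Println("  " + strings.Join(p, " -> "))
		}
	}
}
```

On a real checkout, replace SampleGraph with the output of `go mod graph` (or pipe it in) and the same functions answer "which of my direct dependencies is responsible for module X"; `go mod why -m github.com/davecgh/go-spew` gives one such route directly. Either way the audit is against go.sum-pinned modules, so the result reflects what actually gets built, not what the README lists.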

srlehn (Collaborator) commented May 26, 2024

> I noticed that some packages with very low stars have been included. I think this repository should prioritize security.

A low star count doesn't mean bad security.
gonuts/binary, for example, was probably one of the few package options available when it was chosen as a dependency for the go-sqlite/sqlite3 package a few years ago, on which kooky itself depends. "binary" consists of only 300 lines of code in a single go file.
The yaml, json and go-spew dependencies pulled in by our ESE parser dependency, on the other hand, are useless ballast we really could strip off...
