
KeePass is great, I love it, but after several years of using it, sometimes I wish to install a plugin but I don't, because I'm scared of what this plugin can really do without my consent.

The documentation about plugin development is really short. I downloaded and compiled the source code but I don't understand where to find the list of API functions plugins have access to.

As said in the documentation, the PLGX format is a "not yet compiled" format:

Instead of compiling your plugin to a DLL assembly, the plugin source code files can be packed into a PLGX file and KeePass will compile the plugin itself when loading it

So it should be possible to read these files. How to do this?

Let's take the example of Favicon downloader or even Password counter. These 2 plugins clearly show that they both have access to the internet and my passwords. So how can I be sure they don't steal them? I mean, they could just send all my information to a server and I'd never know it.

So if there is no way for me to read the PLGX files, is the only way to ensure optimum security to develop my own plugins myself?

Jérôme MEVEL
  • The short answer to your last line is simply: yes. Code review is the only sure way to determine what code is designed to do. – schroeder May 24 '17 at 06:19
  • We cannot answer "how trustful" because it's an opinion. We cannot answer how to read a proprietary file format, because that's not a security question. – schroeder May 24 '17 at 06:20
  • Alright, so the answer to my question is that I have to code my own plugins since these plugins' source code is not open-source. (Or I analyse the KeePass source code to make my own PLGX decompiler, which would be a very useful alternative...) – Jérôme MEVEL May 24 '17 at 07:22
  • It's a fact of software and why open source is so important in terms of security and privacy. – schroeder May 24 '17 at 08:46
  • So thankfully KeePass is open source under the GNU Licence, so in about 2 hours I modified the code and compiled my own `keepass.exe` to extract plugins' source files into a folder. I checked the code and saw a SourceForge URL and then I realized that the code was publicly available. I just didn't see the `code` link that leads to the real source code instead of the PLGX file. I feel like a good developer but a dumb guy at the same time now... – Jérôme MEVEL May 24 '17 at 09:01
  • Awesome work! Sounds like a nice thing to post on GitHub so others can decompile plugins for review purposes .... ;) – schroeder May 24 '17 at 09:49
  • This is very "dirty" work I have done and it is far from being a "real" decompiler, but yes, it works. You are right, I should share this piece of code since the GNU license allows modification and redistribution. I will post an answer on this page when it's on GitHub. – Jérôme MEVEL May 24 '17 at 09:54

3 Answers


So in short, the only way to ensure optimum security with KeePass plugins is to review their code yourself.

The only problem is that some of them are open source and others are not. Moreover, in the case of an open source plugin, you can't be sure the PLGX file you downloaded really corresponds to the publicly available source code. Therefore you either generate the PLGX file yourself or you review the code in the PLGX file directly.

I chose the second solution as it also allows reviewing the code of non-open-source plugins.

I modified the code of KeePass 2.35 a tiny bit in order to achieve that. The project with installation instructions is available at https://github.com/jmevel/KeePassPluginsSourceCode

The code is quite simple and resides in the KeePass/Plugins/PlgxCsprojLoader.cs file only.

I won't provide the keepass.exe file directly because it doesn't make sense; you have to compile it yourself. Otherwise how would you know what this .exe file is really doing...?

Happy code review everybody!

Jérôme MEVEL

A KeePass plugin can do pretty much anything that KeePass itself can; it is effectively just a .NET library. AFAIK, there is no sandboxing at all for a KeePass plugin. So unless you decompile and do a code review, you have to trust the plugin's author(s), the person that compiled the plugin, and that the plugin hasn't been tampered with in transit. A plugin is pretty much capable of sending your entire password list to the internet, or formatting your hard disk if you run KeePass as a user with the privilege to do that.

Also, when you're reviewing a KeePass plugin's source, don't forget to also review the --plgx-build-pre: and --plgx-build-post: code. Any shell commands can be run during plugin compile/install with those options.

Lie Ryan
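Added example, not code from the question, the answers or KeePass itself: a small read-only PLGX inspector in Python that answers the question's "how to read these files" and surfaces the --plgx-build-pre:/--plgx-build-post: commands Lie Ryan mentions, so a reviewer can see the embedded sources and any build-time shell commands before KeePass compiles and loads the plugin. The container layout and record type numbers are my reading of KeePass's PlgxPlugin.cs and are an assumption to verify against the source; build_sample_plgx only constructs a fixture for the demonstration.

```python
import gzip
import struct

# PLGX layout as I read it in KeePass's PlgxPlugin.cs (assumption, verify against the
# source): uint32 sig1, sig2, version, then <uint16 type><uint32 len><payload> records.
PLGX_SIG1, PLGX_SIG2, PLGX_VERSION = 0x65D90719, 0x3DDD0503, 0x00010000
OBJ_EOF, OBJ_FILE, OBJ_BUILD_PRE, OBJ_BUILD_POST = 0, 4, 13, 14
FILE_EOF, FILE_PATH, FILE_DATA = 0, 1, 2  # record types nested inside OBJ_FILE


def _records(buf):
    # Yield (type, payload) pairs until the EOF record or the end of the buffer.
    pos = 0
    while pos + 6 <= len(buf):
        rtype, length = struct.unpack_from("<HI", buf, pos)
        pos += 6
        yield rtype, buf[pos:pos + length]
        pos += length
        if rtype == OBJ_EOF:
            return


def inspect_plgx(data):
    # Read-only view: embedded source files plus any pre/post build commands.
    sig1, sig2, _version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (PLGX_SIG1, PLGX_SIG2):
        raise ValueError("not a PLGX container")
    report = {"files": {}, "build_pre": [], "build_post": []}
    for rtype, payload in _records(data[12:]):
        if rtype == OBJ_FILE:
            path, content = None, b""
            for ftype, fpayload in _records(payload):
                if ftype == FILE_PATH:
                    path = fpayload.decode("utf-8")
                elif ftype == FILE_DATA:  # file bodies are gzip-compressed
                    content = gzip.decompress(fpayload)
            report["files"][path] = content
        elif rtype == OBJ_BUILD_PRE:  # shell command KeePass runs before compiling
            report["build_pre"].append(payload.decode("utf-8"))
        elif rtype == OBJ_BUILD_POST:  # shell command KeePass runs after compiling
            report["build_post"].append(payload.decode("utf-8"))
    return report


def build_sample_plgx(files, build_pre=None):
    # Constructed fixture in the same layout, only for demonstrating the inspector.
    rec = lambda t, p=b"": struct.pack("<HI", t, len(p)) + p
    out = struct.pack("<III", PLGX_SIG1, PLGX_SIG2, PLGX_VERSION)
    for path, body in files.items():
        out += rec(OBJ_FILE, rec(FILE_PATH, path.encode("utf-8"))
                   + rec(FILE_DATA, gzip.compress(body)) + rec(FILE_EOF))
    if build_pre:
        out += rec(OBJ_BUILD_PRE, build_pre.encode("utf-8"))
    return out + rec(OBJ_EOF)
```

Any non-empty build_pre or build_post entry in the report deserves the same scrutiny as the source files, since it runs as a shell command on the reviewer's machine during compilation.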

On Windows you could also create a firewall rule that prevents KEEPASS.EXE from doing outgoing communications.

It will prevent KEEPASS from checking for updates, but at least it prevents the small possibility of a rogue PLGX sending anything out once compiled into KEEPASS.

Ilka