Thanks @natevw for asking. This has been pretty new territory for us actually.
First, the marketplace, since that’s probably the most important thing to discuss with regards to the security of our application.
Currently, extensions are not sandboxed. Extensions are not automatically installed (except for 2 Saleae written & controlled ones) and we don’t auto-update extensions. It’s only possible to publish extensions from open source GitHub repositories, making the source code for all extensions easily browsable. That’s about all we do at the moment though. We had a similar discussion here near the beginning of the extension marketplace development. Our first action was to take a look at what security measures similar tools took, such as Microsoft’s VS Code and Google Chrome, as well as npm and PyPI - which, by and large, don’t provide any security for the end user either. One of my colleagues can speak more about the possibility of sandboxing and the technical challenges involved in our application.
Second, you mentioned Electron, and the third party npm packages that we’re bringing with that. The main risk here, and I think the same one you’re thinking of, is that we could install a malicious npm module, and then deploy that to end user computers, where it runs in a privileged environment.
At the moment, we have pretty basic safeguards against this. Because we use yarn, the version of each npm package is selected at install time, is not automatically updated on clean builds of the application, and remains the same until we manually update a specific npm module (and its dependencies). This, at a minimum, protects us (and many other projects out there) from situations where an npm module is compromised. However, the risk remains that the npm module (or one of its dependencies) was already compromised. We do automatically get security alerts on our entire dependency graph. This is a problem common to all Electron apps, such as Visual Studio Code, Slack, or Skype.
I’m curious to hear what your expectations are for marketplaces and installed desktop apps. Our software has been capable of loading 3rd party C++ plugins pretty much since launch, although we didn’t have a marketplace for easy distribution. I also think we can and should do a better job of setting expectations with marketplace content (there are currently 3 non-Saleae created extensions). Overall, using Electron is a larger vector than our original C++ application, which only shipped with a handful of 3rd party libraries.
What would be particularly helpful (because we have been having trouble figuring it out ourselves) would be any examples of desktop applications with extension marketplaces that you think are doing things right.