How trustful are KeePass plugins?
So in short, the only way to ensure an optimum security with the KeePass plugins is to review their codes by yourself.
The only problem is that some of them are open source, some others are not. Moreover in case of an open source plugin, you can't be sure the PLGX file you downloaded really correspond to the public available source code. Therefore either you generate the PLGX file by yourself or you review the code of the PLGX file directly.
I chose the second solution as it also allows to review the code of non-open source plugins.
I modified a tiny bit the code of KeePass 2.35 in order to achieve that. The project with installation instruction is available at https://github.com/jmevel/KeePassPluginsSourceCode
The code is quite simple and resides in the KeePass/Plugins/PlgxCsprojLoader.cs
file only.
I won't provide you the keepass.exe
file directly because it doesn't make sense, you have to compile it by yourself. Otherwise how would you know what this .exe file is really doing...?
Happy code review everybody!
A KeePass plugin can do pretty much anything that KeePass itself can, it is effectively just a .NET library. AFAIK, there is no sandboxing at all to a KeePass plugin. So unless you decompile and do a code review, you have to trust the plugin's author(s), the person that compiled the plugin, and that the plugin hasn't been tampered in transit. A plugin is pretty much capable of sending your entire password lists to the internet, or format your harddisk if you run KeePass as a user with privilege to do that.
Also, when you're reviewing a KeePass plugin's source, don't forget to also review the --plgx-build-pre:
and --plgx-build-post:
code. Any shell commands can be run during plugin compile/install with those options.
In Windows you could also create a firewall rule that prevents KEEPASS.EXE from doing outgoing communications.
It will prevent KEEPASS from checking for updates, but at least it prevents the small possibility of a rogue PLGX sending anything out once compiled into KEEPASS.