Scripting: Security considerations

From Freeplane - free mind mapping and knowledge management software
Revision as of 16:00, 4 November 2011 by Jokro

Groovy, the scripting language of choice in Freeplane, is a full-fledged programming language that can do nearly anything with your computer if it is unconstrained. For this reason Freeplane severely restricts script execution after installation. For script development and for using scripts, most of the restrictions should be disabled.

Disabling these restrictions doesn't pose a threat on its own, although you should be very careful...

  • with scripts from people you don't know,
  • with maps that contain scripts (see Map local scripts), and
  • when writing your own scripts.

That said, scripts in Freeplane are less dangerous than macros contained in Office documents, since there are no hooks that may start scripts on load of a map or on start of Freeplane. Every script invocation is triggered by you alone, so the best advice might be this:

  • think twice before installing a script,
  • think twice before executing a script,

and everything should be safe - even if you disable most of the restrictions.

Script developers and regular script users will certainly want to check (enable) the following options in the preferences under Tools->Preferences->Scripting:

  • Scripts should be carried out without confirmation?
  • Permit File Operations (NOT recommended)
  • Trust signed scripts (recommended)

Checking the other options may not be necessary:

  • Permit Network Operations (NOT recommended)
  • Permit to Execute other Applications (NOT recommended)
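
One way to "think twice" about a map that contains scripts is to list its embedded scripts before opening it and note which of the permissions above each one appears to need. The following is an added example, not part of the original page or of Freeplane; it assumes map-local scripts are stored in the map's XML as node attributes whose name starts with `script`, and its patterns are a textual triage heuristic, not proof of what a script does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample map (not from the page). Assumption: Freeplane stores a
# map-local script as a node attribute whose NAME starts with "script".
SAMPLE_MAP = """<map>
<node TEXT="root">
  <node TEXT="report">
    <attribute NAME="script1" VALUE="node.text = node.children.size()"/>
  </node>
  <node TEXT="helper">
    <attribute NAME="owner" VALUE="alice"/>
    <attribute NAME="script1" VALUE="new File('/tmp/x').text = 'a'; 'ls'.execute()"/>
  </node>
  <node TEXT="sync">
    <attribute NAME="script2" VALUE="new URL('http://example.invalid/').text"/>
  </node>
</node>
</map>"""

# Heuristic Groovy/Java patterns, keyed by the permission each one would need.
CAPABILITY_PATTERNS = {
    "file": re.compile(r"\bnew\s+File\b|\bFile(Reader|Writer|InputStream|OutputStream)\b|java\.nio\.file"),
    "network": re.compile(r"\bnew\s+URL\b|\.toURL\(\)|\bSocket\b|HttpURLConnection"),
    "exec": re.compile(r"\.execute\(\)|Runtime\.getRuntime|ProcessBuilder"),
}

def find_map_scripts(mm_xml):
    """Return (node text, attribute name, script source) for each embedded script."""
    # For maps from unknown sources, a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(mm_xml)
    found = []
    for node in root.iter("node"):
        for attr in node.findall("attribute"):  # direct children only
            name = attr.get("NAME", "")
            if name.lower().startswith("script"):
                found.append((node.get("TEXT", ""), name, attr.get("VALUE", "")))
    return found

def capabilities(script):
    """Names of the restricted capabilities the script text appears to use."""
    return sorted(k for k, rx in CAPABILITY_PATTERNS.items() if rx.search(script))

def audit(mm_xml):
    return [(text, name, capabilities(src)) for text, name, src in find_map_scripts(mm_xml)]

if __name__ == "__main__":
    for text, name, caps in audit(SAMPLE_MAP):
        print(f"{text!r} {name}: {', '.join(caps) or 'no restricted capability matched'}")
```

A script with no match still deserves a read before it is run, since Groovy offers many ways to reach the same APIs that simple patterns will not catch.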