Scripting: Security considerations

From Freeplane - free mind mapping and knowledge management software
Revision as of 00:25, 12 March 2013 by Boercher (talk | contribs)

Groovy, the scripting language of choice in Freeplane, is a full-fledged programming language that can do nearly everything with your computer if it is unconstrained. For this reason, Freeplane severely restricts script execution after installation. For script development and for using scripts, most of the restrictions should be disabled.

Disabling these restrictions doesn't pose a threat on its own, although you should be very careful...

  • with scripts from persons that you don't know,
  • with maps that contain scripts (see Map local scripts), and
  • when writing your own scripts.

That said, normal scripts in Freeplane are less dangerous than macros contained in Office documents, since there are no hooks that may start scripts on load of a map or on start of Freeplane. Every script invocation is triggered by you alone, so the best advice might be this:

  • think twice before installing a script,
  • think twice before executing a script,

and everything should be safe - even if you disable most of the restrictions.

Script developers and regular script users will certainly check the following options in the Preferences under Tools->Preferences->Scripting:

  • Scripts should be carried out without confirmation?
  • Permit File Operations (NOT recommended)
  • Trust signed scripts (recommended)

It may not be necessary to check the other options:

  • Permit Network Operations (NOT recommended)
  • Permit to Execute other Applications (NOT recommended)
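
One way to "think twice" before installing a script is to see which of the permissions above it would probably need. The following is an added example, not part of Freeplane or of the original page: a small Python helper that scans a Groovy script's text for Java/Groovy API usage and groups the hits by preference label. The pattern lists and the sample script are assumptions made for illustration, and the matching is a text heuristic, not the mechanism Freeplane uses to enforce restrictions.

```python
import re

# Heuristic patterns (assumed, not Freeplane's own checks), grouped by the
# preference a script would most likely need enabled in order to run.
RISKY = {
    "Permit File Operations": [
        r"\bnew\s+File\s*\(", r"\bjava\.io\.", r"\bjava\.nio\.file\.",
        r"\bFile(Writer|Reader|InputStream|OutputStream)\b",
    ],
    "Permit Network Operations": [
        r"\bjava\.net\.", r"\bnew\s+URL\s*\(", r"\.toURL\s*\(\)",
        r"\b(Server)?Socket\b", r"\bHttpURLConnection\b",
    ],
    "Permit to Execute other Applications": [
        r"\.execute\s*\(", r"\bRuntime\.getRuntime\s*\(\)", r"\bProcessBuilder\b",
    ],
}

def strip_comments(src):
    """Drop /* */ and // comments so commented-out code is not reported."""
    # Keep newlines inside block comments so line numbers stay correct.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    # (?<!:) keeps the "//" of URLs such as http://... intact.
    return re.sub(r"(?<!:)//.*", "", src)

def review(src):
    """Return {preference label: [(line_no, line), ...]} for every match."""
    findings = {}
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for pref, patterns in RISKY.items():
            if any(re.search(p, line) for p in patterns):
                findings.setdefault(pref, []).append((no, line.strip()))
    return findings

# Constructed sample script, used only for this demonstration.
SAMPLE = '''\
// new File("/tmp/x") in a comment is ignored
def notes = new File(node.map.file.parentFile, "notes.txt")
notes.text = node.text
def page = "http://example.invalid/".toURL().text
["xdg-open", notes.path].execute()
node.text = node.text.toUpperCase()
'''

if __name__ == "__main__":
    for pref, hits in review(SAMPLE).items():
        print(pref)
        for no, line in hits:
            print(f"  line {no}: {line}")
```

An empty result is not proof that a script is harmless, since Groovy code can reach these APIs in ways that simple text matching will not see.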

Formulas

Formulas are somewhat similar to Office macros in that they are evaluated when a map is loaded. But formulas are restricted, and no one can override these restrictions manually. The worst a formula can do is read and display local files if you have given scripts the "read file" permission. (That is needed if you have extended the classpath of scripts.) So be careful but not anxious.