I've been a long-timer Obsidian user with a number of plugins. Recently I launched ZeroQuarry (a product to scan code for security vulnerabilities) and pointed it at a number of Obsidian plugins. I was initially surprised to find out that so many of them had RCEs baked in: that if you open a malicious .md file, you could inadvertently run untrusted code.
I've reached out to a number of the Obsidian plugin maintainers for responsible disclosure to let them know about the issues and how to fix them, and what surprised me even more was that the most common response was roughly "yeah, we all know Obsidian plugins are basically unsafe when used against untrusted markdown content." I was surprised by this response as an Obsidian user with a number of plugins installed. It made me rethink how I think about plugins.
I like their new community program that attempts to identify some risks, but IMO it's just far too little. Obsidian really needs to have a sandboxed system. I've reached out to Obsidian as well to flag some of these risks and suggested a sandbox system as well, but haven't really had much progress in moving the needle, so I wanted to raise awareness here.
As far as I can tell, every issue you flagged in this article is now automatically caught in the new plugin review system launched last week. The new system prevents plugin updates from being released/downloaded if any of these issues are present.
The team is also working on adding permissions and more controls, see the recent announcement and HN discussion:
Since last week hundreds of plugins have been updated to patch vulnerabilities. That said there is a lot more to do and we're actively working on it. It's a very high priority.
If there are any other checks you think we should add to the automated review system I'd be happy to look into those. Since the review system is mostly open source you can also contribute to it directly, though perhaps that would be in conflict with the purpose of your company since our approach doesn't use AI for now?
I just left a job for a German B2B software company which sold primarily to large automotive, defense, and aerospace companies. Several of our customers specifically banned anything with the word "DeepSeek" -- hosted or self-hosted.
There's still a lot of naivety on what the difference is between models and platforms, and its easier for a lot of these big companies to just make a blanket statement like "nothing DeepSeek" than for their procurement teams to try to understand and negotiate with each vendor. They don't see the potential benefit over the potential risk of somebody misinterpreting or getting it wrong, so they outright ban it.
Most people that approve or buy software simply also just don't understand how models are being trained or if it's possible/how far a model could go to "introduce backdoors." A backdoor could be, from a business perspective, a model which has been trained to give answers that could hurt western business in a "strict text mode" or produces payloads in a programmatic mode that are intentionally trained to introduce software vulnerabilities.
Anyone can make arguments against these for a variety of reasons (looking at the transparency of both sides and comparing, etc) but for many reasons today and for better or worse, many Chinese models are being banned on big software contracts, which gets back to the title of the article
Thing is these models can also be a propaganda machine whether you run it locally or not. This is true no matter the origins. Chinese LLMs will never shit-talk CCP, and it will always give a rosy depiction of the Chinese government. It's perfectly understandable if companies don't want things like that. US/EU models have these problems too, but at least there are some ways to fight that: with a lawsuit or a megaphone on social networks. With Chinese models there is nothing you can do.
I've been running my own security scanning software (disclaimer: now starting a company @ zeroquarry.com) for this, and from what I've seen there's a huge value in prompts + adversarial LLM review. Without adversarial review, you get garbage (as this blog points out: 4/5 basically are nonsense) and with a good prompt, you can use almost any "near frontier" model from my experience as long as the prompt helps with the guardrails or the model doesn't protect in such a strict way
Except that a lot of software likely is already broken in fun ways we currently don't know about. That is what makes it such a "fun" challenge. Supply chain attacks are one thing, but CVEs in already released software allowing other attackers are another.
As always, I know most of us work in IT, but things rarely are actually binary.
We found a critical RCE in the popular Obsidian Tasks plugin. It's now been fixed, but wanted to let others know to update ASAP. A malicious markdown file can trigger the RCE
Some things may be obvious to a lot of readers, but I want to spell things out explicitly because sometimes "OSS" etc have a lot of conflations.
A license in the software sense is effectively the legal terms and conditions for using the software in any way. A license can define anything your legal mind can dream up: "only usable when you wear a red shirt," "only usable on the third Tuesday of the month," etc. You can multi-license things: "License A is that you can only use this software when you wear a red shirt. License B is that you can only use it on the third Tuesday of the month. This software is dual licensed under A and B: you can choose which license you want to use, but you must use one of them if you want to use the software legally, because those are the legal conditions I've laid out in using the software." If you use the software on Wednesday wearing a blue shirt, you're operating it against the terms and effectively are in breach of the license. This is (part of) why putting source code out on the internet isn't the same as "open source" and why downloading and using source code you find without reviewing the actual license terms may end you up in hot water. It's why standardized licenses are so helpful to legal teams that review these sorts of things at corporations.
These are obviously facetious examples, but most for-profit entities might choose a dual licensing structure where "if you want to run it for free, you choose something in the realm of open source licenses and if you don't like the terms of those licenses, you pay us for a license that gives you something else." In cases like the blog author's here: you say "option A is AGPL" and "option B is you pay us for a license to remove AGPL and which gives you different rights." You hope enough companies are scared by AGPL to want to pay you for the non-AGPL version and the distribution/OSS-friendly nature of AGPL helps you build a user-base enough that by the time it gets to a legal team to approve/deny, that the legal team denies and is willing to pay to make the problem go away.
One thing I mention to folks that seem to think AGPL "protects you" against a major corporation incorporating your product into a SaaS product: it mostly doesn't.
It isn't written about often, but it's the reason many "open core" companies moved away from AGPL to protect their revenue from larger SaaS/IaaS/PaaS players from eating their lunch.
Law does not run on a CPU with certainty. There is risk analysis going on: there are many jurisdictions at play. When you are big enough, something that has fundamentally viral characteristics by design can have catastrophic impact even if reading of the license as linked would be almost certainly accepted as correct and likely. Therefore, especially for a company like Google that has a unified codebase, that treatment is justified. So goes for other big companies who would be at least wary of just taking AGPL.
It kinda does have that effect, because large companies are allergic to AGPL by policy, even if they otherwise have processes to get GPL software into use. The very companies that have the pocketbook to pay for your software, are also structurally incapable of using it as FOSS. Smaller ones that are more agile about how they incorporate it, have less willingness to pay for a different license.
Sure, but there's a case I'm particularly aware of where one of the major cloud infrastructure providers was about to host a significant AGPL-licensed project without modifications because their lawyers had reviewed it and determined it would have been OK. The particular VC-backed open-core company then got word of it and changed their license off of AGPL. IYKYK
Technologies: Python, Lua, Docker, Java, pretty much all SQL/NoSQL. But I'm a bit unusual here in that my focus tends to be a bit more on the product side than the engineering.
About: I've worked in leadership positions at the border of product and engineering at several tech-heavy companies. I was head of product for Elasticsearch and Kong, CPO at SPREAD GmbH, and just moved from Germany to Australia earlier this year after having spent most of my career in San Francisco area. I'm currently very interested in product security areas especially and have been launching https://zeroquarry.com
I'm a technologist turned product manager and into product leadership. Most of my career has been leading product teams in complex B2B applied ML/AI and "big data" products. I was product lead for Elasticsearch @ Elastic, Kong @ Kong, Vectara's head of product, and currently CPO @ SPREAD AI. We've recently relocated our family to Australia due to my wife changing positions, and realistically can't be at a company where everyone in the company is in/near Germany except me (the hours just don't work for a company that isn't committed to remote work).
I've reached out to a number of the Obsidian plugin maintainers for responsible disclosure to let them know about the issues and how to fix them, and what surprised me even more was that the most common response was roughly "yeah, we all know Obsidian plugins are basically unsafe when used against untrusted markdown content." I was surprised by this response as an Obsidian user with a number of plugins installed. It made me rethink how I think about plugins.
I like their new community program that attempts to identify some risks, but IMO it's just far too little. Obsidian really needs to have a sandboxed system. I've reached out to Obsidian as well to flag some of these risks and suggested a sandbox system as well, but haven't really had much progress in moving the needle, so I wanted to raise awareness here.
reply