Security: manu-p-1/PowerPlug

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.9.x
< 0.9

Reporting a Vulnerability

If you discover a security vulnerability in PowerPlug, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email the maintainers directly at the email address listed in the repository's author profile. Include:

  1. A description of the vulnerability
  2. Steps to reproduce the issue
  3. The potential impact
  4. Any suggested fix (if applicable)

You should receive an acknowledgment within 48 hours. We will work with you to understand the issue and coordinate a fix and disclosure timeline.

Security Considerations

PowerPlug manipulates the user's PowerShell $PROFILE and executes commands in the current runspace. Users should be aware of the following:

  • Profile modification — New-Byname, Set-Byname, and Remove-Byname write to and modify $PROFILE. Only run these cmdlets in trusted environments.
  • Script block execution — Invoke-Retry and Measure-ScriptBlock execute user-provided script blocks. Do not pass untrusted input as script blocks.
  • File operations — Move-Trash, Compare-Hash, ConvertTo-Base64, and ConvertFrom-Base64 operate on the file system. Paths are resolved relative to the PowerShell working directory.
  • Hash algorithms — Compare-Hash supports MD5 for legacy compatibility. MD5 is cryptographically broken and should not be used for security-critical verification. Prefer SHA256 or SHA512.
  • Regex timeout — All regex operations in profile manipulation use a 5-second timeout to prevent ReDoS attacks from malicious profile content.
  • Network speed testing — Get-Speed connects to Cloudflare's speed test endpoints (speed.cloudflare.com) by default to measure download and upload speeds, and pings 1.1.1.1 for latency. This means data is sent to and received from Cloudflare's servers during a speed test. No personally identifiable information is transmitted beyond what is inherent to an HTTP request (source IP address, user-agent string PowerPlug-SpeedTest/0.9.0). Custom endpoints can be specified via the -DownloadUrl, -UploadUrl, and -LatencyHost parameters if you prefer not to use Cloudflare. Upload payloads are randomly generated bytes with no user data.
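The regex-timeout point above is worth seeing in working code. The following is an added example written for this page, not PowerPlug's own implementation: it shows how a .NET regex can be constructed with a match timeout so that a hostile or malformed $PROFILE cannot stall profile manipulation indefinitely. The function name Find-ProfileAlias, the Set-Alias pattern, and the sample profile content are assumptions made for illustration; only the 5-second timeout value comes from the policy text.

```powershell
# Added example (not PowerPlug's own code): bounded-time regex matching over
# profile content as a defence against ReDoS from malicious profile text.
# Function name, pattern and sample input are assumptions for illustration.

function Find-ProfileAlias {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ProfileContent,

        # Hypothetical pattern: lines of the form "Set-Alias <name> <target>".
        [string]$Pattern = '^\s*Set-Alias\s+(?<Name>\S+)\s+(?<Target>\S+)\s*$',

        # Same bound the policy describes: give up after 5 seconds.
        [int]$TimeoutSeconds = 5
    )

    # The third constructor argument is the match timeout; every Match/Matches
    # call on this instance enforces it, independent of the global AppDomain setting.
    $options = [System.Text.RegularExpressions.RegexOptions]::Multiline
    $regex   = [regex]::new($Pattern, $options, [TimeSpan]::FromSeconds($TimeoutSeconds))

    try {
        # Matches() evaluates lazily, so enumeration must stay inside the try block
        # for the timeout exception to be caught here.
        foreach ($m in $regex.Matches($ProfileContent)) {
            [pscustomobject]@{
                Name   = $m.Groups['Name'].Value
                Target = $m.Groups['Target'].Value
            }
        }
    }
    catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
        # Fail closed: a timeout means the profile content is suspect, so do not
        # return partial results that a caller might then write back to $PROFILE.
        throw "Regex timed out after $TimeoutSeconds s while scanning profile content; refusing to modify the profile."
    }
}

# Constructed sample profile content (not a real user's profile).
$sampleProfile = @"
# example profile
Set-Alias ll Get-ChildItem
Set-Alias gs git
"@

Find-ProfileAlias -ProfileContent $sampleProfile
```

The design choice to note is that the timeout is attached to the Regex instance rather than set process-wide, so a library cannot be undone by a caller's global settings, and that a timeout is treated as an error rather than an empty result: silently returning nothing could lead a profile-editing cmdlet to believe an entry is absent and rewrite the file.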

Dependencies

  • Ampere (0.9.2) — Utility library by the same author. Reviewed and trusted.
  • PowerShellStandard.Library (5.1.1) — Official Microsoft package for building PowerShell modules.

There aren’t any published security advisories