The README says
Given full control of the non-native component of the extension, an attacker may be able to list and decrypt .gpg files that can be accessed by the current user, but cannot execute arbitrary code outside of the browser.
however the extension gets to specify the path of the "gpg" binary, its stdin (for the save action), and its final argument (after --output).
It might require a bit of creativity to find a binary that ignores the fixed arguments but still allows arbitrary code execution given these attacker-inputs, but I would not bet against it.
The README says
however the extension gets to specify the path of the "gpg" binary, its stdin (for the save action), and its final argument (after
--output).It might require a bit of creativity to find a binary that ignores the fixed arguments but still allows arbitrary code execution given these attacker-inputs, but I would not bet against it.