Welcome to a new article - Security Best Practices

Protect your SketchUp extensions from vulnerabilities! :shield: Our latest article, ‘Security Best Practices,’ dives deep into common pitfalls like code injection and unsafe data handling. Learn how to build more robust and trustworthy extensions by understanding how to properly escape data, avoid dangerous functions like eval, and secure file operations. Essential reading for every SketchUp developer aiming to safeguard their users and their work.

Read the full guide here: https://developer.sketchup.com/article-security-best-practises

Article: Security Best Practices, section Ruby Code Injection

I think that Sketchup.read_default runs returned strings through eval.

Is this still the case?

Hi, I’m not a programmer, but I use AI to create extensions useful for me (I will hopefully share them for free when they are tested and verified enough).
I try to follow all the best practices (at least those which I’m aware of) in order to play safe and avoid AI slop.

I constantly run RuboCop on my extensions whenever I edit them, in order to spot potential problems left behind by AI agents.

Yesterday I linked your article as a “source of truth” to an AI agent in order to double-check my codebase for vulnerabilities.
It found two potential “JavaScript Injection” vulnerabilities, which I will fix today (apparently it’s just a matter of a few lines of code that need easy patching).

Would it potentially be possible to include this kind of error in RuboCop?
Apparently it completely missed those.