
If you write a Flutter app and use the Isar storage engine, the running app emits something like this:

flutter: ╔════════════════════════════════════════════════════╗
flutter: ║                ISAR CONNECT STARTED                ║
flutter: ╟────────────────────────────────────────────────────╢
flutter: ║        Open the link to connect to the Isar        ║
flutter: ║       Inspector while this build is running.       ║
flutter: ╟────────────────────────────────────────────────────╢
flutter: ║ https://inspect.isar.dev/3.0.2/#/345/CbIdfsdfsd76  ║
flutter: ╚════════════════════════════════════════════════════╝

Obviously, Isar Inspector requires the running app to call home, so that inspect.isar.dev in a browser window is able to communicate with the running app.

Is this assumption correct?

In case someone needs a purely private development environment, this may conflict with their policy.

SteAp
  • For the one who voted for close: This question isn't directly related to writing flutter software. But Isar Inspector is a part of the 'development pipeline' of isar. Therefore, I'd be happy to keep it, so other developers can decide, if this solution is fine for them. Or too risky. – SteAp Oct 20 '22 at 18:43
  • We can't answer the question in the title: "is isar inspector a security issue?". A DNS lookup of `inspect.isar.dev` reveals that it's (currently) hosted as a github.io site, meaning that whatever it does, it's controlled by _not you_. Whether it's a security issue comes down to whether you personally (or your IT policy) trust that kind of thing. – Roger Lipscombe Oct 20 '22 at 19:08
  • @RogerLipscombe Thank you, Roger. I changed the question a bit. Would be happy, if it could be kept open. In these days of flaws everywhere around us... – SteAp Oct 20 '22 at 19:16

1 Answer


Isar's open() method allows disabling the inspector, but the inspector parameter defaults to true:

  static Future<Isar> open(
    List<CollectionSchema<dynamic>> schemas, {
    String? directory,
    String name = defaultName,
    bool relaxedDurability = true,
    CompactCondition? compactOnLaunch,
    bool inspector = true,
  }) 

If the parameter inspector gets assigned true, the connection to inspect.isar.dev gets prepared by calling _IsarConnect.initialize(schemas):

/// Tree shake the inspector for profile and release builds.
assert(() {
  if (!_kIsWeb && inspector) {
    _IsarConnect.initialize(schemas);
  }
  return true;
}());

Code from isar.dart around line 100.

SteAp
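An added example, not part of the original answer or of the Isar project: a heuristic Python check that flags every `Isar.open(...)` call in Dart sources that does not pass `inspector: false`, since the parameter defaults to true. The file names and sample sources are constructed, and the bracket matching does not understand Dart strings or comments.

```python
import re

# Constructed sample sources (not from the Isar project or the original post).
SAMPLE_SOURCES = {
    "lib/db_default.dart": "final isar = await Isar.open([UserSchema]);\n",
    "lib/db_off.dart": (
        "final isar = await Isar.open(\n"
        "  [UserSchema, (NoteSchema)],\n"
        "  inspector: false, // keep the debug build offline\n"
        ");\n"
    ),
    "lib/db_on.dart": "final isar = await Isar.open([UserSchema], inspector: true);\n",
    "lib/db_flag.dart": "final isar = await Isar.open([UserSchema], inspector: allowInspector);\n",
}

OPEN_CALL = re.compile(r"\bIsar\.open\s*\(")
INSPECTOR_ARG = re.compile(r"\binspector\s*:\s*([^,)\s]+)")


def call_arguments(source, start):
    """Return the argument text of a call whose opening parenthesis ends at `start`."""
    depth = 1
    for i in range(start, len(source)):
        if source[i] in "([{":
            depth += 1
        elif source[i] in ")]}":
            depth -= 1
            if depth == 0:
                return source[start:i]
    return source[start:]  # unbalanced: treat the rest of the file as arguments


def audit(sources):
    """Return (path, line, reason) for each Isar.open call not passing inspector: false."""
    findings = []
    for path, text in sorted(sources.items()):
        for match in OPEN_CALL.finditer(text):
            args = call_arguments(text, match.end())
            line = text.count("\n", 0, match.start()) + 1
            arg = INSPECTOR_ARG.search(args)
            if arg is None:
                findings.append((path, line, "inspector omitted, defaults to true"))
            elif arg.group(1) != "false":
                # Any non-literal value needs a manual look at what it evaluates to.
                findings.append((path, line, "inspector: " + arg.group(1)))
    return findings


if __name__ == "__main__":
    for path, line, reason in audit(SAMPLE_SOURCES):
        print(f"{path}:{line}: {reason}")
```

To audit a real project, build the `sources` dictionary from the `.dart` files under `lib/` and fail the CI job when `audit` returns anything.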