What?
Once in a while, modelines appear in articles about security issues. Vim has a plugin called securemodelines to avoid these issues.
Why?
The plugin should only use some options in modelines, those that do not bring any risk to our systems. It uses a variable called "secure_modelines_allowed_items".
Potential existing implementations:
There is at least one vim version of secure modelines: tlvince/securemodelines
Potential pitfalls:
I have never developed any vim plugin; now, with many Lua plugins coming out, I intend to study to help the community.
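As an added illustration of the allow-list idea in the request above (not the tlvince/securemodelines plugin's own code, and not part of this issue), here is a minimal Neovim Lua handler that parses modelines itself and applies only items named in an allowed_items table; the chosen option set, the five-line window and the BufReadPost wiring are assumptions.

```lua
-- Added example, not the tlvince/securemodelines plugin's own code. The
-- allowed option set and the autocmd wiring are illustrative assumptions.
local M = {}
-- Only these modeline items are honoured; anything else is ignored. Options
-- that run external commands or expressions are deliberately absent.
M.allowed_items = {
  ts = "tabstop", tabstop = "tabstop", sw = "shiftwidth", shiftwidth = "shiftwidth",
  sts = "softtabstop", softtabstop = "softtabstop", et = "expandtab", expandtab = "expandtab",
  tw = "textwidth", textwidth = "textwidth", ft = "filetype", filetype = "filetype",
}
-- Parse one line. Returns {option = value} for allowed items plus the list of
-- rejected item names, or nil when the line has no modeline. Both forms are
-- handled: "vi: ts=4 noet" (rest of line) and "vim: set ts=4 sw=4:" (up to ':').
function M.parse(line)
  local body = line:match("^%s*vim?:%s*(.*)$") or line:match("%s+vim?:%s*(.*)$")
  if not body then return nil end
  local setbody = body:match("^set?%s+(.-):")
  local allowed, rejected = {}, {}
  for tok in (setbody or body):gmatch("[^%s:]+") do
    local name, value = tok:match("^([%a_]+)=(.*)$")
    if name then
      value = tonumber(value) or value         -- "4" -> 4 for number options
    else
      local off = tok:match("^no(%a+)$")       -- "noet" -> expandtab = false
      name, value = off or tok, off == nil
    end
    local opt = M.allowed_items[name]
    if opt then allowed[opt] = value else rejected[#rejected + 1] = name end
  end
  return allowed, rejected
end
-- Apply allowed items found in the first and last five lines of a buffer,
-- the places Vim itself inspects with the default 'modelines' value.
function M.apply(bufnr)
  bufnr = bufnr or 0
  local n = vim.api.nvim_buf_line_count(bufnr)
  local lines = vim.api.nvim_buf_get_lines(bufnr, 0, 5, false)
  if n > 5 then vim.list_extend(lines, vim.api.nvim_buf_get_lines(bufnr, math.max(n - 5, 5), n, false)) end
  for _, l in ipairs(lines) do
    for opt, value in pairs(M.parse(l) or {}) do
      vim.api.nvim_set_option_value(opt, value, { buf = bufnr })
    end
  end
end
-- Disable Vim's built-in modeline processing and run the allow-listed one instead.
vim.o.modeline = false
vim.api.nvim_create_autocmd("BufReadPost", { callback = function(ev) M.apply(ev.buf) end })
return M
```

Items such as makeprg or shell in a file's modeline end up in the rejected list and never reach nvim_set_option_value, which is the whole point of the allow-list.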
Can you explain in simple words how modelines work? As I understand it, modelines set file-specific settings that can be taken from a repository onto some file formats (because you don't trust the repository).
How does this relate to the file content? Does (neo)vim automatically read (very unsafely) settings from the current repo?
How does this prevent accidentally opening vim/neovim with the wrong flags, which subsequently opens files in an unsafe mode?
Should potentially malicious code/files not be opened with nvim -u NONE or nvim --clean? I don't see how this would help.