Comment by pmontra

4 hours ago

My first reaction has been: when we install some node modules, import them and eventually run them, we do grant local execution permissions to whatever the authors of those modules coded in their scripts, right? More or less every language already suffer from the same problem. Who vets the code inside a Ruby gem, a Python package, etc? Add your favorite language.

However I did not know about tasks.json (I don't use VSC) and when I googled it I found the example at https://code.visualstudio.com/api/extension-guides/task-prov... and that is about running rake (Ruby.) So this is a little worse than installing malicious packages: the trigger is opening a malicious repository from the editor. Is this a common practice? If it is, it means two things: 1) the developer did not take an explicit choice of installing and running code, so even the possibility of an attack is unexpected and 2) it affects users of any language, even the ones that have secured package installation or have no installation of packages from remote.

26 comments

pmontra

echoangle 4 hours ago

You get asked if you trust the folder you’re opening every single time you open a new folder in VsCode. Everyone probably always just says yes but it’s not like it doesn’t tell you that opening untrusted folders is dangerous.

mjdv 4 hours ago
Until this post it wasn't clear to me that just opening and trusting a directory can cause code to be run without taking any other explicit actions that seem like they might involve running code, like running tests. My bad, but still!
- jasode 5 minutes ago
  
  reply to multiple comments :
  mjdv : > it wasn't clear to me that just opening and trusting a directory
  andy_ppp : >obviously I wasn’t explicit enough in explaining I’m talking about code execution simply by opening a directory.
  Understandably, there's a disconnect in the mental model of what "opening a folder" can mean in VSCode.
  In 99% of other software, folders and directories are purely navigation and/or organization and then you must go the extra step of clicking on a particular file (e.g. ".exe", ".py", ".sh") to do something dangerous.
  Furthermore, in classic Visual Studio, solutions+projects are files such as ".sln" and ".vcsproj" or a "CMakeLists.txt" file.
  In contrast, VSCode projects can be the folders. Folders are not just purely navigation. So "VSCode opening a folder" can act like "MS Excel opening a .xlsm file" that might have a (dangerous) macro in it. Inside the VSCode folder may have a "tasks.json" with dangerous commands in it.
  VSCode uses "folders" instead of a top-level "file" as a semantic unit because it's more flexible for multiple languages.
  To re-emphasize, Windows File Explorer or macOS Finder "opening a folder" do not run "tasks.json" so it is not the same behavior as VSCode opening a folder.
- echoangle 3 hours ago
  
  The message displayed when asking if you want to trust the directory is pretty clear about it.
  https://code.visualstudio.com/docs/editing/workspaces/worksp...
  
  4 replies →
- andy_ppp 3 hours ago
  
  What is the stated reasoning for arbitrary code execution as a feature? Seems pretty mad to me.
  
  9 replies →
duskdozer 3 hours ago
The message isn't very clear on what exactly is allowed to happen. Just intuitively, I wouldn't have expected simply opening a folder would "automatically execute tasks" because that's strange to me
- echoangle 3 hours ago
  
  https://code.visualstudio.com/docs/editing/workspaces/worksp...
  It is very clear, the first sentence it that it may automatically execute code.
  
  3 replies →
sroussey 4 hours ago

This is when I say no.
Then copy-paste my default .dev-container directory and reload.

realusername 2 hours ago

The reason it's worse in the js ecosystem is that you need way more packages than your average language to build anything functional.