Comment by pmontra

3 hours ago

My first reaction has been: when we install some node modules, import them and eventually run them, we do grant local execution permissions to whatever the authors of those modules coded in their scripts, right? More or less every language already suffer from the same problem. Who vets the code inside a Ruby gem, a Python package, etc? Add your favorite language.

However I did not know about tasks.json (I don't use VSC) and when I googled it I found the example at https://code.visualstudio.com/api/extension-guides/task-prov... and that is about running rake (Ruby.) So this is a little worse than installing malicious packages: the trigger is opening a malicious repository from the editor. Is this a common practice? If it is, it means two things: 1) the developer did not take an explicit choice of installing and running code, so even the possibility of an attack is unexpected and 2) it affects users of any language, even the ones that have secured package installation or have no installation of packages from remote.

13 comments

pmontra

echoangle 2 hours ago

You get asked if you trust the folder you’re opening every single time you open a new folder in VsCode. Everyone probably always just says yes but it’s not like it doesn’t tell you that opening untrusted folders is dangerous.

mjdv 2 hours ago
Until this post it wasn't clear to me that just opening and trusting a directory can cause code to be run without taking any other explicit actions that seem like they might involve running code, like running tests. My bad, but still!
- echoangle 1 hour ago
  
  The message displayed when asking if you want to trust the directory is pretty clear about it.
  https://code.visualstudio.com/docs/editing/workspaces/worksp...
- andy_ppp 1 hour ago
  
  What is the stated reasoning for arbitrary code execution as a feature? Seems pretty mad to me.
  
  2 replies →
duskdozer 1 hour ago
The message isn't very clear on what exactly is allowed to happen. Just intuitively, I wouldn't have expected simply opening a folder would "automatically execute tasks" because that's strange to me
- echoangle 1 hour ago
  
  https://code.visualstudio.com/docs/editing/workspaces/worksp...
  It is very clear, the first sentence it that it may automatically execute code.
  
  2 replies →
sroussey 2 hours ago

This is when I say no.
Then copy-paste my default .dev-container directory and reload.

realusername 3 minutes ago

The reason it's worse in the js ecosystem is that you need way more packages than your average language to build anything functional.