sciencejerk 10 hours ago

Is tasks.json automatically run? I thought additional user interaction was required?

zvqcMMV6Zcr 2 hours ago

Does it matter that much? I don't think there is any "safe" build system. Users will try to build the project sooner or later. With Maven it is easy to add a plugin with a harmful payload as a dependency; you won't spot it in the "source" unless you carefully review every dependency. IDEs need containers/isolation and they need it now. Instead we got that "Do you trust this project" dialog.

fulafel 9 hours ago

The article doesn't claim it's executed straight up either ("can result"), but it's pretty ambiguous:

> When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.

In the screenshot the task is named "node" - so it's a bit like embedding a malicious Makefile target as a backdoor.

Except harder to spot since it's in an obscure .vscode/somethingsomething JSON file. (And probably you can easily fool GH Copilot into running it.)
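As an added defender-side example (not from the thread or the article): a small scanner that parses a repository's .vscode/tasks.json and lists tasks whose runOptions.runOn is "folderOpen". That setting is assumed here from VS Code's task schema (it is not named on this page); it is the one that makes a task start once the folder is opened and trusted, so it is the thing to look for before clicking "trust" on an unfamiliar clone. The sample tasks.json is constructed.

```python
import json
import re

# Constructed sample: one task set to start when the folder is opened, one ordinary build task.
SAMPLE_TASKS_JSON = r'''{
    // VS Code accepts comments in tasks.json, so a plain json.loads() would fail here
    "version": "2.0.0",
    "tasks": [
        {"label": "node", "type": "shell", "command": "node", "args": ["scripts/setup.js"],
         "runOptions": {"runOn": "folderOpen"}},
        {"label": "build", "type": "shell", "command": "npm run build"}
    ]
}'''


def load_jsonc(text):
    """Parse tasks.json while tolerating the /* */ and full-line // comments VS Code allows.
    (Inline // comments after a value are not handled; that is a simplification.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(text)


def auto_run_tasks(text):
    """Return (label, command line) for every task that VS Code would start on folder open.
    Only runOptions.runOn == "folderOpen" is flagged; tasks that need a manual run are ignored."""
    doc = load_jsonc(text)
    found = []
    for task in doc.get("tasks", []):
        run_on = task.get("runOptions", {}).get("runOn")
        if run_on != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        found.append((task.get("label", "<unlabelled>"), " ".join(parts)))
    return found


if __name__ == "__main__":
    # Run against a real clone: replace SAMPLE_TASKS_JSON with open(".vscode/tasks.json").read()
    for label, cmd in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {label!r}: {cmd}")
```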