| |
| ▲ | mjdv 5 hours ago | parent | next [-] | | Until this post it wasn't clear to me that just opening and trusting a directory can cause code to be run without taking any other explicit actions that seem like they might involve running code, like running tests. My bad, but still! | | |
| ▲ | jasode 2 hours ago | parent | next [-] | | reply to multiple comments : mjdv : > it wasn't clear to me that just opening and trusting a directory andy_ppp : >obviously I wasn’t explicit enough in explaining I’m talking about code execution simply by opening a directory. Understandably, there's a disconnect in the mental model of what "opening a folder" can mean in VSCode. In 99% of other software, folders and directories are purely navigation and/or organization and then you must go the extra step of clicking on a particular file (e.g. ".exe", ".py", ".sh") to do something dangerous. Furthermore, in classic Visual Studio, solutions+projects are files such as ".sln" and ".vcsproj" or a "CMakeLists.txt" file. In contrast, VSCode projects can be the folders. Folders are not just purely navigation. So "VSCode opening a folder" can act like "MS Excel opening a .xlsm file" that might have a (dangerous) macro in it. Inside the VSCode folder may have a "tasks.json" with dangerous commands in it. Once the mental model groks the idea that a "folder" can have a special semantic meaning of "project+tasks" in VSCode, the warning messages saying "Do you trust this folder?" make more sense. VSCode uses "folders" instead of a top-level "file" as a semantic unit because it's more flexible for multiple languages. To re-emphasize, Windows File Explorer or macOS Finder "opening a folder" do not run "tasks.json" so it is not the same behavior as VSCode opening a folder. | | |
| ▲ | EGreg an hour ago | parent | next [-] | | Oh man! Microsoft was the #1 company with this problem for over 25 years and they still do it? Word and Excel “MACROS” used to be THE main vector for kiddie viruses. Come on M$ … billions of dollars and you’re still loading up non-interactive code execution in all your documents that people expect to be POD (Plain Old Data)? https://support.microsoft.com/en-us/office/protect-yourself-... Is it so much to ask for your software to AT LEAST warn peole when it’s about to take a destructive action, and keep asking until the user allows that class of thing non-interactivlely ONLY FOR THAT SIGNED SOFTWARE? Apple does other software things really badly with their millions of dollars, but they get Privacy RIGHT: https://www.youtube.com/watch?v=XPogdNafgic | |
| ▲ | an hour ago | parent | prev [-] | | [deleted] |
| |
| ▲ | echoangle 4 hours ago | parent | prev | next [-] | | The message displayed when asking if you want to trust the directory is pretty clear about it. https://code.visualstudio.com/docs/editing/workspaces/worksp... | | |
| ▲ | CjHuber 3 hours ago | parent | next [-] | | I don't like the way it is handled. Imagine Excel actively prompting you with a pop up every time you open a sheet: "Do you trust the authors of this file? If not you will loose out on cool features and the sheet runs in restricted mode" No it doesn't because restricted mode without Macros is the default and not framed like something bad or loosing out on all of those nice features, | | | |
| ▲ | Nathanba an hour ago | parent | prev | next [-] | | It's worded really badly, so vscode is the thing that provides the dangerous features? No problem, I know and trust vscode. What the message should be warning about is that the folder may contain dangerous code or configuration values that can execute upon opening due to vscode features that are enabled by default. That sounds worse for them but that would be honest. | | |
| ▲ | Cthulhu_ an hour ago | parent [-] | | But you, as a security conscious software developer, know that the phrase "may automatically execute files" can also be "with malicious intent" - the tradeoff that whoever made the text (and since it's open source it's likely been a committee talking about it for ages) had to make is conciseness vs clarity. Give people too much text and they zone out, especially if their objective is "do this take home exercise to get a job" instead of "open this project carefully to see if there's any security issues in it". This problem goes back to uh... Windows Vista. Its predecessors made all users an admin, Vista added a security layer so that any more dangerous tasks required you to confirm. But they went overboard and did it for anything like changing your desktop background image, and very quickly people got numb to the notice and just hit 'ok' on everything. Anyway. In this particular case, VS Code can be more granular and only show a popup when the user tries to run a task saying something like "By permitting this script to run you agree that it can do anything, this can be dangerous, before continuing I'm going to open this file so you can review what it's about to do" or whatever. |
| |
| ▲ | OoooooooO 3 hours ago | parent | prev [-] | | The message, at least for me, does not convey that merely opening may lead to code execution. | | |
| ▲ | hn-acct an hour ago | parent | next [-] | | Other IDEs do this too btw | |
| ▲ | rcxdude 3 hours ago | parent | prev [-] | | Really? "May automatically execute files" suggests to me that at least code could execute without me taking any further explicit action. |
|
| |
| ▲ | andy_ppp 5 hours ago | parent | prev | next [-] | | What is the stated reasoning for arbitrary code execution as a feature? Seems pretty mad to me. | | |
| ▲ | __jonas an hour ago | parent | next [-] | | Here are some examples: - ESLint, the most commonly used linter in the JavaScript ecosystem uses a JavaScript file for configuration (eslint.config.mjs), so if you open a JS project and want your editor to show you warnings from the linter, an extension needs to run that JS - In Elixir, project configuration is written in code (mix.exs), so if you open an Elixir project and want the language server to provide you with hints (errors, warnings and such), the language server needs to execute that code to get the project configuration. More generally it will probably want to expand macros in the project, which is also code execution. - For many languages in general, in order to analyze code, editor extensions need to build the project, and this often results in code execution (like through macros or build scripts like build.rs, which I believe rust-analyzer executes) | |
| ▲ | rcxdude 3 hours ago | parent | prev | next [-] | | When you open up a folder in VS code, addons can start to set up language servers to index the code in the folder. This usually involves invoking build systems to set those up. (I think some people are fixating on the specific feature that's mentioned in the article. The reason this pop-up exists is that there are many ways that this code execution could happen. Disabling this one feature doesn't make it safe, and this feature if not present, could still be achieved by abusing other capabilities that exist in the vs code ecosystem) | |
| ▲ | direwolf20 5 hours ago | parent | prev | next [-] | | Makefiles etc. Many types of projects use arbitrary setup and build commands or can load arbitrary plugins, and unlike VS which imposes its own project format, VSC tries to be compatible with everything that people already use. Git hooks are another one. | | |
| ▲ | andy_ppp 3 hours ago | parent [-] | | Please see the reply to the other comment, obviously I wasn’t explicit enough in explaining I’m talking about code execution simply by opening a directory. | | |
| ▲ | direwolf20 3 hours ago | parent [-] | | Some project types, such as Gradle or Maven projects, use arbitrary commands or plugins in project setup. You have to run arbitrary plugins to know which directories are the source directories, and you have to know which directories are the source directories to do anything in Java. | | |
|
| |
| ▲ | embedding-shape 3 hours ago | parent | prev [-] | | Programming projects frequently feature scripts for building and packaging said projects, those have to be run somehow. Bundling running those into the editor seems like the mad part to me, but I've missed the whole VSCode train so probably something I'm missing. | | |
| ▲ | andy_ppp 3 hours ago | parent [-] | | The grand parent is talking about code execution can happen by just opening the directory, you’re imagining like I did (and the grandparent) that you have to run or execute something in VSC to get that to happen and I’m asking about what features could possibly require this to happen. Obviously running tests or a make file everyone understands clearly you’re executing other people’s code. | | |
| ▲ | arzig 3 hours ago | parent [-] | | It’s not even running tests. Test extensions usually have to run something to even populate the tests panel in my first place and provide the ability to run à la carte. Thus opening a folder will cause the test collector binary to run. | | |
| ▲ | andy_ppp 2 hours ago | parent [-] | | They could ask and/or parse the tests for the information rather than run them to output it. I’m honestly still not seeing a killer feature here that makes the security implications worth it! |
|
|
|
| |
| ▲ | 5 hours ago | parent | prev [-] | | [deleted] |
| |
| ▲ | duskdozer 5 hours ago | parent | prev | next [-] | | The message isn't very clear on what exactly is allowed to happen. Just intuitively, I wouldn't have expected simply opening a folder would "automatically execute tasks" because that's strange to me | | |
| ▲ | echoangle 4 hours ago | parent [-] | | https://code.visualstudio.com/docs/editing/workspaces/worksp... It is very clear, the first sentence it that it may automatically execute code. | | |
| ▲ | duskdozer 4 hours ago | parent | next [-] | | >Code provides features that may automatically execute files... What features? What files? "may"? So will it actually happen or is it just "well it possibly could"? I've used it to open folders that I personally made and which don't have any tasks or files that get automatically executed, and yet the message pops up anyway. It's like having an antivirus program that unconditionally flags every file as "this file may contain a virus" | | |
| ▲ | echoangle 3 hours ago | parent | next [-] | | > What features? What files? "may"? So will it actually happen or is it just "well it possibly could"? How is code supposed to know? It probably depends on the plugins you installed. > It's like having an antivirus program that unconditionally flags every file as "this file may contain a virus" No, it’s like if your OS asks if you want to actually run the program you’re about to before running it the first time.
And it gives you the alternative to run it in a sandbox (which is equivalent to what happens when you don’t trust the workspace, then it still opens but in restricted mode) | |
| ▲ | rcxdude 3 hours ago | parent | prev [-] | | Yeah, because there are a lot of mechanisms by which a folder may start to execute code when you open it outside of restricted mode. A large fraction of addons have something which could be used for this, for example. There isn't a general check that it can apply ahead of time for this. (They could, with some breaking changes, maybe try to enforce a permissions system for the matrix of addons and folders, where it would ask for permission when an addon does actually try to run something, but this would result in a lot of permission requests for most repos) |
| |
| ▲ | abecedarius 2 hours ago | parent | prev [-] | | Thing is, when you open a webpage it's clear that it may automatically execute code (Javascript, WebAssembly). What needs to be clear (and by default limited) is the authority of that code. |
|
| |
| ▲ | javcasas an hour ago | parent | prev | next [-] | | autorun.inf flashbacks. | |
| ▲ | sroussey 6 hours ago | parent | prev | next [-] | | This is when I say no. Then copy-paste my default .dev-container directory and reload. | |
| ▲ | windowpains 2 hours ago | parent | prev [-] | | I’ve always defaulted to no. |
|
