
Normalize webview resources when checking roots #163326

Closed

mjbvz opened this issue Oct 11, 2022 · 3 comments · Fixed by #163327
Assignees
Labels
insiders-released Patch has been released in VS Code Insiders security webview Webview issues

Comments

@mjbvz
Collaborator

mjbvz commented Oct 11, 2022

VS Code - Information Disclosure Vulnerability

An information disclosure vulnerability exists in VS Code 1.71 and earlier versions. If an attacker is able to run arbitrary scripts inside of a webview (either created by an extension or by core VS Code), the attacker could bypass the local resource roots check to read arbitrary files on the user's system.

Patches

The fix is available starting with VS Code 1.71.1. The fix mitigates this attack by performing input validation on the URL pointing to the repository to be cloned.

Workarounds

Only use webviews from extensions that follow proper security measures to block script injection

Do not disable VS Code's default security measures in the built-in markdown preview

References

@mjbvz mjbvz added the webview Webview issues label Oct 11, 2022
@mjbvz mjbvz added this to the October 2022 milestone Oct 11, 2022
@mjbvz mjbvz self-assigned this Oct 11, 2022
@mjbvz mjbvz added the security label Oct 11, 2022
@vscodenpa vscodenpa added unreleased Patch has not yet been released in VS Code Insiders insiders-released Patch has been released in VS Code Insiders and removed unreleased Patch has not yet been released in VS Code Insiders labels Oct 11, 2022
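An added example, not VS Code's own code, of the kind of check the issue title describes: a resource path is compared against an allowed local resource root, first by raw string prefix and then after normalizing dot segments and percent-encoding. The paths, root values and helper names are constructed for illustration, and only "/"-separated paths are handled.

```typescript
// Constructed example: why a local-resource-roots check must normalize
// the resource path before comparing it with the allowed roots.

// Split a path into segments, percent-decoding each one and resolving
// "." and ".." so that two spellings of the same location compare equal.
function normalizePath(path: string): string[] {
  const out: string[] = [];
  for (const raw of path.split("/")) {
    let seg: string;
    try {
      seg = decodeURIComponent(raw);
    } catch {
      seg = raw; // malformed escape: keep the literal text
    }
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop(); // step up one level; at the top this is a no-op
      continue;
    }
    out.push(seg);
  }
  return out;
}

// Weak check: a plain prefix comparison on the raw string. It accepts
// "<root>/../elsewhere" and also "<root>sibling" as being under the root.
function naiveIsUnderRoot(resource: string, root: string): boolean {
  return resource.startsWith(root);
}

// Hardened check: normalize both sides, then require that every segment
// of the root matches the corresponding segment of the resource.
function isUnderRoot(resource: string, root: string): boolean {
  const res = normalizePath(resource);
  const base = normalizePath(root);
  if (res.length < base.length) return false;
  return base.every((seg, i) => res[i] === seg);
}

// A resource is allowed when it lies under at least one configured root.
function isAllowed(resource: string, roots: string[]): boolean {
  return roots.some((root) => isUnderRoot(resource, root));
}
```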
@DeeDeeG

This comment was marked as outdated.

@mjbvz

This comment was marked as outdated.

@gjsjohnmurray
Contributor

Should the references to 1.71 in fact be 1.72?

@github-actions github-actions bot locked and limited conversation to collaborators Nov 25, 2022
4 participants