-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tweak settings to prevent accidental execution of code from within a workspace #7805
Comments
One thing to figure out is how to handle |
As a team we use a workspace relative path in |
@obambrough we expect to continue to automatically detect virtual environments. We would also store what environment you choose in VS Code's internal storage so it's a one-time setting. Also realize some people hate that we always set |
@brettcannon I thought the proposed change of storing settings in internal storage was an optional feature (either opt in or opt out), giving users the ability to continue using |
@DonJayamanne it's not fully spec'ed yet so I would prefer to not get into a discussion right now about this until that has occurred. |
FWIW, not setting |
I mentioned this in #12313, but I figured I would also bring it up here for discussion. Regardless of the possible merits or demerits of the proposed changes, there is a real, irrefutable cost to enacting the proposed changes. With regard to this specific issue, I believe getting user certification of to-be-used paths the first time they are encountered by the extension (per workspace) would be easier to implement and lower cost to both the project and users. Is there any reason such a solution would not be sufficient in addressing this issue? |
The problem is that the current behaviour of the extension is to store the path of the selected interpreter for a workspace in the However, as mentioned in #12313 (comment), we may have a solution to keep the python.pythonPath setting in an opt-in way while addressing security concerns. |
I'm hitting this issue. I have a project I use on MacOS / Ubuntu and trying to get windows to work with it leads to an automatic change in settings.json file to use the windows path. Here's my diff: This is the setting: Which get's changed to ..when I select the python interpreter to enable debugging. I want to propose a fix that should be simple and avoid the complicated architecture change. Proposal 1: Still have the path change as it's currently doing, but add a check which only changes the path if and only if the absolute windows path is not equivalent to the absolute windows interpretation of the path which is currently set. In python this would look like:
Proposal 2: Add an optional windows specific python path. For example, In either of these cases the bug would effectively go away for me. |
like @obambrough said, the Python interpreter is required to be workspace dependent - it does not make any sense to change the interpreter to be user dependent with this experiment. A developer has multiple Python interpreters installed and the workspace defines which one is taken. |
@brettcannon, in my humble opinion, the In our team, for instance, we rely on "Remote - Containers" to obtain a fully-reproducible development environment among the members, and this setting comes handy (i.e., because the path is always the same according to the
Is there any place where I can share this comment as a feedback so that this is also taken into account when deciding on the long-term plans? Perhaps one of #2125 or #12313? Cc: @baboune |
@aytekinar we have a solution that covers your issue. We are hoping to release it in 1 to 2 releases from now. |
@brettcannon, my comment may be moot, so if there is some place I can read about what you already have planned, I would love to. I like the way VSCode handles the same issue for typescript, and I wish there were an equivalent of |
We are starting to roll out the experiment and we plan to write a better explanation in another issue, but what we are doing is: So people who don't want their git repos accidentally ending up with a machine-specific path can avoid it while people who generate their settings will be able to still do that. |
…Code changes See: microsoft/vscode-python#2125 microsoft/vscode-python#12313 (comment) microsoft/vscode-python#7805 https://github.com/microsoft/vscode-python/wiki/AB-Experiments/0c052a89db9a175b5ec0942e9fcf687fd87af323 Doing it on the right branch this time!
We have rolled out the changes (see the announcement). Workspace trust also gives proper protections from not accidentally running code in an untrusted code base. |
Thank you, @brettcannon, and the team for handling this in a nice and clean way. I have already been using the new |
We want to prevent the chance of someone opening a fresh workspace on a repository to explore the code and then accidentally triggering the execution of code from within that repository. This is possible if you specify certain settings in a certain way, e.g.:
python.pythonPath
python.linting.pylintPath
python.formatting.blackPath
python.testing.pytestPath
The expected solution to all of this is:
By requiring a user action to set the Python path to e.g. an virtual environment within the workspace it forces the user to choose to trust that interpreter. And by only running paths to tools as specified at the user level then it doesn't allow a repository to override that location.
The text was updated successfully, but these errors were encountered: