-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support another settings scope for safe per-project configuration #103100
Comments
/duplicate This looks similar to local workspace settings - #40233 |
Local workspace settings are still inside the workspace which is a problem security wise, as user can clone a malicious repo containing that setting. I think the ask is to provide a place outside of the workspace. |
It was just one of the proposals. There are also other proposals to have local workspace settings outside workspace. |
The thread got so long that it's hard to locate what's the current status of the bug. I supposed this is the one currently under discussion & implementation. Glad to see the proposal look quite similar to one of the ideas brought up in our team discussion, and see the configuration get stored outside workspace. Maybe worth mention the security consideration explicitly in the proposal? A couple of details I want the proposal to add: Either
Re 1) Something similar to the Re 2) The current Extension authors may call |
Thinking further - I wonder if vscode can prevent loading settings from the workspace in the default mode, and ask users to review the settings from the workspace and explicitly opt in to apply them. Sharing the settings through the files checked in a remote repo comes with many goodies but also opens many doors for attackers. |
I recently learned about #106488 |
As discussed briefly in the "Settings and security" document, some settings are dangerous
to be set through the workspace settings - i.e. an attacker can influence an extension to run
arbitrary binaries by storing a workspace settings file formulated in a specific way and
convincing users to browse the repo with vscode.
Security concerns around the workspace settings were raised for various extensions
multiple times (e.g. vscode-python, etc).
One option to reduce such risks is to disallow workspace settings for those critical ones.
E.g. using the
machine
scope, or implementing a custom way to read only global settings.However, this completely prevents from project-specific settings, which is not desirable.
(e.g. I want to use a different version of a tool for a different project)
Another option is to use VSCode storage (e.g. move of python's pythonPath).
However, this comes with its own cost - each extension has to come up with its own
UI/UX solution so that users can easily browse and set those settings.
This is not ideal for consistent user experience across extensions and VS code itself.
Neither option is satisfactory. Can you consider another mode of settings that allows
per-project settings, but does not store the state as a file in the repo? The settings should
be still configurable through VS Code's awesome, user-friendly settings UI.
The text was updated successfully, but these errors were encountered: