-
Notifications
You must be signed in to change notification settings - Fork 29.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explore notebook trust + workspace trust #118584
Comments
Let us know if there's anything you need. Thanks |
First, what are we trying to do by observing workspace trust?
|
There are currently 2 thought models on workspace trust and explicit actions.
At present, one is not chosen over the other, but hopefully this scopes the discussion. |
|
Renderer code can send messages outside of the webview which gives it a potential real impact, but still it seems like the responsibility is on the renderer - if it's going to send a message which could result in a bad impact based on data in the output, it should check workspace trust. |
Ideally those messages go straight to the extension host and aren't rerouted via the renderer. I believe there was some exploration to use message channels that enables that. |
@lszomoru for awareness |
Talked to @sbatten, the current plan is that for explicit user actions like debugging or running a command that requires trust, a dialog will show asking the user to "continue" and trust the workspace, or "cancel" and not trust it. For notebooks, we can hook into the same system to show a dialog when you first run a cell. You could argue that the extension should be involved in this rather than vscode enforcing it, because trust doesn't matter for some notebooks. For example, I don't care about running a github issues query from an untrusted workspace. But most notebooks are not like that, and this is so similar to debugging, and it will be much simpler to have vscode handle it in the same way. Then also, given the discussion above, I think that we should not automatically block outputs/renderers from loading in an untrusted workspace. The extension can require workspace trust if it is necessary for that extension (like if it is loading and executing code in the workspace) and it's the responsibility of the extension to determine that. cc @connor4312 and @DonJayamanne do you think that's acceptable? |
@roblourens Thanks this makes a lot of sense, and from what I can tell, there's no need to implement a custom trust model in Jupyter extension.
I guess the only question for Jupyter extension is whether we display the output or not (when not trusted). |
VS Code will handle this part of it, the extension doesn't have to do it.
Yes, and we can discuss this more. I'm not sure there is really any need to do anything with output renderers but it probably needs more thinking. |
👍 for allowing renderers through. We just need to be aware that any of the |
Sounds like a kernel property to me, like a kernel can say if it requires trust |
@roblourens Hi Rob, right now the Jupyter extension prompts the user to trust a notebook if not created on the user's machine (ex. they download it). What happens in this scenario where a user opens a stand-alone notebook where it did not come from a trusted workspace? (ex. opened from downloads folder) |
@sbatten how does trust work in a window that doesn't have a folder open? Or for files that are not in the current workspace? |
Current implementation is that empty workspaces (no folder) are trusted by default. However, opening files in an empty workspace will be treated as the "loose file" scenario. If the loose file is not from a known trusted path, we prompt the user once to inform them that they are bringing untrusted content into a trusted workspace. From then on, any additional untrusted content will not receive a prompt for the remainder of the session. |
Command links in outputs and markdown cells could pose a threat in untrusted workspaces. We implemented this in #98100. Is the Jupyter extension still relying on these in outputs and markdown cells? We'd like to think about removing them since they are a vscode-only feature. Or, we have to either
|
Yes.
I'd think this is preferred.
If we can have this, that's even better, but can we guarantee that this will not be open to exploits in some form? |
|
@roblourens looks like there's a lot going on here. Can you write some verification steps, please? |
|
I've verified almost all of the points above except for the last one. |
@rzhao271 you can try it with a restbook ... tanhakabir/rest-book#90 (comment) |
@roblourens why should not I see previously generated rich html output in a loaded notebook? I think you are taking this 'untrusted' workspaces a bit too far. If I had a renderer that generated a chart as a cell output and saved it. Are you saying I should not be able to see it with your notion of an untrusted workspace? I most certainly disagree with you and your teams decisions on this. |
Custom renderers should still work in an untrusted workspace. HTML outputs don't. Even though they are "sandboxed" in an iframe, the iframe has special privileges such that we believe it isn't safe to run explicitly untrusted scripts in it. In the html output case, this is untrusted content from the document, not from an extension. |
I believe Google collab and jupyter run something that scrapes out javascript from any html outputs by default. Might we be able to do something similar? |
I don't see why we would show a possibly broken output. And I don't really trust any html parsing code I write for security purposes. There might be a fallback output mimetype. |
Wouldn't custom renderers be the same thing? The data is json that drives the custom renderer. It could potentially be a security risk too? |
I think the only truly safe output would be text/plain. Although I still think you could remove script tags pretty easy. Everything else is potentially running code on the output. |
close, but I think you should still show built-in html render and render it. not sure I like the stripping out of js idea either. do it if you must. Those cell outputs run in an iframe in a notebook webview and is already sandboxed with CSP and rest that comes with it. what attack vectors are you trying to prevent there? Sounds like premature optimization to me at this point until we have some more rich output renders to play with and finalize this. |
@connor4312 this regressed in d6d9200#diff-54b1e3297f88bd6925ca5fe088edaf93b8aa1832936da6350d69fec68375504eL54 where we pick mimetype 0, even if it's not trusted. I don't quite follow, can you take a look? |
Thanks @connor4312. @rchiodo it's the difference between html that comes from workspace content and html that comes from extensions. @RandomFractals an example is that html outputs can have links that trigger vscode commands |
ok. I did likes and dislikes on this feature implementation, ideas, and proposed approaches with my thumbs up and down. Please view them as agree or disagree. Thanks! |
The json in the outputs that drives the html from the renderer can be anything though. And the renderer could theoretically be doing anything possible in a renderer (like say sending messages back to the extension to run a cell). That's why I think any json (read by a renderer, or causes code execution) in an untrusted notebook should be deemed malicious. |
Continuing the discussion from #106747
The text was updated successfully, but these errors were encountered: