
Clarify in UI if extensions run code #162944

Closed
isidorn opened this issue Oct 7, 2022 · 7 comments
Labels
extensions Issues concerning extensions *out-of-scope Posted issue is not in scope of VS Code under-discussion Issue is under discussion for relevance, priority, approach

Comments

@isidorn
Contributor

isidorn commented Oct 7, 2022

Currently there is no difference in the extension UI between an extension that is running code and one that has no code, like themes.
Also I believe that most of our users are unaware that extensions that they install can execute any code they want.
I think we should:

  • Make it more transparent that extensions with code can execute any code they want. The message should be informative but not scary.
  • Make it obvious that extensions like themes do not run code and thus are "safe".
  • If an extension that has no code updates to a version that introduces code, we should show a modal dialog to the user to ask them if they want to apply the update. The wording of the dialog should be geared towards not allowing the update.

fyi @daviddossett @alexdima

@isidorn isidorn added extensions Issues concerning extensions under-discussion Issue is under discussion for relevance, priority, approach labels Oct 7, 2022
@daviddossett
Contributor

Probably also needs to be considered alongside #151599 if we're surfacing this in the list view. Otherwise we can think about how this might be surfaced on the detail and marketplace pages.

@isidorn
Contributor Author

isidorn commented Oct 10, 2022

@daviddossett I would not put this in the list view but only in the extension details page. That page has details that users can look at before installing an extension, and I feel like that is the right spot for this.

@sandy081
Member

May I know the root cause that is driving this?

@isidorn
Contributor Author

isidorn commented Oct 14, 2022

@sandy081 Lots of security features are about preventing something; there is no cause other than making VS Code secure and trustworthy.
What we want to prevent is the following:

  1. Malicious actor publishes a nice theme extension on the marketplace
  2. Everybody installs the theme; seeing as it has no code, they can trust this extension
  3. Malicious actor updates the theme extension to contain malicious code
  4. Everybody gets auto updated 💣
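
The scenario above boils down to one detectable transition: a manifest that declared no entry point in the installed version declares one in the update. The following is an added example (not VS Code's own code, and not an API it exposes) of how a client could classify an extension manifest and gate exactly that transition behind a confirmation. It assumes that an extension runs code if and only if its `package.json` carries a `main` (Node extension host) or `browser` (web extension host) entry point; the function names, the `Verdict` type and the three sample manifests are constructed for this example.

```typescript
// Added example, not VS Code's own code: decide whether an extension manifest
// (package.json) declares an entry point, and flag an update that turns a
// previously code-free extension (e.g. a theme) into one that runs code.
// Assumption: an extension runs code iff its manifest has a `main` (Node
// extension host) or `browser` (web extension host) entry point.

interface ExtensionManifest {
  name: string;
  publisher: string;
  version: string;
  main?: string;
  browser?: string;
  contributes?: Record<string, unknown>;
}

// Parse and minimally validate a manifest. Identity fields are required so a
// malformed manifest can never be classified as "safe" by accident.
function parseManifest(json: string): ExtensionManifest {
  const raw = JSON.parse(json) as Record<string, unknown>;
  for (const field of ["name", "publisher", "version"]) {
    if (typeof raw[field] !== "string") {
      throw new Error(`manifest is missing string field "${field}"`);
    }
  }
  return raw as unknown as ExtensionManifest;
}

// A theme extension *can* ship code as well; `contributes.themes` alone
// proves nothing, only the absence of entry points does.
function runsCode(m: ExtensionManifest): boolean {
  return typeof m.main === "string" || typeof m.browser === "string";
}

function entryPoints(m: ExtensionManifest): string[] {
  return [m.main, m.browser].filter((p): p is string => typeof p === "string");
}

type Verdict = "auto-update" | "confirm-with-user";

interface UpdateReview {
  verdict: Verdict;
  reason: string;
}

// Compare the installed manifest with the update candidate. The one
// transition that needs explicit user consent is "no code" -> "code".
function reviewUpdate(installed: ExtensionManifest, candidate: ExtensionManifest): UpdateReview {
  if (installed.publisher !== candidate.publisher || installed.name !== candidate.name) {
    throw new Error("installed and candidate manifests describe different extensions");
  }
  const id = `${installed.publisher}.${installed.name}`;
  const before = runsCode(installed);
  const after = runsCode(candidate);
  if (!before && after) {
    return {
      verdict: "confirm-with-user",
      reason: `${id} ${installed.version} contained no code; ${candidate.version} adds entry point(s) ` +
        `${entryPoints(candidate).join(", ")} and will be able to run arbitrary code`,
    };
  }
  const contributed = Object.keys(candidate.contributes ?? {}).join(", ") || "none";
  return {
    verdict: "auto-update",
    reason: before
      ? `${id} already ran code in ${installed.version}; ${candidate.version} does not change that`
      : `${id} ${candidate.version} still declares no entry point (contributes: ${contributed})`,
  };
}

// Constructed sample manifests (not real marketplace extensions).
const THEME_V1 = JSON.stringify({
  name: "example-theme", publisher: "example-publisher", version: "1.0.0",
  contributes: { themes: [{ label: "Example Dark", uiTheme: "vs-dark", path: "./themes/dark.json" }] },
});
const THEME_V2_MORE_THEMES = JSON.stringify({
  name: "example-theme", publisher: "example-publisher", version: "1.1.0",
  contributes: { themes: [
    { label: "Example Dark", uiTheme: "vs-dark", path: "./themes/dark.json" },
    { label: "Example Light", uiTheme: "vs", path: "./themes/light.json" },
  ] },
});
const THEME_V3_WITH_CODE = JSON.stringify({
  name: "example-theme", publisher: "example-publisher", version: "2.0.0",
  main: "./out/extension.js",
  contributes: { themes: [{ label: "Example Dark", uiTheme: "vs-dark", path: "./themes/dark.json" }] },
});

// Walk the constructed update chain and return the verdict for each step.
function demo(): Verdict[] {
  const v1 = parseManifest(THEME_V1);
  const v2 = parseManifest(THEME_V2_MORE_THEMES);
  const v3 = parseManifest(THEME_V3_WITH_CODE);
  const reviews = [reviewUpdate(v1, v2), reviewUpdate(v2, v3), reviewUpdate(v3, v3)];
  for (const r of reviews) console.log(`${r.verdict}: ${r.reason}`);
  return reviews.map((r) => r.verdict);
}

demo();
```

Only the 1.1.0 to 2.0.0 step, where `main` first appears, yields `confirm-with-user`; adding a second theme file or updating an extension that already ran code stays on the auto-update path, which is the behaviour the proposal describes.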

@sandy081
Member

Wondering whether any extension that a malicious author publishes has the same security concerns, whether or not the extension had code before?

CC @alexdima

@isidorn
Contributor Author

isidorn commented Oct 20, 2022

@sandy081 I actually pinged Alex Dima on the first comment because this is his idea :) I should have mentioned that - sorry.

@isidorn isidorn added this to the Backlog milestone Dec 5, 2022
@isidorn isidorn added the *out-of-scope Posted issue is not in scope of VS Code label Dec 6, 2022
@vscodenpa

We closed this issue because we don't plan to address it in the foreseeable future. If you disagree and feel that this issue is crucial: we are happy to listen and to reconsider.

If you wonder what we are up to, please see our roadmap and issue reporting guidelines.

Thanks for your understanding, and happy coding!

@vscodenpa vscodenpa closed this as not planned Dec 6, 2022