

According to Microsoft, VS Code currently has 14 million active users, making it the most popular IDE with around 50% of the developer market share. That’s a huge attack surface.

Additionally, IDEs are usually never left bare bones. Plugins and extensions are constantly getting installed to enhance the development process, including code linting, deployment environment integration, file parsing, previewing, and more. All these plugins are written by third-party maintainers and curated on dedicated marketplaces.

Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product. Leaking a developer’s private key can allow a malicious stakeholder to clone important parts of the code base or even connect to production servers. Even simple things like environment variables usually contain important information: passwords for your proxy servers, tokens for CI/CD pipelines, and so on. But can a developer who installs an extension guarantee that it doesn’t contain a vulnerability that can jeopardize their codebase or application?

In this post, we’re going to focus on a special attack case which allows malicious actors to compromise developers by exploiting vulnerabilities in local web servers being run - sometimes unknowingly - by installed extensions. The security flaws we are going to examine are introduced via VS Code extensions that start web servers.
