1) git clone 2) add the cloned repo to the VSCode workspace.You can try for yourself! This innocuous PoC repo opens Calculator.app on macOS: Given that the industry-standard 90 days expired and the issue is exposed in a GitHub issue, we have decided to disclose the vulnerability.
We contacted Microsoft on the 2nd October 2019, however the vulnerability is still not patched at the time of writing. The behavior is not in VSCode core, but rather in the Python extension. In practice, it is possible to hide the virtualenv in any repository. If found in the cloned repo, this value is loaded and trusted without asking the user. Once a virtualenv is found, VSCode saves its path in. Adding a malicious folder to the workspace and opening a python file inside the project is sufficient to trigger the vulnerability. VSCode behaviour is dangerous since the virtualenv found in a project folder is activated without user interaction. This seemed sketchy, so I added os.exec("/Applications/Calculator.app") to one of pylint sources and a calculator spawned. Did VSCode just automatically select the Python environment from the project folder?! To confirm my hypothesis, I installed pylint inside that virtualenv and the warning disappeared. Then I noticed venv-test displayed on the lower-left of the editor window. To my surprise, after running pip install -user pylint the warning was still there. Some time ago I was reviewing a client’s Python web application when I noticed a warningįair enough, I thought, I just need to install pylint.
Your browser does not support the video tag. It currently has 16.5M+ installs reported in the extension marketplace. This is the story of how I stumbled upon a code execution vulnerability in the Visual Studio Code Python extension. Don't Clone That Repo: Visual Studio Code^2 Execution - Posted by Filippo Cremonese
0 kommentar(er)
