A direct <host>:<port> remote authority (no resolver + prefix) bypasses
resolver extensions and connects straight to the given server. Since this form
can originate from untrusted sources (e.g. the remoteAuthority of a
.code-workspace file), a crafted workspace could silently point the window's
extension host backend at an attacker-controlled server.
Fix:
Centralize a confirmation prompt at the connection point in the renderer:
when resolving a direct authority whose host is not loopback (localhost,
127.0.0.1, ::1), ask the user to confirm before connecting and abort if
declined. Add an isLoopbackHost helper and tests.
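The gate described above, as an added TypeScript sketch that is not VS Code's own implementation: it assumes a direct authority is "<host>:<port>" with no "+" (a "prefix+rest" authority belongs to a resolver extension), treats the whole 127.0.0.0/8 range as loopback in addition to the three hosts named in the advisory, and takes the confirmation prompt as a plain callback so the decision point stays in one place.

```typescript
// Added example, not VS Code code. Assumed shape: "<host>:<port>" is a direct
// authority; anything containing "+" is a resolver+prefix authority and is skipped here.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

interface DirectAuthority { host: string; port: number }

// Parse "<host>:<port>" (IPv6 literals bracketed, e.g. "[::1]:8000").
// Returns undefined for resolver authorities and malformed input.
function parseDirectAuthority(authority: string): DirectAuthority | undefined {
  if (authority.includes('+')) return undefined; // resolver + prefix form, not direct
  const m = /^(?:\[([^\]]+)\]|([^:\[\]]+)):(\d{1,5})$/.exec(authority);
  if (!m) return undefined;
  const host = (m[1] ?? m[2]).toLowerCase();
  const port = Number(m[3]);
  if (port < 1 || port > 65535) return undefined;
  return { host, port };
}

// True only for loopback: localhost, ::1, and any 127.x.y.z address.
function isLoopbackHost(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, '');
  if (LOOPBACK_HOSTS.has(h)) return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

type ConfirmFn = (host: string, port: number) => boolean;

// Single choke point for direct authorities: loopback targets pass through,
// anything else requires explicit user confirmation; undefined means abort.
function resolveDirectAuthority(authority: string, confirm: ConfirmFn): DirectAuthority | undefined {
  const target = parseDirectAuthority(authority);
  if (!target) return undefined;
  if (isLoopbackHost(target.host)) return target;
  return confirm(target.host, target.port) ? target : undefined;
}
```

A workspace-supplied authority such as "attacker.example:8000" therefore never reaches the connection code without the user having answered the prompt, while "localhost:8000" connects as before.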
Patches
The fix is available starting with VS Code 1.123.1. Commit details: 9673132