-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] OS-level readwrite sandboxing for filesystem readwrites #180233
Comments
This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 20 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation. Happy Coding! |
This feature request has not yet received the 20 community upvotes it takes to make to our backlog. 10 days to go. To learn more about how we handle feature requests, please see our documentation. Happy Coding! |
Added a proposed changeset now that this has 20 upvotes! 🥳🎉 please critique or add suggestions |
What about network access restrictions? |
Interesting. Do you have any user story or problem statement there? |
@zm-cttae yes, an extension could perform malicious actions using network calls:
|
We closed this issue because we don't plan to address it in the foreseeable future. If you disagree and feel that this issue is crucial: we are happy to listen and to reconsider. If you wonder what we are up to, please see our roadmap and issue reporting guidelines. Thanks for your understanding, and happy coding! |
Problem statement
This feature request is part of an "epic" suggestion in #52116 (comment)
This feature request also replaces (supersedes) #174715
Proposed solution
Implementation details
This will prevent extensions from modifying system files and other files with semi-locked or locked chmod permissions.
Changes would apply to
require("fs")
andvscode.workspace.fs
.That way we could officially use
/c/Program Files
or/usr/bin
with native APIs.Proposed changeset
vscode
API readwrite access outside VS Code specific folders.fs
readwrite access outside VS Code specific folders./c/Program*
or/usr/bin
(XDG programs) for file I/O ops.%USERPROFILE%/Documents
or~/documents
(XDG documents) for file I/O ops.%ALLUSERSPROFILE%
or~/public
(XDG publicshare) for file I/O ops.%PATH%
files and temporary files directory.The text was updated successfully, but these errors were encountered: