Tweak settings to prevent accidental execution of code from within a workspace #7805

Open
brettcannon opened this issue Oct 7, 2019 · 5 comments

Member

@brettcannon brettcannon commented Oct 7, 2019

We want to prevent the chance of someone opening a fresh workspace on a repository to explore the code and then accidentally triggering the execution of code from within that repository. This is possible if you specify certain settings in a certain way, e.g.:

  • python.pythonPath
  • python.linting.pylintPath
  • python.formatting.blackPath
  • python.testing.pytestPath

The expected solution to all of this is:

  • Store a workspace's Python path internally and require the user to select a path/virtual environment manually if it exists within the workspace (#2125)
  • Make tool paths be user-only, so that installation into an environment still works, but can be overridden only system-wide

By requiring a user action to set the Python path to e.g. a virtual environment within the workspace it forces the user to choose to trust that interpreter. And by only running paths to tools as specified at the user level then it doesn't allow a repository to override that location.

Member Author

@brettcannon brettcannon commented Oct 7, 2019

One thing to figure out is how to handle python -m unittest and if someone specifies a unittest.py in the workspace (this also includes having to worry about .pth). We might need to get sys.path from the selected Python interpreter, do a search for the relevant tools that would get picked up by -m, and not use it if it lands in the workspace or at least warn about it before using it.
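
The check described in this comment, sketched as an added example (not code from the extension or from any participant in this thread): it resolves what `python -m <module>` would load without importing it, and flags a result that lies inside the workspace. The function names are hypothetical; it assumes `-m` runs with the workspace as the current directory and that the selected interpreter's `sys.path` has already been obtained.

```python
import importlib
import sys
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path


def is_inside(path, workspace):
    """True if path resolves to a location at or below workspace."""
    try:
        Path(path).resolve().relative_to(Path(workspace).resolve())
        return True
    except ValueError:
        return False


def resolve_dash_m(module, workspace, interpreter_path):
    """Locate what `python -m module` would load, without importing it.

    Returns (origin, shadowed): origin is the file found (or None) and
    shadowed is True when that file lives inside the workspace.
    """
    # Assumption: `-m` is run with cwd == workspace, so cwd is searched first.
    search = [str(workspace)] + [p for p in interpreter_path if p]
    importlib.invalidate_caches()
    top_level = module.split(".")[0]  # a shadowed parent package is enough
    spec = PathFinder.find_spec(top_level, search)
    origin = spec.origin if spec and spec.origin else None
    return origin, bool(origin) and is_inside(origin, workspace)


def workspace_path_entries(workspace, interpreter_path):
    """sys.path entries inside the workspace (e.g. added by a .pth file)."""
    return [p for p in interpreter_path if p and is_inside(p, workspace)]


def demo():
    # Constructed sample: one clean workspace, one that ships unittest.py.
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as bad:
        Path(bad, "unittest.py").write_text("# constructed placeholder\n")
        return (resolve_dash_m("unittest", clean, sys.path),
                resolve_dash_m("unittest", bad, sys.path))


if __name__ == "__main__":
    for origin, shadowed in demo():
        print("WARN" if shadowed else "ok", origin)
```

A caller would refuse to run the tool, or warn first, when `shadowed` is true or when `workspace_path_entries` returns anything.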

@obambrough obambrough commented Nov 20, 2019

As a team we use a workspace relative path in python.pythonPath so that we can open any of our workspaces and run with the correct Python interpreter for that project, without any further configuration by any team member. That's one of the primary benefits of VS Code over IntelliJ, how simple it has been to share our configuration. It seems like you'll be taking away this very convenient feature.

Member Author

@brettcannon brettcannon commented Nov 20, 2019

@obambrough we expect to continue to automatically detect virtual environments. We would also store what environment you choose in VS Code's internal storage so it's a one-time setting. Also realize some people hate that we always set "python.pythonPath" as it isn't OS-agnostic. So this is a can't-make-everyone-happy-all-the-time situation.

@DonJayamanne DonJayamanne commented Nov 20, 2019

@brettcannon I thought the proposed change of storing settings in internal storage was an optional feature (either opt in or opt out), giving users the ability to continue using python.pythonPath. I.e. @obambrough would be able to continue with python.pythonPath.

Member Author

@brettcannon brettcannon commented Nov 20, 2019

@DonJayamanne it's not fully spec'ed yet so I would prefer to not get into a discussion right now about this until that has occurred.
