-
Notifications
You must be signed in to change notification settings - Fork 28.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Important control characters aren't rendered when "editor.renderControlCharacters" is set, possibly leading users astray #116939
Comments
Duplicate of #58252 There are some extension suggestions in #58252 (comment) you can give a try. |
I don't think this is a duplicate. That issue is about invisible characters, which are different than control characters. For example, a nonbreaking space (U+00A0) is an invisible character but not a control character. It is in Unicode category This issue is specifically about the issue that VS Code has a setting called "render control characters" which does not render control characters; it fails to render the |
@alexdima Right now this is classified as a |
The code has been written in mind with "Control Characters" meaning "ASCII Control Characters". So the code itself does not have a bug. It renders ASCII Control Characters correctly using the special Control Pictures characters i.e. https://www.unicode.org/charts/PDF/U2400.pdf I think you have written a very good and convincing issue, and I agree with you that this is super deceiving. But IMHO the issue is about expanding the initial definition of Control Characters to contain more than ASCII Control Characters, possibly all Unicode Control Characters. So that's why I marked the issue as a feature request, because it is something somewhat new that must be implemented. |
I will present here a more convincing argument to why this feature request should be implemented. #! /usr/bin/env python3
# POC Exploit for https://github.com/microsoft/vscode/issues/116939
import string
DOMAIN_NAME_CHARS = string.ascii_lowercase + string.digits + '-.'
def download_and_execute_code(trusted_host: str):
# a crude domain name character filter to prevent injection attacks
host_badchar_filtered = ''.join((c for c in trusted_host if c in DOMAIN_NAME_CHARS))
url = 'https://{}/trusted_installer.py'.format(host_badchar_filtered)
print('Downloading from {}'.format(url))
# The rest is left as an exercise for the reader
# Hint: Use the `exec` builtin: https://docs.python.org/3/library/functions.html#exec
# as well as the `requests` library: https://docs.python-requests.org/en/master/
# Example using Google. Note this is a demo and the requested file doesn't actually exist on Google servers
# Benign code
# download_and_execute_code('www.google.com')
# EVIL code
download_and_execute_code('www.gooelg.com') The second line (EVIL code) looks identical to the "Benign code" above, but makes the script download from
If the code is executed the attacker in control of As of the time of writing the domain is available: This demonstrates how easy someone can carry out this attack. |
…rendering control characters. Also turn on `editor.renderControlCharacters` by default.
Issue Type: Bug
Problem
Imagine you're looking at some code in VS Code:
Ostensibly, this transfers 6,776 USD from sender 5678 to recipient 1234. Right?
Unfortunately, no. Instead, this code hides malicious intent: it actually transfers 4,321 USD from sender 5678 to recipient 6776, stealing sender 5678's money. How is this possible?
Explanation
It's because this code is hiding two special Unicode control characters: U+202E ("right-to-left override") and U+202C ("pop directional formatting"). With explicit insertions, it looks like this:
In other words, this gives the code the visual appearance of sending 6776 USD to recipient 1234, but that's not what the actual underlying text says; it says to transfer 4,321 USD to recipient 6776. Our editor — what we trust to show us text correctly — has led us into the wrong conclusion.
We can see that the actual bytes of the string in the code example do indeed have these control characters:
Normally the way around this sort of sneakiness is to use
View > Show Control Characters
. But if you copy the string from the example into VS Code, you won't see these control characters. They aren't rendered at all. How can we make sure these special characters get rendered?Likely root cause
The bug is in
src/vs/editor/common/viewLayout/viewLineRenderer.ts
: it assumes a definition of "control character" that amounts to "anything whose character code as determined byString.charCodeAt
is in the range U+0000⋯U+001F".https://github.com/microsoft/vscode/blob/main/src/vs/editor/common/viewLayout/viewLineRenderer.ts#L960-L961
That assumption is incorrect, or at least too narrow to cover this case.
A possible fix
The right definition for control character for purposes of VS Code is probably, at a minimum, "anything in the
Cc
andCf
Unicode general categories", and not the current definition.VS Code version: VSCodium 1.52.1 (ea3859d, 2020-12-17T00:37:39.556Z)
OS version: Linux x64 5.8.0-7642-generic
System Info
flash_3d: enabled
flash_stage3d: enabled
flash_stage3d_baseline: enabled
gpu_compositing: enabled
multiple_raster_threads: enabled_on
oop_rasterization: disabled_off
opengl: enabled_on
protected_video_decode: unavailable_off
rasterization: disabled_software
skia_renderer: enabled_on
video_decode: unavailable_off
vulkan: disabled_off
webgl: enabled
webgl2: enabled
Extensions (13)
(1 theme extensions excluded)
The text was updated successfully, but these errors were encountered: