
localResourceRoots should accept only URIs with the file scheme #135361

Closed
tamuratak opened this issue Oct 19, 2021 · 3 comments
Labels: bug (Issue identified by VS Code Team member as probable bug), insiders-released (Patch has been released in VS Code Insiders), verified (Verification succeeded), webview (Webview issues)

Comments

tamuratak commented Oct 19, 2021

Version: 1.62.0-insider (Universal)
Commit: 729d816
Date: 2021-10-18T05:21:54.840Z
Electron: 13.5.1
Chrome: 91.0.4472.164
Node.js: 14.16.0
V8: 9.1.269.39-electron.0
OS: Darwin arm64 20.6.0

Misconfigured localResourceRoots leads to a serious issue. And we can easily misconfigure it. localResourceRoots should accept only URIs with the file scheme.

Steps to Reproduce:

  1. Execute the sample code: https://github.com/tamuratak/vscode-extension-samples/tree/misconf_webview/webview-view-sample
  2. In the sample code, we set asWebviewUri(this._extensionUri) to localResourceRoots, instead of this._extensionUri. It is a misconfiguration.
  3. fetch inside the WebView View can access /etc/bashrc.

CC: @mjbvz

@mjbvz mjbvz added the webview Webview issues label Oct 20, 2021
mjbvz commented Oct 20, 2021

Thanks! Taking a look.

Only allowing file is probably restrictive, as we do need to support virtual and remote workspaces. However, I'll see if we can catch the case where you pass in the results of asWebviewUri.
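The misconfiguration from the report (an asWebviewUri result used as a root) and the constraint in the comment above (virtual and remote workspace schemes must keep working), as an added example that is not VS Code's code or the issue's sample extension. It assumes a minimal Uri shape in place of vscode.Uri, that asWebviewUri() yields an https URI whose host is a constructed placeholder here, and the scheme list and helper names (ALLOWED_ROOT_SCHEMES, validateRoots, mayLoad) are this example's own:

```typescript
// Added example (not VS Code's code nor the issue's sample extension). It models
// the containment check behind localResourceRoots and a guard that catches the
// misconfiguration from the report: passing the result of asWebviewUri() as a root.
// Assumptions: a minimal Uri shape standing in for vscode.Uri, and that
// asWebviewUri() yields an https URI (its host below is a constructed placeholder).
interface Uri { scheme: string; authority: string; path: string }

// Roots may describe local files or the virtual/remote workspaces the host
// must keep supporting (mjbvz's constraint); anything else is rejected.
const ALLOWED_ROOT_SCHEMES = new Set(["file", "vscode-remote", "vscode-vfs"]);

// Collapse "." and ".." so a request cannot escape a root by traversal.
function normalizeSegments(p: string): string[] {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return out;
}

// True when `candidate` equals `root` or lies beneath it.
function isUnderRoot(candidate: Uri, root: Uri): boolean {
  if (candidate.scheme !== root.scheme || candidate.authority !== root.authority) return false;
  const r = normalizeSegments(root.path), c = normalizeSegments(candidate.path);
  return c.length >= r.length && r.every((seg, i) => seg === c[i]);
}

// Warnings for roots that cannot be a local directory, e.g. an asWebviewUri() result.
function validateRoots(roots: Uri[]): string[] {
  return roots
    .filter(r => !ALLOWED_ROOT_SCHEMES.has(r.scheme))
    .map(r => `root ${r.scheme}://${r.authority}${r.path}: scheme "${r.scheme}" is not a local resource scheme`);
}

// The webview may load `requested` only if the roots are valid and one contains it (fail closed).
function mayLoad(requested: Uri, roots: Uri[]): boolean {
  return validateRoots(roots).length === 0 && roots.some(root => isUnderRoot(requested, root));
}

// Constructed sample values mirroring the report.
const extensionUri: Uri = { scheme: "file", authority: "", path: "/home/me/.vscode/extensions/sample" };
const webviewUri: Uri = { scheme: "https", authority: "placeholder.webview-resource.invalid", path: extensionUri.path };
const etcBashrc: Uri = { scheme: "file", authority: "", path: "/etc/bashrc" };
const traversal: Uri = { scheme: "file", authority: "", path: extensionUri.path + "/../../../../../etc/bashrc" };
const ownScript: Uri = { scheme: "file", authority: "", path: extensionUri.path + "/media/main.js" };
```

With `[extensionUri]` as the root, `mayLoad` admits `ownScript` and refuses both `etcBashrc` and the traversal form; with `[webviewUri]` as the root, `validateRoots` reports the misconfiguration and nothing loads.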

@mjbvz mjbvz added the bug Issue identified by VS Code Team member as probable bug label Oct 20, 2021
@mjbvz mjbvz added this to the October 2021 milestone Oct 20, 2021
@mjbvz mjbvz closed this as completed in d51d291 Oct 20, 2021
mjbvz commented Oct 20, 2021

Ok, I fixed the bug that would cause an asWebviewUri uri to mistakenly allow other uris to be loaded.

Give it a try in the next insiders build and let me know if something still seems off.

tamuratak (author) commented

I have confirmed that the issue is fixed. WebView View cannot access /etc/bashrc.

@mjbvz mjbvz added z-author-verified verified Verification succeeded labels Oct 28, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Dec 4, 2021