[Bug] Incomplete Sanitization in conversationFeature.ts: Double-Escaping Bug Allows Shell Argument Injection in Git Commit Message #316996

@programsurf

BUG DESCRIPTION

Summary

The Copilot extension's conversationFeature.ts sanitizes a generated commit message before embedding it in a git commit -m "..." shell command, but applies the double-quote escape before the backslash escape; this ordering bug causes " characters to become \\" in the final shell string, which a shell parser interprets as an escaped backslash followed by a closing quote, splitting the -m argument and enabling shell argument injection. This finding is tagged known-accepted by the project team (inline CodeQL suppression [SM02383] Backslashes are escaped as part of the second replace). Reporting for awareness and potential hardening.

Details

Affected file: extensions/copilot/src/extension/conversation/vscode-node/conversationFeature.ts
Line: 251
Commit: 39e6e45

The sanitization at line 251 applies replace(/"/g, '\\"') first, then replace(/\\/g, '\\\\'). Step 2 re-escapes the \ introduced by step 1, turning \" into \\". In a double-quoted shell string, \\" means an escaped backslash followed by a closing quote, so the message argument closes early and the remaining content becomes additional shell tokens.

Proof of Concept

node poc.js

The PoC replicates the two-step sanitization, constructs the resulting shell command string, and uses a minimal shell-argument parser to verify that a commit message containing " produces more than four shell tokens, confirming argument splitting.

reproduce.zip

Impact

An attacker who can influence a repository such that Copilot generates a commit message containing " characters could inject additional shell arguments into the git commit command sent to the user's VS Code terminal. Exploitation requires user interaction and local access context. Impact is limited to the user's local terminal session.

STEPS TO REPRODUCE

  1. Clone Visual Studio Code at commit 39e6e45
  2. Navigate to extensions/copilot/src/extension/conversation/vscode-node/conversationFeature.ts
  3. Observe line 251: commitMessage.replace(/"/g, '\\"').replace(/\\/g, '\\\\')
  4. Provide a commit message containing " (e.g., test" --flag injected): step 1 yields test\", step 2 re-escapes \ to \\, yielding test\\".
  5. The shell command git commit -m "test\\"--flag injected" is parsed as more than four arguments, confirming injection.

SECURITY IMPACT

Product: Visual Studio Code
Version: 1.121.0
Component: extensions/copilot (Copilot extension — conversationFeature)
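
The escaping order described in this issue, next to the reversed order, as an added example (this is not the reporter's poc.js and not code from the VS Code repository). The function names are hypothetical, and the tokenizer is a simplified model that handles only spaces and POSIX-style double quotes.

```javascript
// Added illustration: function names are hypothetical, not from conversationFeature.ts.
// Order described in the issue: quotes first, then backslashes.
function escapeQuotesFirst(msg) {
  return msg.replace(/"/g, '\\"').replace(/\\/g, '\\\\');
}

// Reversed order: backslashes first, so the backslash added for each quote is not re-escaped.
function escapeBackslashesFirst(msg) {
  return msg.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Simplified tokenizer: splits on spaces, honours double quotes and backslash escapes inside them.
function tokenize(cmd) {
  const tokens = [];
  let cur = '', inQuote = false, started = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inQuote) {
      if (c === '\\' && i + 1 < cmd.length && '"\\$`'.includes(cmd[i + 1])) {
        cur += cmd[++i];          // escaped character is taken literally
      } else if (c === '"') {
        inQuote = false;          // closing quote ends the quoted run
      } else {
        cur += c;
      }
    } else if (c === '"') {
      inQuote = true; started = true;
    } else if (c === ' ') {
      if (started) { tokens.push(cur); cur = ''; started = false; }
    } else {
      cur += c; started = true;
    }
  }
  if (started) tokens.push(cur);  // an unterminated quote is treated as ending at end of input
  return tokens;
}

// Build the command string the way the issue describes and return the parsed arguments.
function commitArgv(escapeFn, msg) {
  return tokenize(`git commit -m "${escapeFn(msg)}"`);
}

const sample = 'test" --flag injected';  // input from step 4 of the issue
console.log(commitArgv(escapeQuotesFirst, sample));      // six tokens: -m argument ends at test\
console.log(commitArgv(escapeBackslashesFirst, sample)); // four tokens: message stays one argument
```

With the reversed order the fourth token equals the original message, so the check a regression test would make is that `commitArgv(...)[3]` round-trips the input.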
