terminal: Disable read all by default

[dileepyavan]

Summary

• Add allowRead filesystem sandbox settings for Linux and macOS so specific paths can be re-allowed inside denied read regions.
• Default sandbox read denial to the user home while deriving default read allowances from configured allowRead, common developer tool paths, VS Code data/runtime paths, and write-allowed paths.
• Add a shared terminal sandbox read allow-list for common Git, Node.js, and development tooling paths.
• Update terminal sandbox tests to cover the new default deny/read-allow behavior.
• Use tree sitter parser for parsing bash commands and updating the sandboxruntime config per command execution.
  For testing: https://builds.code.visualstudio.com/builds/insider?commit=bd9e94a3d725475dce55f422e21913dc212ceed8&dev=true
  fixes [Terminal_ Sandbox]: Do not allow reading arbitrary paths inside the $HOME folder #312191

[github-actions]

Screenshot Changes

Base: 490e64db Current: b452e8d6

Changed (1)

editor/inlineCompletions/other/JumpToHint/Dark

Before	After

[Copilot]

Pull request overview

Adds support for a filesystem read allow-list to the terminal sandbox configuration (Linux/macOS), aiming to default-deny reads from the user home while re-allowing common developer/tooling paths and configured exceptions.

Changes:

• Introduces allowRead to the Linux/macOS filesystem sandbox settings schema and runtime config type.
• Generates sandbox config with default denyRead (home) plus derived allowRead from configured allow-list, workspace folders, write-allowed paths, VS Code runtime/data paths, and a shared tooling allow-list.
• Adds a shared terminal sandbox read allow-list module and updates tests for the new deny/read-allow behavior.

Show a summary per file

File	Description
src/vs/workbench/contrib/terminalContrib/chatAgentTools/test/browser/terminalSandboxService.test.ts	Updates/extends tests to validate new deny-home + allowRead derivation behavior (currently Linux-only).
src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxService.ts	Implements allowRead generation, home-deny defaults, allow-list integration, and path expansion logic.
src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxReadAllowList.ts	Adds shared read allow-list groups for Git/Node/common dev tooling paths.
src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandbox.ts	Extends local runtime config type with filesystem.allowRead.
src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalChatAgentToolsConfiguration.ts	Adds allowRead to Linux/macOS configuration schema defaults and docs.
extensions/copilot/.vscode/settings.json	Enables chat.agent.sandbox.enabled in the Copilot extension workspace settings.

Copilot's findings

Comments suppressed due to low confidence (2)

src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxService.ts:532

• On macOS, the generated filesystem paths are not normalized/expanded (eg ~ is left intact): macAllowWrite, macDenyRead, macAllowRead, and denyWrite are passed through without _expandHomePath, but the allow-list (getTerminalSandboxReadAllowList) and default write paths contain many ~/* entries. Unless the sandbox runtime expands ~ itself, this will make the macOS allow/deny lists ineffective. Consider applying the same home expansion for macOS (and for all filesystem arrays), and add coverage to ensure the written config contains absolute paths.

			const linuxAllowWrite = this._resolveLinuxFileSystemPaths(this._updateAllowWritePathsWithWorkspaceFolders(linuxFileSystemSetting.allowWrite));
			const macAllowWrite = this._updateAllowWritePathsWithWorkspaceFolders(macFileSystemSetting.allowWrite);
			const linuxDenyRead = this._resolveLinuxFileSystemPaths(this._updateDenyReadPathsWithHome(linuxFileSystemSetting.denyRead));
			const macDenyRead = this._updateDenyReadPathsWithHome(macFileSystemSetting.denyRead);
			const linuxAllowRead = this._resolveLinuxFileSystemPaths(this._updateAllowReadPathsWithAllowWrite(linuxFileSystemSetting.allowRead, linuxAllowWrite));
			const macAllowRead = this._updateAllowReadPathsWithAllowWrite(macFileSystemSetting.allowRead, macAllowWrite);
			const linuxDenyWrite = this._resolveLinuxFileSystemPaths(linuxFileSystemSetting.denyWrite);

			const sandboxSettings = {
				network: {
					allowedDomains: allowedDomainsSetting,
					deniedDomains: deniedDomainsSetting
				},
				filesystem: {
					denyRead: this._os === OperatingSystem.Macintosh ? macDenyRead : linuxDenyRead,
					allowRead: this._os === OperatingSystem.Macintosh ? macAllowRead : linuxAllowRead,
					allowWrite: this._os === OperatingSystem.Macintosh ? macAllowWrite : linuxAllowWrite,
					denyWrite: this._os === OperatingSystem.Macintosh ? macFileSystemSetting.denyWrite : linuxDenyWrite,
				},

src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxService.ts:664

• _getVSCodeDataReadPaths hardcodes ~/vscode-server-insiders and ~/.vscode-server-insiders. This seems build-variant specific and will miss stable (vscode-server) or other product variants. Consider deriving these names from this._productService.serverApplicationName (and including both dotted and non-dotted forms if needed) rather than hardcoding the insiders folder name.

	private _getVSCodeDataReadPaths(): string[] {
		const paths = ['~/vscode-server-insiders', '~/.vscode-server-insiders'];
		const userHome = this._getUserHomePath();
		if (userHome) {
			paths.push(this._pathJoin(userHome, this._productService.dataFolderName));
			if (this._productService.serverDataFolderName) {
				paths.push(this._pathJoin(userHome, this._productService.serverDataFolderName));
			}
		}
		return paths;

• Files reviewed: 6/6 changed files
• Comments generated: 3