(fix) make runtime/ls-path configurable in user settings only
Due to security reasons: If this could be set in the workspace, a malicious workspace could point this to an arbitrary executable.
dummdidumm committed Mar 23, 2021
1 parent 42fded0 commit 5d7bf1f
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions packages/svelte-vscode/package.json
Expand Up @@ -49,14 +49,16 @@
"title": "Svelte",
"properties": {
"svelte.language-server.runtime": {
"scope": "application",
"type": "string",
"title": "Language Server Runtime",
"description": "- You normally don't need this - Path to the node executable to use to spawn the language server. This is useful when you depend on native modules such as node-sass as without this they will run in the context of vscode, meaning node version mismatch is likely."
"description": "- You normally don't need this - Path to the node executable to use to spawn the language server. This is useful when you depend on native modules such as node-sass as without this they will run in the context of vscode, meaning node version mismatch is likely. This setting can only be changed in user settings for security reasons."
},
"svelte.language-server.ls-path": {
"scope": "application",
"type": "string",
"title": "Language Server Path",
"description": "- You normally don't set this - Path to the language server executable. If you installed the \"svelte-language-server\" npm package, it's within there at \"bin/server.js\". Path can be either relative to your workspace root or absolute. Set this only if you want to use a custom version of the language server."
"description": "- You normally don't set this - Path to the language server executable. If you installed the \"svelte-language-server\" npm package, it's within there at \"bin/server.js\". Path can be either relative to your workspace root or absolute. Set this only if you want to use a custom version of the language server. This setting can only be changed in user settings for security reasons."
},
"svelte.language-server.port": {
"type": "number",
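Review bot: The "svelte.language-server.ls-path" description still says "Path can be either relative to your workspace root or absolute", so a relative value placed in user settings is resolved inside whichever workspace is open and the workspace content again determines which script is launched. Consider requiring an absolute path for this setting, or resolving relative values against a fixed location, and updating the description to match. Separately, both settings are executable paths that differ per machine, and "scope": "machine" would also keep workspace settings from overriding them while still allowing a value in remote settings; if "application" is the deliberate choice, the commit message should say why.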

6 comments on commit 5d7bf1f

@joelmukuthu

Hi @dummdidumm, what's the recommended approach when one needs to configure svelte.language-server.ls-path for a team working on the same project/workspace?

@dummdidumm
Member Author

Everyone needs to configure it themselves; due to security reasons, there is no other way.

@joelmukuthu

Cool, thanks for answering :)

@joelmukuthu

Hi again @dummdidumm. Now that there's a workspace trust feature, is it possible to allow this setting to be configurable via workspace settings if workspace trust has been enabled?

@dummdidumm
Member Author

Good question, I think that would make sense. I'll add that to #1051

@joelmukuthu

Great, thanks for the quick response!
