Security Feature Bypass Vulnerability

High
TylerLeonhardt published GHSA-742r-ggwg-vqxm May 13, 2025

Package

No package listed

Affected versions

< 1.100.1

Patched versions

1.100.1

Description

VS Code - Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions: a maliciously crafted URL could be considered trusted when it should not have been, due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL; once fetched, however, the user would have had no opportunity to confirm the request before it was sent.

Additionally, this vulnerability sparked a review of how the trusted domains feature is used. It had been used only for the following:

  • Deciding whether the user should see a confirmation before a URL is opened externally in the user's browser
  • Deciding whether the user should see a confirmation before a URL is fetched using the #fetch tool in a Chat session
  • Deciding whether a remote image URL should be allowed to render in Chat

After consideration, we have removed the dependency on the trusted domains service for Chat-related features, because Chat features carry broader security considerations than opening a URL in the browser. The new behavior for these two features is as follows:

  • #fetch tool confirmation: A confirmation is shown for each URL, regardless of domain, once per session. You can also auto-approve #fetch tool calls if you accept that risk.
  • Remote image rendering in Chat: Remote image URL rendering in Chat is no longer supported.
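The following is an added illustration of the confirmation model described above (per URL, regardless of domain, once per session, with an opt-in auto-approve); it is not VS Code's own code. It assumes a host-supplied `confirm` callback that represents the user's yes/no answer and uses the WHATWG `URL` parser for canonicalisation.

```typescript
// Added example: a session-scoped confirmation gate for a URL-fetching tool.
// Trust is decided per canonical URL, never per domain or glob pattern, so a
// trusted-domain matcher cannot be tricked into skipping the prompt.
type ConfirmFn = (url: string) => boolean; // hypothetical UI hook, returns the user's answer

class FetchConfirmationGate {
  // URLs the user has already approved in this session.
  private readonly approved = new Set<string>();

  constructor(private readonly confirm: ConfirmFn, private autoApprove = false) {}

  // Canonicalise so that trivially different spellings of one URL share one
  // decision, while any difference in scheme, host, port, path or query is a
  // distinct URL that needs its own confirmation.
  static canonical(raw: string): string {
    const u = new URL(raw);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') {
      throw new Error(`unsupported scheme for fetch: ${u.protocol}`);
    }
    u.hash = ''; // fragments are never sent to the server
    return u.toString();
  }

  // Returns true if the fetch may proceed. Prompts at most once per URL per session.
  allow(raw: string): boolean {
    const key = FetchConfirmationGate.canonical(raw);
    if (this.autoApprove) return true;          // user accepted the risk explicitly
    if (this.approved.has(key)) return true;    // already confirmed this session
    if (!this.confirm(key)) return false;       // user declined; nothing is cached
    this.approved.add(key);
    return true;
  }

  setAutoApprove(on: boolean): void {
    this.autoApprove = on;
  }
}
```

A declined URL is deliberately not cached, so a later attempt re-prompts instead of being silently blocked or allowed.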

Patches

The fix is available starting with VS Code 1.100.1. The fix (7ffa080) mitigates this attack by performing input validation on the URL pointing to the repository to be cloned.

Workarounds

Do not use Chat or open suspicious URLs.

References

Severity

High

CVE ID

CVE-2025-21264

Weaknesses

No CWEs