Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VSCode shouldn't allow extensions to disable TLS #69559

Closed
connorshea opened this issue Feb 27, 2019 · 5 comments
Closed

VSCode shouldn't allow extensions to disable TLS #69559

connorshea opened this issue Feb 27, 2019 · 5 comments
Assignees
@chrmarti
Labels
extension-host Extension host issues feature-request Request for new features or functionality
Milestone
Backlog Candidates

Comments

@connorshea
Copy link
Contributor

I'm not sure how hard it would be to prevent extensions from doing this, but recently it was found that a particularly popular extension had set NODE_TLS_REJECT_UNAUTHORIZED to 0, which – to my understanding – causes any editor with that extension installed to allow any HTTPS connections regardless of whether their TLS certificate is valid.

I'd argue that extensions should never be allowed to do this. Though there may be certain edge cases where this'd be necessary, it almost definitely isn't worth the risk to the average user.

I'm not a security professional, but I couldn't find any existing issues on the topic so I felt like I needed to open this.

Thanks for the great editor!
@vscodebot vscodebot bot added the extensions Issues concerning extensions label Feb 27, 2019
@sandy081 sandy081 removed their assignment Mar 3, 2019
@sandy081 sandy081 added extension-host Extension host issues and removed extensions Issues concerning extensions labels Mar 3, 2019
@alexdima
Copy link
Member

alexdima commented Mar 5, 2019

@chrmarti @joaomoreno It looks like we have encountered this in the past, as documented at https://code.visualstudio.com/docs/setup/network#_ssl-certificates

Is there a way to generalize those flags to the extension host given all the proxy work?

@chrmarti
Copy link
Collaborator

chrmarti commented Mar 5, 2019

We can look into applying any of these flags to the extension host. I see the extension has removed that flag for its upcoming version, so I guess we are good for now.

@chrmarti chrmarti added the feature-request Request for new features or functionality label Mar 5, 2019
@joaomoreno joaomoreno removed their assignment Oct 8, 2019
@kisstkondoros kisstkondoros mentioned this issue Jan 20, 2020
Closed
@alexdima alexdima removed their assignment Feb 28, 2020
@alexdima alexdima added this to the Backlog Candidates milestone Feb 28, 2020
@vscodebot
Copy link

vscodebot bot commented Feb 28, 2020

This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 20 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

@github-actions github-actions bot locked and limited conversation to collaborators Jun 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@chrmarti chrmarti

Labels
extension-host Extension host issues feature-request Request for new features or functionality
Projects
None yet
Milestone
Backlog Candidates
Development

No branches or pull requests
6 participants
@joaomoreno @connorshea @alexdima @chrmarti @sandy081 and others