microsoft / live-share

Real-time collaborative development from the comfort of your favorite tools
http://aka.ms/vsls
Creative Commons Attribution 4.0 International

liveshare.languages.allowGuestCommandControl can be written by a guest to a workspace settings.json to enable control, circumventing the host enabling it #4973

Open devzeebo opened 1 year ago

devzeebo commented 1 year ago

Describe what happened:

What was your system configuration?

Live Share Extension Version: 1.0.5883

Version: 1.82.2 (user setup)
Commit: abd2f3db4bdb28f9e95536dfa84d8479f1eb312d
Date: 2023-09-14T05:55:25.390Z
Electron: 25.8.1
ElectronBuildId: 23779380
Chromium: 114.0.5735.289
Node.js: 18.15.0
V8: 11.4.183.29-electron.0
OS: Windows_NT x64 10.0.22621

Steps to Reproduce / Scenario:

  1. Join a live share session as a guest
  2. Create or open the workspace's .vscode/settings.json
  3. Add "liveshare.languages.allowGuestCommandControl": true
  4. Save the file
  5. You can now run Quick Fixes as the guest user


blabute commented 5 months ago

Good afternoon!

My team recently ran into this as well but we added a .vsls.json file in our workspace to prevent folks from seeing or editing the .vscode/settings.json file per this.

Below is the contents of that file:

{
  "$schema": "http://json.schemastore.org/vsls",
  "gitignore": "exclude",
  "excludeFiles": [".gitignore", ".vscode/settings.json", "!node_modules"],
  "hideFiles": [".gitignore"]
}

devzeebo commented 2 months ago

Wouldn't you need to also add the .vsls.json file to itself so that a malicious user can't edit this file to access as well? Seems like a reasonable enough workaround.

blabute commented 2 months ago

I can't prove why it happens, but the .vsls.json file is not visible within a liveshare session if you are not the host. I'm not sure if that file is hidden automatically by the extension for that very reason.
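A pre-session check a host could run against a workspace folder, added here as an example that is not part of this issue or of the Live Share project: it flags the guest-writable setting from the report and verifies that a .vsls.json excludes both .vscode/settings.json and, following devzeebo's follow-up, itself. The PROTECTED list, the findings wording and the sample inputs are my own assumptions and constructions.

```python
"""Pre-share audit for the allowGuestCommandControl override described in this issue."""
import json
from pathlib import Path
from typing import List, Optional

GUEST_CONTROL_KEY = "liveshare.languages.allowGuestCommandControl"
# Files a host wants guests unable to read or edit. Listing .vsls.json itself follows
# devzeebo's suggestion above; that it needs listing is an assumption, not documented behaviour.
PROTECTED = (".vscode/settings.json", ".vsls.json")


def audit_config(settings: Optional[dict], vsls: Optional[dict]) -> List[str]:
    """Return findings for parsed settings.json and .vsls.json (None means the file is absent)."""
    findings = []
    if settings and settings.get(GUEST_CONTROL_KEY) is True:
        findings.append(f"{GUEST_CONTROL_KEY} is true in .vscode/settings.json")
    if vsls is None:
        findings.append(".vsls.json missing: guests can read and edit .vscode/settings.json")
        return findings
    # Exact-path membership only; glob patterns such as "!node_modules" are not expanded here.
    excluded = set(vsls.get("excludeFiles", []))
    for path in PROTECTED:
        if path not in excluded:
            findings.append(f".vsls.json excludeFiles does not cover {path}")
    return findings


def _load(path: Path) -> Optional[dict]:
    # VS Code settings files may contain comments (JSONC); this loader accepts plain JSON only.
    return json.loads(path.read_text(encoding="utf-8")) if path.is_file() else None


def audit_workspace(root: Path) -> List[str]:
    """Audit a real workspace folder before starting a session as host."""
    return audit_config(_load(root / ".vscode" / "settings.json"), _load(root / ".vsls.json"))


# Constructed sample inputs: the guest-written settings.json from the report, and a
# .vsls.json like blabute's (it excludes settings.json but not itself).
SAMPLE_SETTINGS = {GUEST_CONTROL_KEY: True}
SAMPLE_VSLS = {
    "$schema": "http://json.schemastore.org/vsls",
    "gitignore": "exclude",
    "excludeFiles": [".gitignore", ".vscode/settings.json", "!node_modules"],
    "hideFiles": [".gitignore"],
}
HARDENED_VSLS = {**SAMPLE_VSLS, "excludeFiles": SAMPLE_VSLS["excludeFiles"] + [".vsls.json"]}

if __name__ == "__main__":
    for label, vsls in (("as posted", SAMPLE_VSLS), ("hardened", HARDENED_VSLS)):
        print(label, audit_config(SAMPLE_SETTINGS, vsls) or ["no findings"])
```

Run it from the workspace root with `audit_workspace(Path("."))` to check a real folder; an empty list means nothing was flagged.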