microsoft / vscode-azureresourcegroups

VS Code extension for managing Azure resources.
https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups
MIT License

Stop using `--ms-enable-electron-run-as-node` flag to fix launching Cloud Shell on macOS #855

Closed alexweininger closed 1 month ago

alexweininger commented 1 month ago

This fix addresses https://github.com/microsoft/vscode-azure-account/issues/959

Stop using the `--ms-enable-electron-run-as-node` flag since it's no longer supported.

I reached out to the VS Code team for more clarification on this flag and what it does:

The flag was added originally as a fix for an MSRC case reported against the VS Code desktop application on macOS. The attack used the ELECTRON_RUN_AS_NODE mode to start the VS Code application as a node process to execute malicious scripts from within a sandboxed application using NODE_REQUIRE env flags. The Mac app sandbox disallows command line flags when launching external applications but does allow env variables, hence the attack became possible. So this also provided a way for us to disable the attack by making the ELECTRON_RUN_AS_NODE mode available only when --ms-enable-electron-run-as-node is passed alongside. This was a patch we carried on top of Electron for a while and eventually upstreamed it with a different solution https://github.com/electron/electron/commit/f842ead6bc627afdf5b945305abb3e1872b558ef . Hence the flag is now obsolete.

I also asked why ELECTRON_RUN_AS_NODE is still needed, when the flag is not:

If we want to fork a child process as a node.js process from within the application then the env variable is needed.

Some reference PRs on the VS Code side: https://github.com/microsoft/vscode/pull/202053 https://github.com/microsoft/vscode-remote-ssh/pull/397