microsoft / vscode-pull-request-github

GitHub Pull Requests for Visual Studio Code
https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-pull-request-github
MIT License

plugin should switch to least privilege permissions #1460

Open nija-at opened 4 years ago

nija-at commented 4 years ago

Thanks for this wonderful plugin! However, I'm hesitant on authorizing this plugin to do EVERYTHING on my Github account.

The plugin requests Github authorization for write (and read) on EVERYTHING - including repo, team discussions, wiki, etc.

[Screenshot attached: Firefox_Screenshot_2019-12-07T23-44-17 244Z]

Could we switch to using least privilege permissions, where the default set of permissions is scoped down to what's required and the plugin gracefully degrades features based on permissions it is granted?

martintoreilly commented 4 years ago

I came here to ask the same. I'm particularly worried about providing access to permissions that are only available to admins, such as repo settings, collaboration invites, deploy keys and webhooks. In the web interface, these are protected by a re-authentication prompt when accessing the "Settings" tab to enter a time-limited "super user" mode. Therefore providing perpetual access to these aspects of the API to a development tool feels like bad practice (or at least something that shouldn't be the default).

RMacfarlane commented 4 years ago

Currently we're using an OAuth App to authorize users, and the permission model for this lacks granularity. The scopes we can request are listed here: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

To be able to read code in this model, we have to request the repo scope, which is very powerful.

We've discussed moving to a GitHub App which has a more granular permissions model, but there isn't full parity between the tokens issued by that and what we're currently using - some APIs will simply not work there.

So, I totally agree that we should further limit the permissions we request, but I don't think this is something we can currently change.
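
An added example, not code from the extension or from GitHub, illustrating the coarse scope model discussed above: GitHub reports the scopes a token was actually granted in the `X-OAuth-Scopes` response header of any REST API call, and this audit expands implied scopes (e.g. `repo` also grants `repo:status`, `public_repo`, ...) and lists everything held beyond an allow-list. The header value and the allow-list are constructed for the example; the parent/child scope table follows the scope documentation linked above.

```python
# Added example (not from the extension's code base): audit the scopes a GitHub
# OAuth token was granted against a least-privilege allow-list. GitHub returns
# the granted scopes in the X-OAuth-Scopes header of any REST API response.

# Parent scope -> scopes it implicitly includes, per GitHub's OAuth scope docs.
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite",
             "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "user": {"read:user", "user:email", "user:follow"},
    "write:discussion": {"read:discussion"},
}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes header value ('repo, read:org, gist') into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Return every scope the token effectively holds, including implied ones."""
    effective = set()
    stack = list(scopes)
    while stack:
        scope = stack.pop()
        if scope in effective:
            continue
        effective.add(scope)
        stack.extend(SCOPE_IMPLIES.get(scope, ()))
    return effective


def excess_scopes(header_value, allowed):
    """Scopes held beyond the policy, comparing effective (expanded) sets."""
    return sorted(expand_scopes(parse_scopes(header_value)) - expand_scopes(allowed))


if __name__ == "__main__":
    # Constructed sample header value, as an OAuth App requesting 'repo' would yield.
    granted = "repo, admin:org, write:discussion, user:email"
    # Assumed least-privilege policy for a pull-request review tool.
    policy = {"repo:status", "public_repo", "read:org", "read:discussion", "user:email"}
    for scope in excess_scopes(granted, policy):
        print("excess scope:", scope)
```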

martintoreilly commented 4 years ago

Thanks for the quick response @RMacfarlane. Out of curiosity, what's the functionality the VS Code plugin needs that the GitHub App API doesn't support?

It may still be possible to use the OAuth App in our context if we can verify that the API key is sufficiently secured on the client machine such that the risk of malware on the client machine accessing the key is low. Is this stored in the operating system's key management system (e.g. Key Chain on macOS) and is access restricted to VS Code?

DennisDyallo commented 3 months ago

Hi! Any updates on this?

It's four years later and the plugin still demands extreme permissions. I'm sure I'm not the only one who would appreciate a bump in priority for this issue as it reflects poorly and frankly prohibits usage for users/organisations who care about minimizing 3rd party risk.

Thank you.