Unexpected automatic download including rg.exe

[BurtHarris]

Issue Type: Bug

Not sure. When I work my machine today and started working, an automatic download notification appeared: The main part of the message said: "rg.exe is downloading from OneDrive - sigilnet":

The download was totally unexpected and was more than 20GB. Because the source mentioned "OneDrive - sigilnet" is a business resource, I treated it as a security incident. Checking online, there's no file named rg.exe in that OneDrive, or in my personal OneDrive.

Searching online, I did find that there's a rg.exe associated with an add-in named vscode-rigrep, but I've never installed that addin.

I found a copy of rg.exe in C:\Users\burt_\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\vscode-ripgrep\bin. The file size (5038 KB)is nowhere near big enough to explain the download size. The file appears to have a Microsoft code signature. I'll attach it if I can figure how to do that.

Any assistance understanding what happened would be helpful.

VS Code version: Code 1.56.2 (054a9295330880ed74ceaedda236253b4f39a335, 2021-05-12T17:13:13.157Z) OS version: Windows_NT x64 10.0.21387

System Info

|Item|Value| |---|---| |CPUs|Intel(R) Core(TM) i9-10850K CPU @ 3.60GHz (20 x 3600)| |GPU Status|2d_canvas: enabled
gpu_compositing: enabled
multiple_raster_threads: enabled_on
oop_rasterization: enabled
opengl: enabled_on
rasterization: enabled
skia_renderer: enabled_on
video_decode: enabled
vulkan: disabled_off
webgl: enabled
webgl2: enabled| |Load (avg)|undefined| |Memory (System)|31.89GB (16.39GB free)| |Process Argv|--crash-reporter-id 027c4152-e4d8-41ae-a300-e65603d34aac| |Screen Reader|no| |VM|0%|

Extensions (26)

Extension|Author (truncated)|Version ---|---|--- vscode-zipfs|arc|2.3.0 vscode-open-file-folder|auc|0.0.4 github-markdown-preview|bie|0.0.2 markdown-checkbox|bie|0.1.3 markdown-emoji|bie|0.1.0 markdown-preview-github-styles|bie|0.2.0 markdown-yaml-preamble|bie|0.0.4 npm-intellisense|chr|1.3.1 vscode-markdownlint|Dav|0.41.0 githistory|don|0.6.16 xml|Dot|2.5.1 gitlens|eam|11.4.1 EditorConfig|Edi|0.16.4 vscode-npm-script|eg2|0.3.21 git-project-manager|fel|1.7.1 vscode-yarn|gam|1.7.1 vscode-pull-request-github|Git|0.26.0 vscode-test-explorer|hbe|2.20.1 remote-containers|ms-|0.177.2 remote-wsl|ms-|0.56.3 powershell|ms-|2021.2.2 vscode-print|pdc|0.9.4 karma-problem-matcher|rct|1.0.1 LiveServer|rit|5.6.1 linter-xo|sam|2.3.3 quokka-vscode|Wal|1.0.368

A/B Experiments

``` vsliv368cf:30146710 vsreu685:30147344 python383:30185418 pythonvspyt678:30270856 pythonvspyt602:30300191 vspor879:30202332 vspor708:30202333 vspor363:30204092 pythonvspyt639:30300192 pythontb:30283811 pythonvspyt943:30300582 vspre833cf:30267465 pythonptprofiler:30281270 vshan820:30294714 pythondataviewer:30285071 vscus158:30286553 vscgsv2:30307504 vscorehovct:30302760 bridgeflightcf:30302070 vscod805cf:30301675 ```

[BurtHarris]

[BurtHarris]

zip file containing the .exe file found at C:\Users\burt_\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\vscode-ripgrep\bin

rg.zip

[roblourens]

It sounds like you opened a folder in onedrive with offline files, and did a search (or an extension triggered a search), which causes onedrive to download the files to your local disk. Does that sound right? It's not clear what the right thing to do is. I am not sure there's any way for us to control whether onedrive downloads the files, we are only doing normal file accesses.

[BurtHarris]

Thanks, @roblourens. I'm not sure what you mean by did a search (or an extension triggered a search) but yea, it sort of makes sense. As I look more into this, it's probably not a security issue.

One thought that may explain the timing. I had been having some authentication issue related to the Microsoft 365 account associated with that sigilnet name and did a password reset on it recently. Perhaps when the machine woke, OneDrive discovered it could now authenticate and did the download due to that.

Digging around, I found a fair number of files under C:\Users\burt_\OneDrive - sigilnet\Documents\WindowsPowerShell\Modules\PackageManagement\1.4.7... it looks like they were recently downloaded. There's nowhere near enough files anywhere in the OneDrive - sigilnet folder to explain such a big download, and there are no .exe's in that folder, but a significant number of .dll's

I do have the Powershell vscode extension loaded, so perhaps that may fit the "extension triggered a search" part. I'm willing to close this issue, but if there is someone familiar with the Powershell vscode extension that might comment on this, perhaps you could assign it to them.

[BurtHarris]

I did some searching of the source online. ripgrepFileSearch.ts helped me answer my own questions.

[BurtHarris]

Not a bug.

[roblourens]

FYI, this might be fixed in tomorrow's Insiders, via https://github.com/BurntSushi/ripgrep/discussions/1657