trailofbits / vscode-weaudit

Create code bookmarks and code highlights with a click.
https://marketplace.visualstudio.com/items?itemName=trailofbits.weaudit
GNU General Public License v3.0
169 stars 16 forks

Multi-root workspaces #34

Open lime opened 4 months ago

lime commented 4 months ago

Hi, thanks for releasing a really useful tool!

I'm using weAudit in a multi-root workspace, and struggling a bit to keep findings and filepaths from breaking.

I can probably work around it by skipping the workspace, and working directly from the root folder instead, but that means having to work without certain other useful extensions. I thought I'd share an example, if someone wants to take a stab at improving support for multi-root workspaces.

Steps to reproduce

  1. Create and save a new workspace (File → Save Workspace As...)
  2. Add two or more directories (e.g. api & frontend) (File → Add Folder to Workspace...)
  3. Create a weAudit finding in each directory
  4. weAudit creates the .vscode dir in the topmost directory
    • [Screenshot: example workspace with API & frontend directories, and a .vscode directory created by weAudit]
    • [Screenshot: weAudit findings, one in the API and one in the frontend]
  5. Navigating and editing the findings works exactly as expected
  6. Close and reopen the workspace
  7. weAudit fails to load the findings, and shows an error about findings outside the workspace
    • Error message: 'Trying to import entries with regions outside this workspace: ../frontend/index.html'

Analysis

Opening the *.weaudit file, we see that .treeEntries[].locations[].path are relative to the first directory, api:

{
   /* ... */
  "treeEntries": [
    {
      "label": "Server-side vuln",
      "entryType": 0,
      "author": "lime",
      "locations": [
        {
          "path": "server.ts",
          "startLine": 1,
          "endLine": 1,
          "label": "",
          "description": ""
        }
      ],
      "details": {/* ... */}
    },
    {
      "label": "Client-side vuln",
      "entryType": 0,
      "author": "lime",
      "locations": [
        {
          "path": "../frontend/index.html",
          "startLine": 6,
          "endLine": 6,
          "label": "",
          "description": ""
        }
      ],
      "details": {/* ... */}
    }
  ],
  /* ... */
}

When loading, it gets tripped up on the fact that the finding is outside the "workspace path", i.e. the directory containing .vscode/, even though the file is in fact part of the current workspace.

https://github.com/trailofbits/vscode-weaudit/blob/74efbc2a2f65134367cdf920ad17cb435d09b092/src/codeMarker.ts#L1621-L1623

I don't know if the VSCode API allows for easily checking "is this file part of the workspace". I suppose it could be as straightforward as looping through vscode.workspace.workspaceFolders and doing the same check for each...?
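The loop over workspace folders suggested above, written out as an added example (not code from the weAudit project). It assumes the folder list has already been read from vscode.workspace.workspaceFolders and is passed in as plain paths, so the helpers are dependency-free; the folder names, the .weaudit root and the third, genuinely outside path are constructed sample data. The check uses path.relative rather than a string-prefix comparison, so a sibling folder such as api2 is not mistaken for a child of api, and it also shows how a location could be re-expressed as (folder name, folder-relative path) so that it no longer depends on which folder happens to own the .vscode/ directory. For real extension code, vscode.workspace.getWorkspaceFolder(uri) performs the same containment lookup.

```typescript
import * as path from "node:path";

// Constructed sample data: two workspace folders, as vscode.workspace.workspaceFolders
// would report them, and the folder whose .vscode/ directory holds the *.weaudit file.
const WORKSPACE_FOLDERS = ["/home/lime/proj/api", "/home/lime/proj/frontend"];
const WEAUDIT_ROOT = "/home/lime/proj/api";

// Entry paths mirroring the two findings in the issue, plus one (constructed)
// that really is outside every workspace folder.
const SAMPLE_PATHS = ["server.ts", "../frontend/index.html", "../../elsewhere/notes.md"];

/** True when `filePath` is `folder` itself or lies somewhere below it. */
function isInsideFolder(filePath: string, folder: string): boolean {
  const rel = path.relative(path.resolve(folder), path.resolve(filePath));
  if (rel === "") return true;            // the folder itself
  if (path.isAbsolute(rel)) return false; // different drive (Windows)
  // Reject ".." and "../x" but not a sibling whose name merely starts with "..".
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

/** Resolve a *.weaudit location (stored relative to the folder owning the file)
 *  and return the workspace folder that contains it, or undefined if none does. */
function findWorkspaceFolder(entryPath: string, weauditRoot: string, folders: string[]): string | undefined {
  const absolute = path.resolve(weauditRoot, entryPath);
  return folders.find((folder) => isInsideFolder(absolute, folder));
}

/** Split locations into those an importer may accept (re-expressed relative to
 *  their own workspace folder) and those it should refuse. */
function partitionLocations(entryPaths: string[], weauditRoot: string, folders: string[]) {
  const inside: { folder: string; relativePath: string }[] = [];
  const outside: string[] = [];
  for (const entryPath of entryPaths) {
    const folder = findWorkspaceFolder(entryPath, weauditRoot, folders);
    if (folder === undefined) {
      outside.push(entryPath);
    } else {
      const absolute = path.resolve(weauditRoot, entryPath);
      inside.push({ folder: path.basename(folder), relativePath: path.relative(folder, absolute) });
    }
  }
  return { inside, outside };
}

// Stand-alone demo over the constructed data.
console.log(JSON.stringify(partitionLocations(SAMPLE_PATHS, WEAUDIT_ROOT, WORKSPACE_FOLDERS), null, 2));
```

With the sample data, server.ts resolves into api, ../frontend/index.html into frontend (and would be stored as frontend/index.html), and ../../elsewhere/notes.md is the only path reported as outside the workspace.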

fcasal commented 4 months ago

Hi @lime, thanks for opening a detailed issue. This is a known limitation of the tool as we currently assume there is a single workspace open.