search

yoavbls / pretty-ts-errors

🔵 Make TypeScript errors prettier and human-readable in VSCode 🎀
https://marketplace.visualstudio.com/items?itemName=yoavbls.pretty-ts-errors
MIT License
13.55k stars 91 forks source link

Unverified VS Code Publisher #123

Open jb-asi opened 2 months ago

jb-asi commented 2 months ago

Describe the bug A third-party-extension security rater (similar to Snyk) has given this repo's VS Code Extension a "medium" threat level due to:

Publisher didn't verify their listed domain ownership. Publisher verification is a good practice to ensure the publisher is who they say they are. Yet, VS Code publisher verification process is not rigorous enough.

Link here.

Expected behavior Please consider if it would be simple and convenient to become "verified" as a publisher. If so, perhaps it may be something you would be willing to do. Or not!

Original error [Not applicable]

Screenshots [Not applicable]

jb-asi commented 2 months ago

Also, really love this extension. Congratulations on its success!

kevinramharak commented 2 months ago

Hi, thanks for reporting this. FYI, I'm not the extension author; I'm just an enthusiast who contributes a little bit.

Looking into this for a few minutes I found this article: https://medium.com/@amitassaraf/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171 This explains why extensiontotal marks it as a medium-level threat. Although I agree with their assessment about lacking verification on the VS Code extension marketplace, this warning (in my understanding) will appear on any extension where the listed homepage/repository is pointing to a domain they have not verified ownership of.

As this is the actual repo and homepage of the ts-pretty-errors extension, in this case the warning is just exactly what it is: a warning. Using an actual verified domain as the homepage for the extension seems like a bit much just to get rid of a warning on a third-party site.

I think they point out a very valid flaw, I hope the VS Code team takes it seriously and works to improve this attack vector. But it also reads like an advertisement for extensiontool as a product. So do keep that in mind.

yoavbls commented 1 week ago

Thank you @jb-asi and @kevinramharak, Actually, I've been waiting for approval from Microsoft for a very long time. I fulfilled the requirements but still no comment from their side.

If anyone can help speed things up it will be really appreciated