SECURITY: Brainstorming and Tracker to prevent getting pwned #32

Description

@Mupu

Currently, simply opening a project can get you compromised, as the LSP will run all #run in the code base.

To prevent such a case or at least reduce the risk of that happening, I was thinking of the following:

  • Include a disclaimer in the description of the Jails as well as in the VS Code Extension description.

VSCODE:

Other editors (nvim, etc.):
The bigger question is: can we do something about other editors that we don't support?
One solution would be to do something like nvim, where the LSP keeps a trust store of what files to trust. But since it's the LSP, it would not be that usable, since it cannot offer any popup to make managing it simple. Maybe we don't have any good solution for this case.

  • Maybe we could at least let the client enable/disable the functionality by letting the client specify it via the capabilities as a best effort solution for the unsupported editors.

Feedback would be appreciated!
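
The trust store and client opt-in ideas from the post above, combined into one server-side gate. This is an added example, not part of the original issue and not Jails code; the capability key `jailsAllowRunDirectives`, the function names, the trusted-roots list and the default-deny policy are all assumptions.

```javascript
// Added illustration, not Jails code. All names here are hypothetical.
// Opt-in key a client would send under capabilities.experimental (assumed).
const RUN_CAPABILITY = "jailsAllowRunDirectives";

// Turn a file:// URI into a path with "." and ".." resolved, so a root like
// ".../trusted/../other" cannot pass a prefix check. Symlinks are NOT resolved
// here; a real server would also canonicalise on disk.
function uriToPath(uri) {
  let raw;
  try {
    const u = new URL(uri);
    if (u.protocol !== "file:") return null;
    raw = decodeURIComponent(u.pathname);
  } catch { return null; }
  const out = [];
  for (const seg of raw.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True if path is a trusted root or lies below one ("/a/b" must not match "/a/bc").
function isTrusted(path, trustedRoots) {
  return trustedRoots.some((r) => path === r || path.startsWith(r.endsWith("/") ? r : r + "/"));
}

// Decide from LSP `initialize` params whether #run may execute. Default deny:
// the client must opt in AND every workspace root must be in the trust store.
function mayExecuteRun(initParams, trustedRoots) {
  const optIn = initParams?.capabilities?.experimental?.[RUN_CAPABILITY] === true;
  if (!optIn) return { allowed: false, reason: "client did not opt in" };
  const roots = initParams.workspaceFolders?.map((f) => f.uri)
    ?? (initParams.rootUri ? [initParams.rootUri] : []);
  if (roots.length === 0) return { allowed: false, reason: "no workspace root" };
  for (const uri of roots) {
    const p = uriToPath(uri);
    if (p === null || !isTrusted(p, trustedRoots)) {
      return { allowed: false, reason: `untrusted root: ${uri}` };
    }
  }
  return { allowed: true, reason: "opted in, all roots trusted" };
}

// Constructed sample input: an opted-in client opening a freshly cloned repo.
const sample = {
  capabilities: { experimental: { [RUN_CAPABILITY]: true } },
  rootUri: "file:///home/dev/cloned-repo",
};
console.log(mayExecuteRun(sample, ["/home/dev/my-jai-project"]));
```

With this shape, an unsupported editor that sends nothing gets no `#run` execution, and an editor that opts in still has to name only roots the user has already trusted.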
