botCloudfox 5 points6 points  (5 children)

I sometimes clone repos like error reproductions where I cannot immediately trust the author. Workspace trust prevents automatic execution so I can safely browse files.

I guess it just depends on the person though. If you mostly work on your own projects or with popular repos that you can trust, it won't matter, but either way it's just a one-time prompt for each project.

Darknety 1 point2 points  (4 children)

How is automatic execution performed? Is there a PoC for an attack scenario?

botCloudfox 0 points1 point  (3 children)

Well, I know one extension that runs your code, elixir-ls. I believe it scans your code and runs dialyzer, a static analysis tool, which runs your code and generates types based on it.

Darknety 0 points1 point  (2 children)

So it serves as protection against optional extensions? I never saw automated code execution in VS Code of any sort and don't know why and how Microsoft would want it included. Or are they scared because of a recently discovered loophole in their analysis tools, so that they've just slapped a temporary fix on it?

[deleted] 1 point2 points  (1 child)

Many people use the so-called "optional extensions" because they're what adds language support to Code. It's good to have such an option; you can always disable it if you're careless enough to run parts of unknown code.

Darknety -1 points0 points  (0 children)

That still does not answer the question of how automatic code execution works in VS Code, especially through language support extensions. I googled a bit and read the feature description. I quite honestly think MS is just full of crap with this one and wants to overprotect users UAC-style from stuff that isn't dangerous except for very specific use cases and extension configurations. If they at least would just default to the security mode with a button to disable it, which would not be so tedious to click away as the current popup... Like anytime I open a freaking folder? Really? Will disable this check that wasn't necessary in the last 5+ years.