Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Configuration variables: unsafe file path usage

See original GitHub issue

The variableResolver seems to have a few variables that are derived based on the currently active editor:

https://github.com/microsoft/vscode/blob/b1c54c1483e2dfcf3101f233b3f8f28436127fba/src/vs/workbench/services/configurationResolver/browser/configurationResolverService.ts#L54-L54

The file path casing can be anything and must not necessarily match the casing on disk. As such I think the variables relativeFile and relativeFileDirname need to use the IURIIdentityService to compute the relative paths here:

https://github.com/microsoft/vscode/blob/3808cb3712e651cb96b4ccfe48c05d2fbd5f23cf/src/vs/workbench/services/configurationResolver/common/variableResolver.ts#L271-L271

and

https://github.com/microsoft/vscode/blob/3808cb3712e651cb96b4ccfe48c05d2fbd5f23cf/src/vs/workbench/services/configurationResolver/common/variableResolver.ts#L281-L281

//cc @jrieken

Issue Analytics

State:
Created 3 years ago
Comments:10 (10 by maintainers)

Top GitHub Comments

1reaction

jriekencommented, Oct 7, 2020

I am actually no longer so sure that path casing is ignored, @jrieken is that handling for file URI intentional?

Only @aeschli knows, he wrote those utils and I didn’t change their semantics when moving them to IExtUri. But, yeah it seems that there is some scheme and platform specific handling in there and I don’t think that is good.

0reactions

bpaserocommented, Oct 7, 2020

I opened https://github.com/microsoft/vscode/issues/108256

Top Results From Across the Web

Safe File Variables (GNU Emacs Manual)

File -local variables can be dangerous; when you visit someone else's file, there's no telling what its local variables list could do to...

File path formats on Windows systems | Microsoft Learn

Relative paths are dangerous in multithreaded applications (that is, most applications) because the current directory is a per-process setting.

I cannot add the parent directory to *safe.directory* in Git

git config --global --add safe.directory F:/GitHub/my-project ... of copy/pasting files, would be to make Visual Studio use the global ...

Danger of setting the environment variable 'PATH' with a '.'?

on the path, especially as the first place to search is dangerous ... likely to inadvertantly execute (for example by creating a file...

Path Traversal | OWASP Foundation

By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible ......