
Implement a policy-settings mechanism for approving/blocking extensions


Hello! We (Trail of Bits Engineering Team) have been asked by one of our clients to contribute a feature to Visual Studio Code, and before we even begin we wanted to introduce ourselves and our plan and get feedback on (or approval for) our plan from the core maintainers of this repo. The proposed changes are to how the editor interfaces with the Extensions Marketplace, so it will only be useful if the changes can be upstreamed. In fact, we may need to coordinate with the VSCode open-source maintainers to even test builds that integrate the Extension Marketplace, present only in Microsoft builds of VSCode. We would appreciate your feedback on how/whether to proceed.

Feature Request

Enhance VSCode with the basic features for extension management:

  • The ability to define an extension update policy
    • The policy would include a setting whether to allow side-loading of extensions (as VSIX files)
  • With this policy, control whether VSCode can install, update, or load/run any given extension
    • Blacklist by extension ID
    • Whitelist by extension ID
  • Pinning an extension to a particular version, allowing its continued use or the installation of that version, but preventing an update
  • Prevent the use of extensions newer than some specified age (allowing for a “cooling off period” for new or untested extensions)

We plan to implement the extension management policy using an approach modeled on the extension management policy features in Google Chrome (and later by Mozilla, who based the extension management model of Firefox heavily on the one in Chrome), but without (at this time) its concept of a per-extension permissions model.

Deployment of the extension management policy to the managed systems would be handled out-of-band by the system’s administrator, but it would be included within or referenced from the user’s settings.json file. Right now we’re not proposing to add any special controls to the settings editor UI of VSCode for editing this extension management policy. The policy will only be editable as JSON, as many other advanced features in VSCode are currently edited.

We acknowledge that, for the time being, this file is within control of the user. For now, we’re going to ignore that (it is tracked in #27972).

Proposed UI changes

  • Ensure that the VSCode extension UI elements presented to the user explain that an extension is blacklisted by their policy, and/or indicate such with a visual change. Users should still be able to see blacklisted extensions in the marketplace, but just have their ability to install them blocked with a message (a configurable message also defined in the policy, with a clickable URL for more information and help), such as “this extension has been blocked by your policy; ask your admin.”
  • Ensure that the VSCode extension marketplace UI indicates to the user when only certain versions of the extension are blocked. In this case, the installable version should be indicated, and a visual change in the UI should indicate the relevant release notes for that version.

Related Issues

Client sponsor

Our client, who has agreed to participate in this discussion, is @zabicki-stripe


Top GitHub Comments

3 reactions
chrisdias commented, Mar 24, 2020

Providing organizational level security is on our 2020 roadmap (Make consumption of extensions more secure…) so this is a good topic, thank you.

As @sandy081 mentions this is a significant feature area that we want to allocate time and resources for to do a comprehensive design and implementation, which makes it difficult right now to accept external contributions.

Per our roadmap, you can expect that we will look at this over the next 6-12 months.

1 reaction
emilkloeden commented, Dec 15, 2022

Hello.

I represent a small company of 50-100 employees, with an internal development team comprising approx. 10-15 developers, testers and business intelligence users who all use Visual Studio Code. We have two goals that I’d like to address: to obtain a degree of consistency of extensions installed across devices, and the facility to control that centrally. To that end I had the bright idea of creating a feature request only to learn that this request already exists (and has for three years 🙄😄). Nevertheless, I was asked to share our use case here 😃.

Having an allow-list policy would enable us to limit the set of extensions that can be installed across the workplace in a simple-to-manage manner; however, a model similar to Firefox’s ExtensionSettings policy would allow us to explicitly control the entire set (noting that only the ‘installation_mode’ and possibly ‘blocked_install_message’ properties might be appropriate here).

Firefox example

{
  "*": {
    "blocked_install_message": "Custom error message.",
    "install_sources": ["https://yourwebsite.com/*"],
    "installation_mode": "blocked",
    "allowed_types": ["extension"]
  },
  "uBlock0@raymondhill.net": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
  },
  "https-everywhere@eff.org": {
    "installation_mode": "allowed"
  }
}

Possible VS Code example

{
  "*": {
    "blocked_install_message": "This extension has been blocked by your organisation.",
    "installation_mode": "blocked"
  },
  "ms-python.python": {
    "installation_mode": "force_installed"
  },
  "vscodevim.vim": {
    "installation_mode": "allowed"
  }
}

To date we have addressed our requirements by installing extensions to a non-user-writable location and setting the (undocumented - I believe) VSCODE_EXTENSIONS environment variable to point to that folder - but this is brittle at best.

Thanks for your time.
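As an added illustration (not code from VS Code or from either commenter), here is a small evaluator for a policy object in the ExtensionSettings-style shape sketched in the comment above, extended with two assumed fields, pinned_version and min_age_days, that cover the version-pinning and "cooling off period" items from the original feature request. The sample policy and extension IDs are constructed for the example.

```typescript
// Added example, not VS Code's own code: evaluate an ExtensionSettings-style
// policy. pinned_version and min_age_days are assumed extra fields covering
// the pinning and "cooling off period" items from the original request.
type InstallationMode = "blocked" | "allowed" | "force_installed";

interface PolicyEntry {
  installation_mode?: InstallationMode;
  blocked_install_message?: string;
  pinned_version?: string;   // assumption: only this version may be installed
  min_age_days?: number;     // assumption: reject releases younger than this
}
type Policy = Record<string, PolicyEntry>;
interface Decision { allowed: boolean; reason: string; }

// Constructed sample policy in the proposed format ("*" is the default entry).
const SAMPLE_POLICY: Policy = {
  "*": {
    installation_mode: "blocked",
    blocked_install_message: "This extension has been blocked by your organisation.",
    min_age_days: 14,
  },
  "ms-python.python": { installation_mode: "force_installed" },
  "vscodevim.vim": { installation_mode: "allowed", pinned_version: "1.24.3" },
  "esbenp.prettier-vscode": { installation_mode: "allowed" },
};

// The per-extension entry overrides the "*" default field by field; extension
// IDs (publisher.name) are compared case-insensitively.
function resolveEntry(policy: Policy, extensionId: string): PolicyEntry {
  const wanted = extensionId.toLowerCase();
  const key = Object.keys(policy).find(k => k !== "*" && k.toLowerCase() === wanted);
  return { ...(policy["*"] ?? {}), ...(key ? policy[key] : {}) };
}

function evaluateInstall(policy: Policy, extensionId: string, version: string,
                         publishedAt: Date, now: Date = new Date()): Decision {
  const entry = resolveEntry(policy, extensionId);
  const mode = entry.installation_mode ?? "allowed";
  if (mode === "blocked") {
    return { allowed: false, reason: entry.blocked_install_message ?? "Blocked by policy." };
  }
  if (entry.pinned_version !== undefined && entry.pinned_version !== version) {
    return { allowed: false, reason: `Only version ${entry.pinned_version} is permitted by policy.` };
  }
  // Cooling-off period; skipped for force-installed extensions the admin pushes deliberately.
  if (mode !== "force_installed" && entry.min_age_days !== undefined) {
    const ageDays = (now.getTime() - publishedAt.getTime()) / 86_400_000;
    if (ageDays < entry.min_age_days) {
      return { allowed: false, reason: `Version ${version} is younger than the ${entry.min_age_days}-day cooling-off period.` };
    }
  }
  return { allowed: true, reason: mode === "force_installed" ? "Force-installed by policy." : "Allowed by policy." };
}
```

Because "*" supplies defaults that each named entry can override field by field, an admin can relax the cooling-off period for a single trusted publisher by setting min_age_days: 0 on that entry alone.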

