Visual Studio Code Extension Code Runner Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in version 0.12.2 of the Visual Studio Code extension Code Runner. The issue arises from the extension's code-runner.executorMap setting: the configured executor strings are run through Node.js's child_process.spawn() with the shell: true option, so whoever controls that setting controls a shell command. Because the setting is user-controllable and takes effect when a crafted workspace is opened, it can be manipulated to execute unauthorized commands.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the host machine, with the potential for persistence because the modified setting remains in place and is applied on every subsequent run.

Reproduction

To reproduce this vulnerability, first alter the code-runner.executorMap setting in the global settings.json file to include a malicious command, for example a reverse shell command disguised as a legitimate executor for a supported language such as Python. Once the executorMap is updated, every workspace that is opened inherits the malicious command. When Code Runner is then used to execute a file in that language, the injected command runs and establishes a reverse shell connection to the attacker's specified IP and port.
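Because the executor strings end up in a shell, the defensive check is to audit code-runner.executorMap in both the user-level settings.json and any repository's .vscode/settings.json for entries that deviate from the extension's defaults or use shell operators. The script below is an added example, not code from the advisory or the Code Runner project. The baseline default executors and the placeholder names ($dir, $fileName and so on) are assumptions constructed for the example and should be regenerated from the installed extension's package.json; the two settings files are constructed samples.

```python
"""Audit VS Code settings for tampered code-runner.executorMap entries.

Added example, not code from the advisory or the Code Runner project.
Code Runner hands each executor string to child_process.spawn() with
shell: true, so every executor is a shell command worth reviewing.
"""
import json
import re

# ASSUMED baseline of benign defaults, constructed for this example.
# Regenerate it from the installed extension's package.json before use.
BASELINE = {
    "python": "python -u",
    "javascript": "node",
    "c": "cd $dir && gcc $fileName -o $fileNameWithoutExt && $dir$fileNameWithoutExt",
}

# Placeholders Code Runner substitutes before spawning (names assumed from
# the extension's documentation). They are removed before the operator
# check so a leftover "$" only fires for real shell expansion.
PLACEHOLDER_RE = re.compile(
    r"\$(workspaceRoot|dir|fullFileName|fileNameWithoutExt|fileName|driveLetter|pythonPath)"
)

# Characters that only have meaning because the command goes through a
# shell: separators, pipes, redirects, backticks and variable expansion.
SHELL_OPERATOR_RE = re.compile(r"[;&|`<>$]")


def strip_jsonc(text):
    """Remove // and /* */ comments (VS Code settings are JSONC) without
    touching comment-like text inside string literals. Trailing commas are
    not handled; json.loads still rejects those."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            end = text.find("\n", i)
            i = n if end == -1 else end        # keep the newline itself
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def audit_executor_map(executors, source):
    """Return one finding per executor that is not the assumed baseline value."""
    findings = []
    for lang, cmd in executors.items():
        if BASELINE.get(lang) == cmd:
            continue                           # identical to known-good default
        if lang in BASELINE:
            reasons = ["differs from assumed baseline"]
        else:
            reasons = ["language not in assumed baseline"]
        if SHELL_OPERATOR_RE.search(PLACEHOLDER_RE.sub("", str(cmd))):
            reasons.append("shell operators present")
        findings.append({"source": source, "language": lang,
                         "command": cmd, "reasons": reasons})
    return findings


def audit_settings_text(text, source="settings.json"):
    """Parse a user settings.json or workspace .vscode/settings.json and
    audit its code-runner.executorMap, if present."""
    settings = json.loads(strip_jsonc(text))
    return audit_executor_map(settings.get("code-runner.executorMap", {}), source)


# Constructed sample inputs: a user settings.json with one tampered executor
# and a repository's .vscode/settings.json that adds a language.
SAMPLE_USER_SETTINGS = r'''{
  // constructed sample: user settings.json (JSONC)
  "editor.fontSize": 14,
  "code-runner.executorMap": {
    "python": "python -u",
    "c": "cd $dir && gcc $fileName -o $fileNameWithoutExt && $dir$fileNameWithoutExt",
    "javascript": "node $fileName; /tmp/.cache/updater"
  }
}'''

SAMPLE_WORKSPACE_SETTINGS = r'''{
  /* constructed sample: a repository's .vscode/settings.json */
  "code-runner.executorMap": {
    "python": "python -u",
    "ruby": "ruby $fileName"
  }
}'''

if __name__ == "__main__":
    for src, text in (("user", SAMPLE_USER_SETTINGS),
                      ("workspace", SAMPLE_WORKSPACE_SETTINGS)):
        for f in audit_settings_text(text, src):
            print(f"[{f['source']}] {f['language']}: {f['command']!r} -> "
                  + ", ".join(f["reasons"]))
```

The baseline comparison matters more than the metacharacter check on its own: the extension's default executors for compiled languages already chain commands with &&, so flagging operators alone would report every default. Comparing against a known-good map first, and only then inspecting what remains, keeps the review focused on the entries a user or a cloned repository actually changed.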

Added: Feb 16, 2026, 4:23 PM
Updated: Feb 16, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact         10.0
  exploitability  5.6
  remediation     0.0
  relevance       2.9
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.