Vscode Spell Checker Workspace-Trust Bypass Leading to Code Execution Vulnerability
Vulnerability
A vulnerability in the Vscode Spell Checker extension prior to version 4.5.4 allows for arbitrary code execution by bypassing the workspace trust feature in Visual Studio Code. The issue arises because the extension automatically trusts workspaces based on a configurable setting, 'cSpell.trustedWorkspace', which defaults to true. When an untrusted workspace is opened, the extension can still execute malicious JavaScript or TypeScript configuration files, such as '.cspell.config.js', under the user's privileges. This vulnerability could be exploited by placing a harmful configuration file in a workspace and opening it in VS Code, leading to the execution of attacker-controlled Node.js code.
Impact
Exploitation of this vulnerability allows for arbitrary code execution within the Visual Studio Code extension host, with full access to the user's files and network.
Reproduction
To reproduce this vulnerability, first ensure that the Vscode Spell Checker extension is installed with its default settings, leaving 'cSpell.trustedWorkspace' set to true. Then create a malicious repository containing a custom '.cspell.config.js' file whose Node.js code has an observable effect, such as commands to execute or files to write. Clone this repository and open it in Visual Studio Code so that the extension activates. The extension loads the configuration, treats the workspace as trusted, and executes the file's code in the background. Verify by checking for the effect of the injected commands or for the creation of the specified file, such as '/tmp/pwned.txt'.
Remediation
Users can update to Vscode Spell Checker version 4.5.4 or later, where this vulnerability has been fixed.
