-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add extension runtime security article #7920
base: main
Are you sure you want to change the base?
Conversation
@seaniyer Here's the first draft of the dedicated article that discusses extension runtime security. I've reused most of the content that was previously in the FAQ section of the Extension Marketplace article. Can you review and provide feedback if there are other Marketplace measures we need to include? Thanks! |
@isidorn First version of this new doc available for your review. TO DO:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a great first stab at this document.
I will share it with folk on the MP side and @sandy081 could also give it a read
fyi @joaomoreno
|
||
* **Name squatting**: The Marketplace stops extension authors from stealing the names of official publishers, such as Microsoft or RedHat, and popular extensions, like GitHub Copilot. | ||
|
||
* **Kill List**: If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, the extension is removed from the Marketplace and added to a *kill list*. If the extension has been installed, it's automatically uninstalled by VS Code. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is using the word "kill" fine in docs?
I think yes, but wanted to double check?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use another word. maybe "block list"?
|
||
1. Open the extension's page in the [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode). | ||
|
||
1. Select the **Report a concern** link at the bottom of the extension **More Info** section. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add our SLA for response @seaniyer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Initial response is 1 business day. That might only be an acknowledgement. We depend on a lot of factors for the actual action - 3 business days.
|
||
1. Select the **Report a concern** link at the bottom of the extension **More Info** section. | ||
|
||
## Related resources |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There need s to be a link somewhere to https://code.visualstudio.com/docs/setup/enterprise#_configure-allowed-extensions
The approach would be "Do you want to configure what extensions are allowed in your orgranisation, check out ...."
The Visual Studio Code Marketplace employs several mechanisms to protect you from malicious extensions: | ||
|
||
* **Malware scanning**: The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several antivirus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need a section about detonation. Not disclosing everything that is being done, but just that we have a dynamic detection mechanism in a clean room VM.
* **Verified publishers**: Publishers can verify (blue check mark) their identity by proving domain ownership. It shows that the publisher has proven domain-name ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. | ||
|
||
* **Name squatting**: The Marketplace stops extension authors from stealing the names of official publishers, such as Microsoft or RedHat, and popular extensions, like GitHub Copilot. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Detection of inflated downloaded counts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm hesitant to let bad actors know that we have this mechanism. Maybe if we keep it generic enough... otherwise we risk giving too many details and help them bypass.
The goal of this doc is to:
|
Fixes #7874