GIANT SECURITY HOLE: Settings Sync captures contents of open files and its history #1348
Comments
Yeah, I'm also seeing this, although the history files simply list the file name, not its contents. Still, this is bothersome. I hope they update this to allow disabling of these history files. It's also causing a continual sync, since the history files are changed on every save, which causes Settings Sync to notice and sync every save.
I had a public gist with the contents of my open tabs that I definitely didn't want to be synced. I've deleted the gist but I can still repro this in a private gist. This is bad. Like really really really bad, slurping the contents of the user's open tabs and its undo history.
For those who can read and are able to use the search functionality: browse the repo issues, that is NOT a "giant security hole". Please update the title, as it is misleading, or at least do a little research beforehand.
Uploading user files is absolutely a giant security hole. It's not Settings Sync's fault, but it's definitely a security problem that needs to be addressed in the next update.
Just setting up VSCode and saw the settings wanted GitHub access from this user's account. After seeing this issue, I declined and will not be using settings sync. The problem is the potential for me to forget this behavior exists. If at any point a bug is found in VSCode when setting gists as "secret", then any code can be exposed publicly on GitHub. It's just too risky, sorry.
This solution worked, btw:
This could solve it:
    "ignoreUploadFolders": [
        "sync",
        "workspaceStorage",
        "History"
    ],
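Added here as an illustration, not the extension's own code: a small Python dry-run that applies an ignoreUploadFolders list to a VS Code User directory and reports which local-history artefacts (History/<hash>/entries.json and the snapshot files beside it) would still be uploaded. It assumes the option means "skip a folder with one of these names at any depth", and the directory it builds is constructed sample data, not a real profile.

```python
import json
import os
import tempfile
from pathlib import Path

# Folder names the snippet above excludes. Assumed semantics: a folder with one
# of these names is skipped at any depth below the VS Code User directory.
IGNORE_UPLOAD_FOLDERS = ["sync", "workspaceStorage", "History"]

def upload_candidates(user_dir: Path, ignore_folders: list[str]) -> list[str]:
    """Relative POSIX paths that survive the ignore list, i.e. would be uploaded."""
    ignored, found = set(ignore_folders), []
    for root, dirs, files in os.walk(user_dir):
        dirs[:] = sorted(d for d in dirs if d not in ignored)  # prune in place
        for name in sorted(files):
            found.append(Path(root, name).relative_to(user_dir).as_posix())
    return found

def history_leaks(candidates: list[str]) -> list[str]:
    """Local-history artefacts: History/<hash>/entries.json plus the snapshots it indexes."""
    return [p for p in candidates if p.split("/")[0] == "History"]

def build_sample_user_dir(base: Path) -> Path:
    """Constructed stand-in for a User directory; every value here is made up."""
    user = base / "User"
    (user / "History" / "-46774cc7").mkdir(parents=True)
    (user / "workspaceStorage" / "ws1").mkdir(parents=True)
    (user / "settings.json").write_text('{"editor.fontSize": 14}')
    (user / "keybindings.json").write_text("[]")
    (user / "workspaceStorage" / "ws1" / "state.vscdb").write_text("")
    (user / "History" / "-46774cc7" / "entries.json").write_text(json.dumps(
        {"resource": "file:///home/u/app/.env", "entries": [{"id": "kQ1x.env"}]}))
    # the snapshot file is what would carry the tab's contents into a gist
    (user / "History" / "-46774cc7" / "kQ1x.env").write_text("API_KEY=placeholder")
    return user

def demo() -> dict:
    """Upload set with no ignore list versus with the fix from this thread."""
    with tempfile.TemporaryDirectory() as tmp:
        user = build_sample_user_dir(Path(tmp))
        before = upload_candidates(user, [])
        after = upload_candidates(user, IGNORE_UPLOAD_FOLDERS)
        return {"leaks_before": history_leaks(before),
                "leaks_after": history_leaks(after), "uploaded_after": after}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing upload_candidates at a real User directory (with the ignore list read from syncLocalSettings.json) gives a pre-upload check that nothing under History survives the filter.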
Sorry for my arguing, guys, that's not the thing I had to share, especially in GitHub issues. I don't check my gist too often, but my Mac had a kernel panic with its lid being closed (yea, lol) and f&cked up some of my configuration files, replaced them with aliases. VSCode was not an exception. So I had to start from scratch, went into gist.github.com and... MAN WHAT THE F*CK!?!?!?!??!?! The entire gist with settings could not be opened fine like months ago. And it was spammed with these history files.. All kinds of private things and stuff.. Well, okay, people make mistakes sometimes, I understand. Though, why did none of the developers make a critical announcement on update about what happened and what to do next?? That blows my mind.
Any updates about this? |
I too fell into this giant security hole.
I could think of nothing else to do but uninstall Settings Sync and use official "Visual Studio Code Settings Sync". (Why does it have the same name?) https://code.visualstudio.com/docs/editor/settings-sync Sorry for the long post. |
22.05.2023, had the same issue, my activity monitor had like 6 tasks called
I posted a link to an alternative here #1429. |
This commit will:
- Add MarkdownLint
- remove Settings sync (deprecated by VSCode)
Links:
- https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint
- shanalikhan/code-settings-sync#1348
Signed-off-by: Vinay Hegde <[email protected]>
🐛 Describe the bug
🌴 Visual Studio Code Version : v1.66.2
🌴 Code Settings Sync Version : v3.4.3
🌴 Standard or Insiders : Standard
🌴 Portable or Installed : Installed
🌴 OSS or Official Build : Official
🌴 Operating System :
🌴 Occurs On: Upload
🌴 Proxy Enabled: No
🌴 Gist Id:
An automated sync uploaded the contents of a git ignored tab which contained secrets to a public gist.
Previously settings sync only uploaded extension list, vscode settings, keybindings. But it seems it now captures UI state including the contents of open tabs. This is a huge security hole.
The files are named History|-46774cc7|entries.json, History|-46774cc7|entries.json, etc. It seems this plugin is capturing not only the current open tabs but also the undo history of the file. The gist is massive and contains so much sensitive information.
Please fix this.
📰 To Reproduce
Steps to reproduce the behavior:
💪 Expected behavior
Only sync settings. Not the files users have open in VSCode.
📺 Additional context