Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unverified VS Code Publisher #123

Open
jb-asi opened this issue Sep 18, 2024 · 3 comments
Open

Unverified VS Code Publisher #123

jb-asi opened this issue Sep 18, 2024 · 3 comments
Labels
help wanted Extra attention is needed

Comments

@jb-asi
Copy link

jb-asi commented Sep 18, 2024

Describe the bug
A third-party-extension security rater (similar to Snyk) has given this repo's VS Code Extension a "medium" threat level due to:

Publisher didn't verify their listed domain ownership. Publisher verification is a good practice to ensure the publisher is who they say they are. Yet, VS Code publisher verification process is not rigorous enough.

Link here.

Expected behavior
Please consider if it would be simple and convenient to become "verified" as a publisher. If so, perhaps it may be something you would be willing to do. Or not!

Original error
[Not applicable]

Screenshots
[Not applicable]

@jb-asi jb-asi added the bug Something isn't working label Sep 18, 2024
@jb-asi
Copy link
Author

jb-asi commented Sep 18, 2024

Also, really love this extension. Congratulations on its success!

@kevinramharak
Copy link
Contributor

Hi, thanks for reporting this. FYI, I'm not the extension author; I'm just an enthusiast who contributes a little bit.

Looking into this for a few minutes I found this article: https://medium.com/@amitassaraf/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171
This explains why extensiontotal marks it as a medium-level threat. Although I agree with their assessment about lacking verification on the VS Code extension marketplace, this warning (in my understanding) will appear on any extension where the listed homepage/repository is pointing to a domain they have not verified ownership of.

As this is the actual repo and homepage of the ts-pretty-errors extension, in this case the warning is just exactly what it is: a warning. Using an actual verified domain as the homepage for the extension seems like a bit much just to get rid of a warning on a third-party site.

I think they point out a very valid flaw, I hope the VS Code team takes it seriously and works to improve this attack vector.
But it also reads like an advertisement for extensiontool as a product. So do keep that in mind.

@yoavbls
Copy link
Owner

yoavbls commented Nov 23, 2024

Thank you @jb-asi and @kevinramharak,
Actually, I've been waiting for approval from Microsoft for a very long time.
I fulfilled the requirements but still no comment from their side.

If anyone can help speed things up it will be really appreciated

@yoavbls yoavbls added help wanted Extra attention is needed and removed bug Something isn't working labels Nov 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

3 participants