From e7a20e54f897f12796357961882e5887848bd60a Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Tue, 7 Jan 2025 17:12:50 +0100 Subject: [PATCH 1/7] Add extension runtime security article --- docs/editor/extension-marketplace.md | 19 +------ docs/editor/extension-runtime-security.md | 69 +++++++++++++++++++++++ 2 files changed, 70 insertions(+), 18 deletions(-) create mode 100644 docs/editor/extension-runtime-security.md diff --git a/docs/editor/extension-marketplace.md b/docs/editor/extension-marketplace.md index dc8d8e671f..dac2027d96 100644 --- a/docs/editor/extension-marketplace.md +++ b/docs/editor/extension-marketplace.md @@ -353,25 +353,8 @@ Yes, if you would prefer to not have VS Code display extension recommendations i The **Show Recommended Extensions** command is always available if you want to see recommendations. ### Can I trust extensions from the Marketplace? -The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several anti-virus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. -The Marketplace also prevents extension authors from name-squatting on official publishers such as Microsoft and RedHat as well as popular extension names such as GitHub Copilot. - -If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency: - -1. The extension is removed from the Marketplace. -2. The extension is added to a kill list so that if it has been installed, it will be automatically uninstalled by VS Code. - -The Marketplace also provides you with resources to make an informed decision about the extensions you install: - -* **Ratings & Review** - Read what others think about the extension. -* **Q & A** - Review existing questions and the level of the publisher's responsiveness. You can also engage with the extension's publisher(s) if you have concerns. -* **Issues, Repository, and License** - Check if the publisher has provided these and if they have the support you expect. -* **Verified Publisher** - Use the blue check mark next to the publisher name and domain as an additional signal of trust. It indicates that the publisher has proven domain ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. - -![Verified publisher](images/extension-marketplace/bluecheck.png) - -If you do see an extension that looks suspicious, you can report the extension to the Marketplace with the **Report Abuse** link at the bottom of the extension **More Info** section. +The Visual Studio Marketplace employs several measures to protect you from malicious extensions and you can also perform various steps to determine if an extension is reliable before installing it. Get more information about [extension runtime security](/docs/editor/extension-runtime-security.md). ### The extension signature cannot be verified by VS Code diff --git a/docs/editor/extension-runtime-security.md b/docs/editor/extension-runtime-security.md new file mode 100644 index 0000000000..8f3d3220bb --- /dev/null +++ b/docs/editor/extension-runtime-security.md @@ -0,0 +1,69 @@ +--- +Order: 4 +Area: editor +TOCTitle: Extension Runtime Security +ContentId: b921a11a-ed69-4716-bc93-589ba8e01e22 +PageTitle: Visual Studio Code Extension Runtime Security +DateApproved: 12/11/2024 +MetaDescription: Learn about the security measures in place for Visual Studio Code extensions, including permissions, user reliability checks, and Marketplace protections. +--- + +# Extension runtime security + +[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The Visual Studio Marketplace has several measures in place to protect you from malicious extensions, and you can take steps to determine if a particular extension is reliable before installing it. + +This document outlines the runtime permissions of extensions in VS Code and the measures in place to protect you from malicious extensions. You will learn how you can make an informed decision about the reliability of an extension before installing it. + +## About extension runtime permissions + +The [extension host](/api/advanced-topics/extension-host.md) is responsible for running extensions in VS Code. The extension host has the same permissions as VS Code itself. This means that any action that VS Code can perform, an extension can also perform through the extension host. + +For example, an extension can read and write files on your machine, make network requests, run external processes, and modify workspace settings. + +## Determine the extension reliability + +Before you install an extension, you can take various steps to determine if it is reliable. The Visual Studio Marketplace provides you with information about the extension to help you make an informed decision. + +* **Ratings & Review** - Read what others think about the extension. + +* **Q & A** - Review existing questions and the level of the publisher's responsiveness. You can also engage with the extension's publisher if you have concerns. + +* **Issues, Repository, and License** - Check if the publisher provided these and if they have the support you expect. + +* **Verified Publisher** - Use the blue check mark next to the publisher name and domain as an extra signal of trust. The check mark indicates that the publisher has proven domain ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. + + ![Verified publisher](images/extension-marketplace/bluecheck.png) + +## Marketplace protections + +The Visual Studio Code Marketplace employs several measures to protect you from malicious extensions: + +* **Malware scanning** - The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several anti-virus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. + +* **Verified publishers** - Publishers can verify (blue check mark) their identity by proving domain ownership. It indicates that the publisher has proven domain ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. + +* **Name squatting** - The Marketplace prevents extension authors from name-squatting on official publishers, such as Microsoft or RedHat, and popular extension names such as GitHub Copilot. + +* **Kill List** - If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, the extension is removed from the Marketplace added to a kill list. If the extension has been installed, it is automatically uninstalled by VS Code. + +* **Extension Signature Verification** - The Visual Studio Marketplace signs all extensions when they are published. VS Code verifies this signature when you install an extension to check the integrity and the source of the extension package. + +## Report suspicious extensions + +If you do see an extension that looks suspicious, you can report the extension to the Marketplace: + +1. Open the extension's page in the [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode). + +1. Select the **Report a concern** link at the bottom of the extension **More Info** section. + +## Conclusion + +By understanding the permissions that extensions have, taking steps to verify their reliability, and relying on the protections provided by the Marketplace, you can safely extend the functionality of Visual Studio Code with confidence. + +For more information, visit the [Visual Studio Code Marketplace](https://marketplace.visualstudio.com/VSCode) and the [Extension API documentation](/api). + +## Related resources + +* Learn how to install and manage extensions in [Visual Studio Code](/docs/editor/extension-marketplace.md). + +* Use [Workspace Trust](/docs/editor/workspace-trust.md) to decide whether code in a project folder can be executed by VS Code and extensions without explicit approval. This adds an extra layer of security when working with unfamiliar code. From 00abe97458d285ea2854b57004fb89a1407c4352 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Tue, 7 Jan 2025 19:28:15 +0100 Subject: [PATCH 2/7] Edit pass --- docs/editor/extension-runtime-security.md | 36 ++++++++++------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/docs/editor/extension-runtime-security.md b/docs/editor/extension-runtime-security.md index 8f3d3220bb..1658ee38ac 100644 --- a/docs/editor/extension-runtime-security.md +++ b/docs/editor/extension-runtime-security.md @@ -10,9 +10,9 @@ MetaDescription: Learn about the security measures in place for Visual Studio Co # Extension runtime security -[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The Visual Studio Marketplace has several measures in place to protect you from malicious extensions, and you can take steps to determine if a particular extension is reliable before installing it. +[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The Visual Studio Marketplace has many ways to protect you from bad extensions. You can check if an extension is safe before you install it. -This document outlines the runtime permissions of extensions in VS Code and the measures in place to protect you from malicious extensions. You will learn how you can make an informed decision about the reliability of an extension before installing it. +This document outlines the runtime permissions of extensions in VS Code and the measures in place to protect you from malicious extensions. You'll learn how to make an informed decision about the reliability of an extension before installing it. ## About extension runtime permissions @@ -20,48 +20,42 @@ The [extension host](/api/advanced-topics/extension-host.md) is responsible for For example, an extension can read and write files on your machine, make network requests, run external processes, and modify workspace settings. -## Determine the extension reliability +## Determine extension reliability -Before you install an extension, you can take various steps to determine if it is reliable. The Visual Studio Marketplace provides you with information about the extension to help you make an informed decision. +Before you install an extension, you can take various steps to determine if it's reliable. The Visual Studio Marketplace provides you with information about the extension to help you make an informed decision: -* **Ratings & Review** - Read what others think about the extension. +* **Ratings & Reviews**: Read what others think about the extension. -* **Q & A** - Review existing questions and the level of the publisher's responsiveness. You can also engage with the extension's publisher if you have concerns. +* **Q & A**: Review existing questions and the level of the publisher's responsiveness. You can also engage with the extension's publisher if you have concerns. -* **Issues, Repository, and License** - Check if the publisher provided these and if they have the support you expect. +* **Issues, Repository, and License**: Check if the publisher provided these and if they have the support you expect. -* **Verified Publisher** - Use the blue check mark next to the publisher name and domain as an extra signal of trust. The check mark indicates that the publisher has proven domain ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. +* **Verified Publisher**: Use the blue check mark next to the publisher's name and domain name as an extra signal of trust. The check mark indicates that the publisher has proven domain-name ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain name and the good standing of the publisher on the Marketplace for at least six months. ![Verified publisher](images/extension-marketplace/bluecheck.png) ## Marketplace protections -The Visual Studio Code Marketplace employs several measures to protect you from malicious extensions: +The Visual Studio Code Marketplace employs several mechanisms to protect you from malicious extensions: -* **Malware scanning** - The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several anti-virus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. +* **Malware scanning**: The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several antivirus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. -* **Verified publishers** - Publishers can verify (blue check mark) their identity by proving domain ownership. It indicates that the publisher has proven domain ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. +* **Verified publishers**: Publishers can verify (blue check mark) their identity by proving domain ownership. It shows that the publisher has proven domain-name ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. -* **Name squatting** - The Marketplace prevents extension authors from name-squatting on official publishers, such as Microsoft or RedHat, and popular extension names such as GitHub Copilot. +* **Name squatting**: The Marketplace stops extension authors from stealing the names of official publishers, such as Microsoft or RedHat, and popular extensions, like GitHub Copilot. -* **Kill List** - If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, the extension is removed from the Marketplace added to a kill list. If the extension has been installed, it is automatically uninstalled by VS Code. +* **Kill List**: If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, the extension is removed from the Marketplace and added to a *kill list*. If the extension has been installed, it's automatically uninstalled by VS Code. -* **Extension Signature Verification** - The Visual Studio Marketplace signs all extensions when they are published. VS Code verifies this signature when you install an extension to check the integrity and the source of the extension package. +* **Extension Signature Verification**: The Visual Studio Marketplace signs all extensions when they're published. VS Code checks this signature when you install an extension to verify the integrity and the source of the extension package. ## Report suspicious extensions -If you do see an extension that looks suspicious, you can report the extension to the Marketplace: +If you do see an extension that looks suspicious, report the extension to the Marketplace team: 1. Open the extension's page in the [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode). 1. Select the **Report a concern** link at the bottom of the extension **More Info** section. -## Conclusion - -By understanding the permissions that extensions have, taking steps to verify their reliability, and relying on the protections provided by the Marketplace, you can safely extend the functionality of Visual Studio Code with confidence. - -For more information, visit the [Visual Studio Code Marketplace](https://marketplace.visualstudio.com/VSCode) and the [Extension API documentation](/api). - ## Related resources * Learn how to install and manage extensions in [Visual Studio Code](/docs/editor/extension-marketplace.md). From b42586a2afd4cf8270381e8fded4342660a060a7 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Tue, 7 Jan 2025 19:29:27 +0100 Subject: [PATCH 3/7] Add marketplace link --- docs/editor/extension-runtime-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/editor/extension-runtime-security.md b/docs/editor/extension-runtime-security.md index 1658ee38ac..f97553fbcd 100644 --- a/docs/editor/extension-runtime-security.md +++ b/docs/editor/extension-runtime-security.md @@ -10,7 +10,7 @@ MetaDescription: Learn about the security measures in place for Visual Studio Co # Extension runtime security -[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The Visual Studio Marketplace has many ways to protect you from bad extensions. You can check if an extension is safe before you install it. +[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode) has many ways to protect you from bad extensions. You can check if an extension is safe before you install it. This document outlines the runtime permissions of extensions in VS Code and the measures in place to protect you from malicious extensions. You'll learn how to make an informed decision about the reliability of an extension before installing it. From 1f296667dd81645f5312ec6700958d57ff475323 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Fri, 10 Jan 2025 14:31:38 +0100 Subject: [PATCH 4/7] Update after review --- docs/editor/extension-runtime-security.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/editor/extension-runtime-security.md b/docs/editor/extension-runtime-security.md index f97553fbcd..d6dcaa3fca 100644 --- a/docs/editor/extension-runtime-security.md +++ b/docs/editor/extension-runtime-security.md @@ -34,23 +34,32 @@ Before you install an extension, you can take various steps to determine if it's ![Verified publisher](images/extension-marketplace/bluecheck.png) +> [!TIP] +> If you want to enforce which extensions are allowed to be used in your organization, check out how to [configure allowed extensions in VS Code](/docs/setup/enterprise.md#configure-allowed-extensions). + ## Marketplace protections The Visual Studio Code Marketplace employs several mechanisms to protect you from malicious extensions: * **Malware scanning**: The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several antivirus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. +* **Dynamic detection**: The Marketplace does dynamic detection by verifying the extension's runtime behavior by running it in a sandboxed environment (_clean room VM_). + * **Verified publishers**: Publishers can verify (blue check mark) their identity by proving domain ownership. It shows that the publisher has proven domain-name ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. +* **Unusual usage monitoring**: The Marketplace monitors the downloads and usage patterns of extensions to detect unusual behavior. + * **Name squatting**: The Marketplace stops extension authors from stealing the names of official publishers, such as Microsoft or RedHat, and popular extensions, like GitHub Copilot. -* **Kill List**: If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, the extension is removed from the Marketplace and added to a *kill list*. If the extension has been installed, it's automatically uninstalled by VS Code. +* **Block List**: If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, the extension is removed from the Marketplace and added to a *block list*. If the extension has been installed, it's automatically uninstalled by VS Code. * **Extension Signature Verification**: The Visual Studio Marketplace signs all extensions when they're published. VS Code checks this signature when you install an extension to verify the integrity and the source of the extension package. ## Report suspicious extensions -If you do see an extension that looks suspicious, report the extension to the Marketplace team: +If you do see an extension that looks suspicious, report the extension to the Marketplace team. The Marketplace team provides an initial response within one business day. + +To report an extension: 1. Open the extension's page in the [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode). @@ -61,3 +70,5 @@ If you do see an extension that looks suspicious, report the extension to the Ma * Learn how to install and manage extensions in [Visual Studio Code](/docs/editor/extension-marketplace.md). * Use [Workspace Trust](/docs/editor/workspace-trust.md) to decide whether code in a project folder can be executed by VS Code and extensions without explicit approval. This adds an extra layer of security when working with unfamiliar code. + +* Configure [allowed extensions in VS Code](/docs/setup/enterprise.md#configure-allowed-extensions) to enforce which extensions are allowed to be used in your organization. From f68dbbf4588ed2363d168d33f8a55c51022c9219 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Fri, 10 Jan 2025 14:39:49 +0100 Subject: [PATCH 5/7] Update sitemap --- build/sitemap.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build/sitemap.xml b/build/sitemap.xml index 3d90c39dd0..8676372625 100644 --- a/build/sitemap.xml +++ b/build/sitemap.xml @@ -215,6 +215,11 @@ weekly 0.8 + + https://code.visualstudio.com/docs/editor/extension-runtime-security + weekly + 0.8 + https://code.visualstudio.com/docs/editor/intellisense weekly From 5ff7f8e4c0bff6172ba07c500eefa186272f5c99 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:59:05 +0100 Subject: [PATCH 6/7] Include extension publisher trust dialog --- docs/editor/extension-marketplace.md | 9 ++++++++- docs/editor/extension-runtime-security.md | 10 +++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/editor/extension-marketplace.md b/docs/editor/extension-marketplace.md index dac2027d96..a3f892dc81 100644 --- a/docs/editor/extension-marketplace.md +++ b/docs/editor/extension-marketplace.md @@ -30,6 +30,9 @@ Each extension in the list includes a brief description, the publisher, the down To install an extension, select the **Install** button. Once the installation is complete, the **Install** button will change to the **Manage** gear button. +> [!IMPORTANT] +> Extensions have the same permissions as VS Code itself. As of VS Code release 1.97, when you first install an extension from a third-party publisher, VS Code shows a dialog prompting you to confirm that you trust the extension publisher. Get more information about [extension runtime security](/docs/editor/extension-runtime-security.md) and how to protect yourself from malicious extensions. + If you want to install a specific version of an extension, right-click the extension and select **Install Another Version**. You can then select a version from the available list. When [Settings Sync](/docs/editor/settings-sync.md) is enabled, you can share your VS Code configurations, such as extensions, across your machines. To install an extension and not sync it across your machines, right-click the extension and select **Install (Do not Sync)**. @@ -354,7 +357,11 @@ The **Show Recommended Extensions** command is always available if you want to s ### Can I trust extensions from the Marketplace? -The Visual Studio Marketplace employs several measures to protect you from malicious extensions and you can also perform various steps to determine if an extension is reliable before installing it. Get more information about [extension runtime security](/docs/editor/extension-runtime-security.md). +The Visual Studio Marketplace employs several measures to protect you from malicious extensions and you can also perform various steps to determine if an extension is reliable before installing it. + +As of VS Code release 1.97, when you first install an extension from a third-party publisher, VS Code shows a dialog prompting you to confirm that you trust the extension publisher. + +Get more information about [extension runtime security](/docs/editor/extension-runtime-security.md). ### The extension signature cannot be verified by VS Code diff --git a/docs/editor/extension-runtime-security.md b/docs/editor/extension-runtime-security.md index d6dcaa3fca..3863cddb7b 100644 --- a/docs/editor/extension-runtime-security.md +++ b/docs/editor/extension-runtime-security.md @@ -10,7 +10,7 @@ MetaDescription: Learn about the security measures in place for Visual Studio Co # Extension runtime security -[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode) has many ways to protect you from bad extensions. You can check if an extension is safe before you install it. +[Extensions](/docs/editor/extension-marketplace.md) greatly enhance the functionality of Visual Studio Code. They can also introduce risks, such as malicious code execution and data privacy concerns. The [Visual Studio Marketplace](https://marketplace.visualstudio.com/vscode) has many ways to protect you from bad extensions. In addition, VS Code gives you several indicators of an extension's reliability. This document outlines the runtime permissions of extensions in VS Code and the measures in place to protect you from malicious extensions. You'll learn how to make an informed decision about the reliability of an extension before installing it. @@ -20,6 +20,14 @@ The [extension host](/api/advanced-topics/extension-host.md) is responsible for For example, an extension can read and write files on your machine, make network requests, run external processes, and modify workspace settings. +## Extension publisher trust + +As of VS Code release 1.97, when you first install an extension from a third-party publisher, VS Code shows a dialog prompting you to confirm that you trust the publisher of that extension. + +The list of trusted publishers is maintained in the `setting(extensions.trustedPublishers)` user setting. + +Publishers for extensions that you installed previously are considered trusted and are automatically added to the list of trusted publishers. You can also manually edit the list of trusted publishers. + ## Determine extension reliability Before you install an extension, you can take various steps to determine if it's reliable. The Visual Studio Marketplace provides you with information about the extension to help you make an informed decision: From c2dcca94f2f1f250371b3a18d2a21fbf4f5a0ce0 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Fri, 24 Jan 2025 12:58:32 +0100 Subject: [PATCH 7/7] Update editing list of trusted publishers --- docs/editor/extension-runtime-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/editor/extension-runtime-security.md b/docs/editor/extension-runtime-security.md index 3863cddb7b..30d2c38695 100644 --- a/docs/editor/extension-runtime-security.md +++ b/docs/editor/extension-runtime-security.md @@ -26,7 +26,7 @@ As of VS Code release 1.97, when you first install an extension from a third-par The list of trusted publishers is maintained in the `setting(extensions.trustedPublishers)` user setting. -Publishers for extensions that you installed previously are considered trusted and are automatically added to the list of trusted publishers. You can also manually edit the list of trusted publishers. +Publishers for extensions that you installed previously are considered trusted and are automatically added to the list of trusted publishers. You can also edit the list of trusted publishers by modifying the setting. ## Determine extension reliability