[security] OS-level readwrite sandboxing for filesystem readwrites

[zm-cttae]

Problem statement

• As VS Code ecosystem stakeholders, we need to get the Node.js userland secure
• This makes users feel safer per [Feature Request] Extension Permissions, Security Sandboxing & Update Management Proposal #52116
• This also lets marketplace and core team focus on more productive beneficial work

This feature request is part of an "epic" suggestion in #52116 (comment)
This feature request also replaces (supersedes) #174715

Proposed solution

An OS level transparent sandbox makes more sense (like Chromium does), as it won't require changing the code completely if it doesn't access anything it is not supposed to, or just add the small amount of additional stuff it does need.

Implementation details

This will prevent extensions from modifying system files and other files with semi-locked or locked chmod permissions.

Changes would apply to require("fs") and vscode.workspace.fs.
That way we could officially use /c/Program Files or /usr/bin with native APIs.

Proposed changeset

• Ban vscode API readwrite access outside VS Code specific folders.
• At system level, ban fs readwrite access outside VS Code specific folders.
• Allowlist /c/Program* or /usr/bin (XDG programs) for file I/O ops.
• Allowlist %USERPROFILE%/Documents or ~/documents (XDG documents) for file I/O ops.
• Allowlist %ALLUSERSPROFILE% or ~/public (XDG publicshare) for file I/O ops.
• Test that file I/O restrictions apply equally to VS Code and Node.js APIs.
• Pentest in Docker container per Document the security model of VSCode Remote Development vscode-remote-release#6608.

[VSCodeTriageBot]

This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 20 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

[VSCodeTriageBot]

This feature request has not yet received the 20 community upvotes it takes to make to our backlog. 10 days to go. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

[zm-cttae]

Added a proposed changeset now that this has 20 upvotes! 🥳🎉 please critique or add suggestions

[dudicoco]

What about network access restrictions?

[zm-cttae]

Interesting. Do you have any user story or problem statement there?

[dudicoco]

@zm-cttae yes, an extension could perform malicious actions using network calls:

1. download a malicious file and run it
2. send your code over to a malicious actor

[VSCodeTriageBot]

We closed this issue because we don't plan to address it in the foreseeable future. If you disagree and feel that this issue is crucial: we are happy to listen and to reconsider.

If you wonder what we are up to, please see our roadmap and issue reporting guidelines.

Thanks for your understanding, and happy coding!