Conversation

Sysix (Member) commented Sep 12, 2025

Opening a project with a custom oxc.path.server could run another executable than the extension wants.
Will work on further optimization.

https://code.visualstudio.com/docs/editing/workspaces/workspace-trust

@github-actions github-actions bot added the A-editor Area - Editor and Language Server label Sep 12, 2025

@github-actions github-actions bot added the C-bug Category - Bug label Sep 12, 2025
@Sysix Sysix force-pushed the 09-12-fix_editor_don_t_allow_oxc.path.server_for_untrusted_workspaces branch 2 times, most recently from 18e323c to 1ce2a0d Compare September 12, 2025 21:13
@Sysix Sysix marked this pull request as ready for review September 12, 2025 21:15
@Sysix Sysix requested a review from camc314 as a code owner September 12, 2025 21:15
@Sysix Sysix requested review from Copilot and removed request for camc314 September 12, 2025 21:16
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR enhances security by restricting the use of custom language server paths in untrusted workspaces. It prevents potential execution of malicious executables when opening projects with custom oxc.path.server configurations.

Key changes:

  • Adds VS Code workspace trust capabilities to restrict oxc.path.server configuration in untrusted workspaces
  • Implements runtime check to only use custom server binaries when workspace is trusted

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
editors/vscode/package.json | Adds untrusted workspace capabilities configuration to restrict the oxc.path.server setting
editors/vscode/client/extension.ts | Adds a workspace trust check before using the custom server binary path


@camc314 camc314 added the 0-merge Merge with Graphite Merge Queue label Sep 15, 2025
@camc314 camc314 self-assigned this Sep 15, 2025
camc314 (Contributor) commented Sep 15, 2025

Merge activity

…13734)

Opening a project with a custom `oxc.path.server` could run another executable than the extension wants.
Will work on further optimization.

https://code.visualstudio.com/docs/editing/workspaces/workspace-trust
@graphite-app graphite-app bot force-pushed the 09-12-fix_editor_don_t_allow_oxc.path.server_for_untrusted_workspaces branch from 1ce2a0d to 8fa6227 Compare September 15, 2025 01:22
@graphite-app graphite-app bot merged commit 8fa6227 into main Sep 15, 2025
18 checks passed
@graphite-app graphite-app bot deleted the 09-12-fix_editor_don_t_allow_oxc.path.server_for_untrusted_workspaces branch September 15, 2025 01:26
@graphite-app graphite-app bot removed the 0-merge Merge with Graphite Merge Queue label Sep 15, 2025
graphite-app bot pushed a commit that referenced this pull request Sep 15, 2025
A project can have a custom `settings.json` with paths like:

```
{
  "oxc.path.server": "/usr/known-other-library",
  "oxc.path.server": "../../outside-of-the-trusted-workspace",
  "oxc.path.server": "oxc_language_server|cat /etc/passwd"
}
```

Even if the user has trusted the workspace in #13734, "unexpected" changes in a project can happen :)
Absolute files are allowed. For that, the binary should have `oxc_language_server` in the name, so the extension will not call another binary.
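The two layers described on this page (ignore the setting in untrusted workspaces; in trusted ones honour only absolute paths whose file name contains `oxc_language_server`), as an added TypeScript illustration that is not the extension's own code. The bundled-server placeholder, the function and type names and the reason codes are assumptions; the policy itself is the one the PR description and the follow-up commit message state.

```typescript
import { posix, win32 } from "node:path";

// Placeholder for the server binary shipped with the extension (assumption, not the real path).
export const BUNDLED_SERVER = "<extension-dir>/oxc_language_server";
// Every honoured custom path must carry this name so no unrelated binary is launched.
export const EXPECTED_BINARY_NAME = "oxc_language_server";

export type ServerChoice = {
  path: string;
  // Why this path was chosen, so the extension could surface the decision to the user.
  reason:
    | "bundled-default"
    | "untrusted-workspace"
    | "relative-path-rejected"
    | "unexpected-binary-name"
    | "custom-trusted";
};

function isAbsoluteAnyPlatform(p: string): boolean {
  // Accept both POSIX ("/opt/...") and Windows ("C:\...") absolute forms.
  return posix.isAbsolute(p) || win32.isAbsolute(p);
}

function lastPathComponent(p: string): string {
  // Split on either separator so a Windows-style value is handled on a POSIX host too.
  const parts = p.split(/[\\/]/);
  return parts[parts.length - 1] ?? "";
}

export function resolveServerPath(configured: string | undefined, workspaceTrusted: boolean): ServerChoice {
  if (configured === undefined || configured.trim() === "") {
    return { path: BUNDLED_SERVER, reason: "bundled-default" };
  }
  // Untrusted workspace: the setting is ignored entirely (the check #13734 adds).
  if (!workspaceTrusted) {
    return { path: BUNDLED_SERVER, reason: "untrusted-workspace" };
  }
  // A relative value could point outside the workspace, so only absolute files are honoured.
  if (!isAbsoluteAnyPlatform(configured)) {
    return { path: BUNDLED_SERVER, reason: "relative-path-rejected" };
  }
  // The final path component must name the language server; anything else is refused.
  if (!lastPathComponent(configured).includes(EXPECTED_BINARY_NAME)) {
    return { path: BUNDLED_SERVER, reason: "unexpected-binary-name" };
  }
  return { path: configured, reason: "custom-trusted" };
}
```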
This was referenced Sep 16, 2025
camc314 added a commit that referenced this pull request Sep 16, 2025
## [1.16.0] - 2025-09-16

### 🚀 Features

- 97c8d06 linter: Add `preserve-caught-error` rule (#13748) (孔辉)
- 8c19b18 linter/exhaustive-deps: Implement fixer for dep in global scope (#13783) (camc314)
- 06bce8f linter/exhaustive-deps: Implement fixer for missing dep (#13782) (camc314)
- a8675f4 linter: Add eslint/class-methods-use-this rule (#12977) (Peter Cardenas)
- db33196 parser: Adds typescript rule for empty argument list (#13730) (Karan Kiri)
- 2751193 linter: Add `eslint/no-useless-computed-key` rule (#13428) (yefan)
- 9a205d1 regex-parser: Parse simple `TemplateLiterals` (#13265) (Sysix)

### 🐛 Bug Fixes

- a2c91cd linter: Drop `rules` to allow mutable access to `ctx_host` in `run_external_rules` (#13832) (camc314)
- 3af1e5d linter/no-unsafe-declaration-merging: Always mark first span as primary (#13830) (camc314)
- 1c43c7c linter: Keep message when merging composite fixes (#13827) (camc314)
- 26af302 linter/exhaustive-deps: Check stable value is on lhs of assignment expr (#13815) (camc314)
- 4bc12d0 linter/exhaustive-deps: Remove impossible comparison with parent kind (#13814) (camc314)
- 12baf5e linter/exhaustive-deps: Respect primary span when identifying disable directive location (#13781) (camc314)
- fa7400a linter/no-undef: False positive with `arguments` in functions (#13763) (camc314)
- 50e6e3c editor: Restrict server paths for `oxc.path.server` (#13740) (Sysix)
- b45077d editor: Strip leading slash for bin path on windows (#13738) (Sysix)
- 8fa6227 editor: Don't allow `oxc.path.server` for untrusted workspaces (#13734) (Sysix)
- 56da114 linter/react/jsx-handler-names: Do not detect the function name within the inline-function's body block (#13456) (Takuji Shimokawa)
- b2bc5b4 linter/react-perf/jsx-no-new-object-as-prop: Skip as/satisfies exprs (#13718) (camc314)
- ab51394 raw_transfer: Disable layout assertions on some 32-bit platforms (#13716) (overlookmotel)
- 09428f6 linter/plugins: Remove outdated comment (#13691) (overlookmotel)
- a294721 linter/plugins: Exit early if JS plugins enabled on unsupported platforms (#13689) (overlookmotel)
- 68a2280 linter/plugins: More graceful exit for `--experimental-js-plugins` CLI option (#13688) (overlookmotel)

### 🚜 Refactor

- 395d40d linter: Derive impls for `PartialEq`, `Eq` over manual ones (#13828) (camc314)
- 8e4cd8f linter/func-names: Use `run_once` over looping over all nodes (#13798) (camc314)
- 7f4e2fe eslint/func-names: Clean up implementation and improve documentation (#13601) (Antoine Zanardi)
- 137896a language_server: Split options for linting and formatting (#13627) (Sysix)
- 7346099 linter: Move `oxlint` application code into separate module (#13745) (overlookmotel)
- 6dd4107 linter: Remove `#[cfg(test)]` attributes from `tester` module (#13714) (overlookmotel)
- c40c6ef linter/plugins: Directory for JS plugins-related code (#13701) (overlookmotel)
- a0022c1 linter/plugins: Improve error messages for JS plugins (#13699) (overlookmotel)
- 1fd993f napi/oxlint: Rename `napi/oxlint2` to `napi/oxlint` (#13682) (overlookmotel)

### ⚡ Performance

- 90c8286 linter: Detect node types from `let..else` statements (#13690) (camchenry)
- 08c05df semantic: Make CFG construction a compile-time feature (#13678) (Boshen)

### 🎨 Styling

- 99a7638 linter: Add comments + re-organise imports (#13715) (overlookmotel)

### 🧪 Testing

- 18a1145 linter: Add debug assertions for skipping rules (#13724) (camc314)
- cb080de linter/no-unused-vars: Add test for non ASCII chars in JSX components (#13820) (camc314)
- b6eba27 linter/no-undef: Add more test cases for `arguments` (#13764) (camc314)
- fb2d087 linter: Set CWD for tests (#13722) (overlookmotel)

Co-authored-by: camc314 <18101008+camc314@users.noreply.github.com>