
So, purely for example:

When you run VS Code, it spins up a local language server that is capable of making code changes. That is how refactoring python works in many editors (including VS Code).

A website that you're browsing could potentially send requests to this server asking for code to be inserted that fully compromises your device. What keeps us safe?

- maybe the website is only allowed to send GET requests, not PUT requests, and maybe the language servers that you're using are all "hardened" so that they will never permit mutations via any GET requests, and never have a misconfigured CORS header

- the website has to guess the correct port and the correct language server with a known vulnerability

- any website doing this on a large scale would likely get the language server patched and the website on a block list

- there might be other safeguards that I'm not familiar with. For example, I believe that Chrome disallows this by default

So now, here's my frustration: these two statements seem hugely at odds with each other:

> I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.

> (i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)

I'm ok with a person who makes either statement. I'm also ok with a person who makes the first statement, and also wants their LAN locked down. However, I do not feel as though a LAN ever needs to be locked down unless a person is running a server on the LAN network. Personal devices (like laptops and phones) are plenty capable of resisting malicious networks by default (coffee shops, university wifi, etc). What else is on a LAN?

> mind virus it's the paranoia all security people get

I generally agree with you, but I feel as though I am the one who has accepted that personal laptops need to handle malicious networks, and I'm generally comfortable with that. I don't worry too much about putting IoT devices on the same network as my personal laptop, nor about connecting to coffee shop wifis.
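As an added illustration of the safeguards the comment lists (an origin check and never permitting mutations via GET), here is a small local HTTP server in Python. It is example code written for this page, not VS Code's language server; the allowed origin, the port and the `/edit` path are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical local tool server modelled on the safeguards in the comment above;
# not a real language server. The allowed origin and port are assumed values.
ALLOWED_ORIGINS = {"http://localhost:3000"}  # assumed: the editor's own web UI
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def decide(method, path, origin):
    """Return (status, reason) for a request arriving at the local server."""
    # Browsers attach an Origin header to cross-site requests. Checking it on the
    # server matters because CORS only stops a page from *reading* the response;
    # a "simple" cross-site POST is still delivered and its side effects happen.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request refused"
    if method == "OPTIONS":  # CORS preflight from an allowed origin
        return 204, ""
    # Any page can trigger a GET via <img> or <script>, so code-changing
    # endpoints are only served on explicitly mutating methods.
    if path.startswith("/edit") and method not in MUTATING_METHODS:
        return 405, "mutation not allowed over " + method
    return 200, "ok"


class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        origin = self.headers.get("Origin")
        status, reason = decide(self.command, self.path, origin)
        self.send_response(status)
        if status in (200, 204) and origin in ALLOWED_ORIGINS:
            # Only an allow-listed origin is granted permission to read responses.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Access-Control-Allow-Methods", "GET, POST, PUT")
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

    do_GET = do_POST = do_PUT = do_OPTIONS = _serve


if __name__ == "__main__":
    # Bind to loopback only so the server is not reachable from the rest of the LAN.
    HTTPServer(("127.0.0.1", 8765), Handler).serve_forever()
```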


