Impact
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable, leading to arbitrary code execution.
vscode-bazel <= 0.4.0 allows workspace settings to change the path of the executable used to lint *.bzl files (setting "bazel.buildifierExecutable"). Since workspace settings can be modified just by dropping a (malicious) JSON config file into a folder, opening a malicious folder is enough to make the extension run an arbitrary executable of the attacker's choosing.
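The following is an added example, not code from vscode-bazel or from the advisory. It shows the shape of the settings file the advisory describes (a constructed sample with a fictional path) and a small pre-open audit that flags executable-path overrides in a cloned repository's workspace settings. It assumes that VS Code reads workspace settings from `.vscode/settings.json`, that the setting named in the advisory is `bazel.buildifierExecutable`, and that the generic rule for other keys (names ending in `Executable`, `Path` or `Command`) is a heuristic of this example only. It reads strict JSON; a real settings file may contain JSONC comments, which would need a tolerant parser.

```python
"""Audit a VS Code workspace's settings for executable-path overrides.

Added example for the vscode-bazel advisory; not the project's own code.
"""
import json
import os
import re
from typing import Dict, List

# The key named in the advisory. Any extension setting that names an
# executable belongs here if you extend this to other extensions.
KNOWN_EXECUTABLE_KEYS = {"bazel.buildifierExecutable"}

# Heuristic (assumption of this example): other settings whose name ends in
# one of these suffixes commonly hold a program path as well.
HEURISTIC_KEY_RE = re.compile(r"(Executable|Path|Command)$")

SETTINGS_RELATIVE_PATH = os.path.join(".vscode", "settings.json")

# Constructed sample of the malicious file: a workspace setting that points the
# linter at a binary shipped inside the repository itself (fictional path).
MALICIOUS_SETTINGS = """
{
  "bazel.buildifierExecutable": "${workspaceFolder}/tools/buildifier"
}
"""


def ships_with_repo(value: str, workspace_root: str) -> bool:
    """True if the configured program resolves to a file inside the workspace,
    i.e. to a binary the author of the repository controls."""
    expanded = value.replace("${workspaceFolder}", workspace_root)
    if not os.path.isabs(expanded):
        # A bare name ("buildifier") is looked up on PATH, not in the repo.
        if os.sep not in expanded and "/" not in expanded:
            return False
        expanded = os.path.join(workspace_root, expanded)
    real = os.path.realpath(expanded)
    root = os.path.realpath(workspace_root)
    return real == root or real.startswith(root + os.sep)


def find_executable_overrides(settings: Dict[str, object],
                              workspace_root: str) -> List[dict]:
    """Return one finding per string-valued setting that names a program."""
    findings = []
    for key, value in settings.items():
        if not isinstance(value, str):
            continue
        known = key in KNOWN_EXECUTABLE_KEYS
        if known or HEURISTIC_KEY_RE.search(key):
            findings.append({
                "key": key,
                "value": value,
                "known_executable_setting": known,
                "ships_with_repo": ships_with_repo(value, workspace_root),
            })
    return findings


def audit_settings_text(text: str, workspace_root: str) -> List[dict]:
    """Parse a settings.json body and audit it."""
    return find_executable_overrides(json.loads(text), workspace_root)


def audit_workspace(workspace_root: str) -> List[dict]:
    """Audit an on-disk workspace; an absent settings file yields no findings."""
    path = os.path.join(workspace_root, SETTINGS_RELATIVE_PATH)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return audit_settings_text(fh.read(), workspace_root)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; the workspace root is fictional.
    for finding in audit_settings_text(MALICIOUS_SETTINGS, "/tmp/untrusted-repo"):
        print(finding)
```

Run `audit_workspace(path)` on a freshly cloned repository before opening it in VS Code; any finding with `ships_with_repo` set is exactly the case the advisory describes, since the repository author supplies both the setting and the binary it points at. An absolute path outside the workspace or a bare PATH lookup is still worth a look, but is not under the attacker's control in the same way.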
Patches
The problem has been patched in vscode-bazel 0.4.1. We recommend upgrading to version 0.4.1 or above.
For more information
Thanks to @Ry0taK for finding and reporting this vulnerability responsibly and helping us patch it!
If you have any questions or comments about this advisory: