Skip to content

Security: SLaks/Rebracer

Security

Security.md

#Threat model Users may open a solution with a malicious Rebracer settings as part of a Visual Studio solution from the internet, without expecting any kind of security risk. In short, opening a Visual Studio solution should not have any adverse side-effects that extend beyond the solution itself. It's find for a solution to have weird settings that only affect itself (eg, 128-space-wide indentation); it's not fine for a solution to have settings which affect Windows or execute code.

There are subtle information disclosure issues here. If a user opens a hostile solution from a UNC path (so that attackers can observe changes to the settings file as it's written over the network), the attacker can include a Rebracer settings file that defines every supported category but has no properties defined. When the user saves the settings file, the attacker will see the present values of all settings from before the solution was opened. As far as I know, there are no Visual Studio settings that can hold confidential information, so there is no danger here.

There aren’t any published security advisories