Allow to disable UNC access restrictions (fix #182055) (#182755)
bpasero authored May 17, 2023
1 parent 578c3f0 commit b4a2a00
Showing 7 changed files with 48 additions and 9 deletions.
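--- a/src/vs/base/node/unc.d.ts
+++ b/src/vs/base/node/unc.d.ts
@@ -17,3 +17,9 @@ export function getUNCHostAllowlist(): string[];
 * Adds one to many UNC host(s) to the allowed list in node.js.
 */
 export function addUNCHostToAllowlist(allowedHost: string | string[]): void;
+
+/**
+* Disables UNC Host allow list in node.js and thus disables UNC
+* path validation.
+*/
+export function disableUNCAccessRestrictions(): void;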
11 changes: 10 additions & 1 deletion src/vs/base/node/unc.js
@@ -109,10 +109,19 @@
return host;
}

function disableUNCAccessRestrictions() {
if (process.platform !== 'win32') {
return;
}

process.enableUNCAccessChecks = false;
}

return {
getUNCHostAllowlist,
addUNCHostToAllowlist,
getUNCHost
getUNCHost,
disableUNCAccessRestrictions
};
}

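Review bot: `disableUNCAccessRestrictions()` sets `process.enableUNCAccessChecks = false` for the whole process and leaves no trace that it did so, so a machine running with UNC host validation off looks the same in logs as one running with it on. I would put a comment above the assignment, `// Process-wide: after this, no UNC host is checked against the allowlist in this process.`, and have the function return a boolean (or have each caller log) so the weakened state is recorded at startup. The doc comment added in `unc.d.ts` should also say that the call is a no-op outside Windows, which the `process.platform !== 'win32'` guard here shows. The enclosing factory function starts above this hunk, so how `process` is typed there is not visible.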
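--- a/src/vs/code/electron-main/app.ts
+++ b/src/vs/code/electron-main/app.ts
@@ -4,7 +4,7 @@
 *--------------------------------------------------------------------------------------------*/
 
 import { app, BrowserWindow, dialog, protocol, session, Session, systemPreferences, WebFrameMain } from 'electron';
-import { addUNCHostToAllowlist } from 'vs/base/node/unc';
+import { addUNCHostToAllowlist, disableUNCAccessRestrictions } from 'vs/base/node/unc';
 import { validatedIpcMain } from 'vs/base/parts/ipc/electron-main/ipcMain';
 import { hostname, release } from 'os';
 import { VSBuffer } from 'vs/base/common/buffer';
@@ -320,7 +320,11 @@ export class CodeApplication extends Disposable {
 //#region UNC Host Allowlist (Windows)
 
 if (isWindows) {
-addUNCHostToAllowlist(this.configurationService.getValue('security.allowedUNCHosts'));
+if (this.configurationService.getValue('security.restrictUNCAccess') === false) {
+disableUNCAccessRestrictions();
+} else {
+addUNCHostToAllowlist(this.configurationService.getValue('security.allowedUNCHosts'));
+}
 }
 
 //#endregion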
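Review bot: The new `=== false` branch that chooses between `disableUNCAccessRestrictions()` and `addUNCHostToAllowlist(...)` is copied into three entry points (here, `remoteExtensionHostAgentCli.ts` and `remoteExtensionHostAgentServer.ts`), and none of them logs when the restriction is switched off. A single helper exported from `vs/base/node/unc` that takes the two setting values would keep the three call sites from drifting apart. In the disabled branch I would also emit a warning wherever a log service is in scope, e.g. `logService.warn('UNC access restrictions disabled by security.restrictUNCAccess');`. The strict comparison deserves a short comment, since it is what keeps a missing or non-boolean value on the restricted path: `// anything other than an explicit false keeps UNC restrictions on`. The surrounding method begins and ends outside this hunk.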
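--- a/src/vs/server/node/remoteExtensionHostAgentCli.ts
+++ b/src/vs/server/node/remoteExtensionHostAgentCli.ts
@@ -49,7 +49,7 @@ import { ExtensionsProfileScannerService } from 'vs/platform/extensionManagement
 import { LogService } from 'vs/platform/log/common/logService';
 import { LoggerService } from 'vs/platform/log/node/loggerService';
 import { localize } from 'vs/nls';
-import { addUNCHostToAllowlist } from 'vs/base/node/unc';
+import { addUNCHostToAllowlist, disableUNCAccessRestrictions } from 'vs/base/node/unc';
 
 class CliMain extends Disposable {
 
@@ -72,7 +72,11 @@ class CliMain extends Disposable {
 
 // On Windows, configure the UNC allow list based on settings
 if (isWindows) {
-addUNCHostToAllowlist(configurationService.getValue('security.allowedUNCHosts'));
+if (configurationService.getValue('security.restrictUNCAccess') === false) {
+disableUNCAccessRestrictions();
+} else {
+addUNCHostToAllowlist(configurationService.getValue('security.allowedUNCHosts'));
+}
 }
 
 try {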
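--- a/src/vs/server/node/remoteExtensionHostAgentServer.ts
+++ b/src/vs/server/node/remoteExtensionHostAgentServer.ts
@@ -23,7 +23,7 @@ import { createRegExp, escapeRegExpCharacters } from 'vs/base/common/strings';
 import { URI } from 'vs/base/common/uri';
 import { generateUuid } from 'vs/base/common/uuid';
 import { findFreePort } from 'vs/base/node/ports';
-import { addUNCHostToAllowlist } from 'vs/base/node/unc';
+import { addUNCHostToAllowlist, disableUNCAccessRestrictions } from 'vs/base/node/unc';
 import { PersistentProtocol } from 'vs/base/parts/ipc/common/ipc.net';
 import { NodeSocket, WebSocketNodeSocket } from 'vs/base/parts/ipc/node/ipc.net';
 import { IConfigurationService } from 'vs/platform/configuration/common/configuration';
@@ -719,7 +719,11 @@ export async function createServer(address: string | net.AddressInfo | null, arg
 const configurationService = accessor.get(IConfigurationService);
 
 if (platform.isWindows) {
-addUNCHostToAllowlist(configurationService.getValue('security.allowedUNCHosts'));
+if (configurationService.getValue('security.restrictUNCAccess') === false) {
+disableUNCAccessRestrictions();
+} else {
+addUNCHostToAllowlist(configurationService.getValue('security.allowedUNCHosts'));
+}
 }
 });
 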
7 changes: 7 additions & 0 deletions src/vs/workbench/browser/workbench.contribution.ts
@@ -704,6 +704,13 @@ const registry = Registry.as<IConfigurationRegistry>(ConfigurationExtensions.Con
'markdownDescription': localize('security.allowedUNCHosts', 'A set of UNC host names (without leading or trailing backslash, for example `192.168.0.1` or `my-server`) to allow without user confirmation. If a UNC host is being accessed that is not allowed via this setting or has not been acknowledged via user confirmation, an error will occur and the operation stopped. A restart is required when changing this setting. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
'included': isWeb ? true /* web maybe connected to a windows machine */ : isWindows,
'scope': ConfigurationScope.MACHINE
},
'security.restrictUNCAccess': {
'type': 'boolean',
'default': true,
'markdownDescription': localize('security.restrictUNCAccess', 'If enabled, only allowes access to UNC host names that are allowed by the `#security.allowedUNCHosts#` setting or after user confirmation. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
'included': isWeb ? true /* web maybe connected to a windows machine */ : isWindows,
'scope': ConfigurationScope.MACHINE
}
}
});
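Review bot: The `markdownDescription` for `security.restrictUNCAccess` misspells `allows` as `allowes` and describes only the enabled state, so a user turning the setting off is not told what protection is lost. The neighbouring `security.allowedUNCHosts` text states that a restart is required, and this one should say the same, since the commit also adds the key to the `SettingsChangeRelauncher` list. I would append something like `Disabling this setting turns off UNC host validation for all paths. A restart is required when changing this setting.` The `'scope': ConfigurationScope.MACHINE` line should stay as it is, presumably so that workspace-level settings cannot switch the restriction off.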
@@ -25,7 +25,7 @@ interface IConfiguration extends IWindowsConfiguration {
update?: { mode?: string };
debug?: { console?: { wordWrap?: boolean } };
editor?: { accessibilitySupport?: 'on' | 'off' | 'auto' };
security?: { workspace?: { trust?: { enabled?: boolean } } };
security?: { workspace?: { trust?: { enabled?: boolean } }; restrictUNCAccess?: boolean };
window: IWindowSettings & { experimental?: { windowControlsOverlay?: { enabled?: boolean } } };
workbench?: { enableExperiments?: boolean };
_extensionsGallery?: { enablePPE?: boolean };
@@ -43,7 +43,8 @@ export class SettingsChangeRelauncher extends Disposable implements IWorkbenchCo
'editor.accessibilitySupport',
'security.workspace.trust.enabled',
'workbench.enableExperiments',
'_extensionsGallery.enablePPE'
'_extensionsGallery.enablePPE',
'security.restrictUNCAccess'
];

private readonly titleBarStyle = new ChangeObserver<'native' | 'custom'>('string');
@@ -56,6 +57,7 @@ export class SettingsChangeRelauncher extends Disposable implements IWorkbenchCo
private readonly workspaceTrustEnabled = new ChangeObserver('boolean');
private readonly experimentsEnabled = new ChangeObserver('boolean');
private readonly enablePPEExtensionsGallery = new ChangeObserver('boolean');
private readonly restrictUNCAccess = new ChangeObserver('boolean');

constructor(
@IHostService private readonly hostService: IHostService,
@@ -112,6 +114,9 @@ export class SettingsChangeRelauncher extends Disposable implements IWorkbenchCo

// Workspace trust
processChanged(this.workspaceTrustEnabled.handleChange(config?.security?.workspace?.trust?.enabled));

// UNC host access restrictions
processChanged(this.restrictUNCAccess.handleChange(config?.security?.restrictUNCAccess));
}

// Experiments
