Visual Studio Code v1.57 was released in May 2021 with a new feature called “Workspace Trust”. This is a security mechanism that helps you avoid accidental code execution when you cannot trust the source of a repository.
Workspace Trust is enabled by default. When you open a new folder, Code displays a dialog box asking whether you trust the files it contains. If you say yes, the editor works as normal. If you say no, Code enters a new “restricted mode” with reduced functionality.
What is disabled in restricted mode?
Restricted mode is intended to prevent untrusted code from being executed. Visual Studio Code features that run files are disabled to help protect against threats in code you have not fully examined.
Debugging features are disabled, which prevents you from accidentally launching a downloaded executable. Visual Studio Code also disables the tasks defined in the workspace. Tasks in a .vscode file can run binaries and scripts, so a repository containing one is a security risk.
Any user extensions that can execute code will be disabled or placed in a limited-functionality state. Some workspace settings may also be overridden to limit the reach of downloaded .vscode files.
Restricted mode lets you inspect the critical parts of a newly downloaded project. You can verify that there is no suspicious behavior without risking actual execution of the code. Once you leave restricted mode, your usual settings are applied and debugging is re-enabled.
When Workspace Trust is enabled, you will see a message every time you open a new folder in an untrusted location. You will need to select whether you want to enable all functions or open the workspace in restricted mode.
Why bother?
Visual Studio Code has become a powerful code editor compatible with hundreds of extensions. Many of these third-party tools run automatically and are added to your workspace configuration file. This file is often committed to source control so it can be shared with team members.
It is conceivable that a crafty bad actor could create a repository that looks genuine but executes malicious code when loaded into the editor. Workspace Trust is a response to this possibility. It gives you added security when inspecting open source software and other code received from third parties.
Disabling Workspace Trust
Workspace Trust helps you avoid potentially dangerous inadvertent code executions. Using the feature gives you an additional layer of defense against unknown repositories. However, prompts may be annoying if you regularly consume code from new sources.
You can disable Workspace Trust completely by setting the security.workspace.trust.enabled setting to false. You can find this in the user interface by clicking File > Preferences > Settings and searching for “workspace trust”. The checkbox is displayed as “Security > Workspace > Trust: Enabled”. If you just want a one-time launch without Workspace Trust, add the --disable-workspace-trust command line flag.
Customizing Workspace Trust
Workspace Trust offers some settings to allow you to adjust its behavior. Use the procedure previously described to view the Workspace Trust settings in the user interface.
“Empty window” controls what happens when you're using a window with no folders open. When the checkbox is ticked, the window is treated as trusted by default. Otherwise, you will need to manually trust it like a normal folder.
The “Untrusted files” setting determines what happens if you use File > Open to open a file from an untrusted location while in a trusted window. The default behavior is to warn before continuing. You can change this to always open the file or to force it into a new window that is automatically untrusted.
Other settings let you override how extensions respond to Workspace Trust. These must be configured manually in your settings.json file. Add an extensions.supportUntrustedWorkspaces key with a JSON object as its value. Add extension IDs as keys in this object. Each extension can have true, limited or false as its supported value.

    {
        // "supported" takes true, false or "limited"
        "extensions.supportUntrustedWorkspaces": {
            "my-extension": { "supported": true }
        }
    }

An extension listed as true will always be enabled, even in an untrusted workspace. Extensions with false will only load in trusted workspaces. limited extensions will load in untrusted workspaces, but with “trusted” functionality disabled. You will not be able to use the tasks provided by these extensions.
Manage trusted folders
You can view and manage the folders that you have marked as trusted from within Visual Studio Code. Press Ctrl+Shift+P to open the command palette. Search for “workspace trust” and select the “Workspaces: Manage workspace trust” item from the menu.
This screen shows the trust status of your current window. You can switch to restricted mode by pressing “Don't trust”. Alternatively, press the “Trust” button to enable all features if you are currently in restricted mode.
The section “Trusted folders and workspaces” lists all directories that you have marked as trusted. You can revoke the trust of a location by clicking on it and pressing the Remove button “X” on the right.
All subdirectories inherit trust. Trusting a top-level folder like /home/me/projects means all your repositories are trusted automatically. This compromises the effectiveness of the Workspace Trust system.
Conclusion
Workspace Trust is a promising new security protection for Visual Studio Code users. The dangers of unintentional code execution by IDEs are just beginning to gain visibility. Although some may find trust prompts frustrating, they could help protect your machine from dangerous sources.
You are unlikely to want a workspace to stay in restricted mode for a long time. Even though you can still view and edit files, you lose many of the more powerful features of Visual Studio Code. It is better to check the executables, build scripts and .vscode files in a repository for hazards, and then trust the location once you are sure it will behave as expected.
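
The review step described above can be partly scripted. The following Python sketch is an added example, not code from the original article or from Visual Studio Code; it lists what a repository's .vscode directory could run once the folder is trusted, and marks tasks that use the tasks.json option runOptions.runOn set to "folderOpen", which asks Code to start the task when the folder is opened. The function names, the path/command heuristic for settings, and the sample repository (including the example.toolPath key) are assumptions constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

def _strip(pattern, text):
    # Remove matches of `pattern`, copying string literals through untouched.
    rx = re.compile(r'"(?:\\.|[^"\\])*"|' + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def load_jsonc(text):
    """Parse JSON with comments and trailing commas, as .vscode files allow."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_strip(r",(?=\s*[}\]])", text))

def audit(repo):
    """List what a repository's .vscode directory could run once trusted."""
    vs, out = Path(repo) / ".vscode", []
    def read(name):
        f = vs / name
        return load_jsonc(f.read_text(encoding="utf-8")) if f.is_file() else {}
    for t in read("tasks.json").get("tasks", []):
        cmd = " ".join(str(x) for x in [t.get("command", ""), *t.get("args", [])])
        auto = t.get("runOptions", {}).get("runOn") == "folderOpen"
        out.append(("tasks.json", "auto-run" if auto else "task", cmd))
    for c in read("launch.json").get("configurations", []):
        out.append(("launch.json", "debug", str(c.get("program", c.get("name")))))
    for key, val in read("settings.json").items():
        # Heuristic (assumption): settings naming a path or command deserve a look.
        if re.search(r"path|command|executable", key, re.I):
            out.append(("settings.json", "setting", f"{key}={val}"))
    return out

def demo():
    # Constructed sample repository, written to a temporary directory.
    with tempfile.TemporaryDirectory() as repo:
        vs = Path(repo) / ".vscode"
        vs.mkdir()
        (vs / "tasks.json").write_text('''{
  // constructed sample: comments and trailing commas are legal here
  "tasks": [
    {"label": "setup", "type": "shell", "command": "./scripts/setup.sh",
     "args": ["--fast"], "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "make",},
  ],
}''')
        (vs / "settings.json").write_text('{"example.toolPath": "./bin/tool", "editor.tabSize": 2}')
        return audit(repo)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run audit() against a freshly cloned folder while it is still in restricted mode; the script only reads the files and executes nothing from the repository.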