Skip to content

fix(security): address VS Code extension vulnerabilities — prototype pollution, token exposure, ReDoS, missing CSP#489

Merged
imran-siddique merged 5 commits intomicrosoft:mainfrom
imran-siddique:fix/vscode-security-issues
Mar 28, 2026
Merged

fix(security): address VS Code extension vulnerabilities — prototype pollution, token exposure, ReDoS, missing CSP#489
imran-siddique merged 5 commits intomicrosoft:mainfrom
imran-siddique:fix/vscode-security-issues

Conversation

@imran-siddique
Copy link
Copy Markdown
Member

@imran-siddique imran-siddique commented Mar 28, 2026

Fixes 5 security issues reported in #486, #487, #488.

Issue Severity Fix
Prototype pollution via Object.assign HIGH Property allowlist on _updateNode
OAuth token in plaintext globalState HIGH Migrated to VS Code SecretStorage API
ReDoS via custom policy regex MEDIUM safeRegExp() validator rejects dangerous patterns
Missing CSP on 5 webview panels MEDIUM Added nonce-based CSP meta tags
Dead code (policyCompletion.ts) LOW Deleted 361 unused lines

TypeScript compiles cleanly.

Closes #486, Closes #487, Closes #488

imran-siddique and others added 3 commits March 27, 2026 15:17
@imran-siddique
fix: npm build failures + NuGet publish via NuGetCommand
6ab05fa 
- mcp-proxy: shebang must be line 1 (TS18026)
- copilot, mcp-server: typescript ^6.0.2 → ^5.7.0 (eslint <6.0.0)
- NuGet: replace ESRP Sign+Release with NuGetCommand@2 push
  via NuGet.org service connection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique
Merge branch 'main' of https://github.com/microsoft/agent-governance-…
553d921 
…toolkit
@imran-siddique
fix(security): address 5 VS Code extension vulnerabilities (microsoft…
e51eb0e 
…#486, microsoft#487, microsoft#488)

Prototype pollution (HIGH):
- WorkflowDesignerPanel._updateNode() now uses property allowlist
  instead of Object.assign — blocks __proto__/constructor injection

OAuth token exposure (HIGH):
- ssoProvider stores tokens in VS Code SecretStorage (encrypted)
  instead of globalState (plaintext JSON on disk)
- _loadState() restores tokens from secrets, _saveState() strips them

ReDoS via custom policy regex (MEDIUM):
- Added safeRegExp() that rejects patterns with known catastrophic
  backtracking constructs before compilation
- Invalid patterns are skipped with warning, not compiled

Missing CSP on 5 webview panels (MEDIUM):
- Added Content-Security-Policy meta tags with nonce-based script-src
  to WorkflowDesigner, PolicyEditor, MetricsDashboard, Onboarding,
  and CMVK panel in extension.ts

Dead code removal (LOW):
- Deleted policyCompletion.ts (361 lines, unused, superseded by
  language/completionProvider.ts)

Closes microsoft#486, Closes microsoft#487, Closes microsoft#488

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot added the size/XL Extra large PR (500+ lines) label Mar 28, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 28, 2026
edited
Loading

🤖 AI Agent: security-scanner — Security Review of Pull Request: microsoft/agent-governance-toolkit

Security Review of Pull Request: microsoft/agent-governance-toolkit

1. Prompt Injection Defense Bypass

  • Finding: The changes do not explicitly address prompt injection vulnerabilities.
  • Severity: 🟠 HIGH
  • Attack Vector: If user inputs are not properly sanitized or validated, an attacker could craft inputs that manipulate the behavior of the AI agent, leading to unintended actions or information disclosure.
  • Suggested Fix: Implement strict input validation and sanitization for all user inputs. Consider using libraries that specialize in input validation to mitigate this risk.

2. Policy Engine Circumvention

  • Finding: The fix for prototype pollution via Object.assign is a step in the right direction, but the overall policy enforcement mechanism needs a thorough review.
  • Severity: 🟠 HIGH
  • Attack Vector: If the policy engine can be manipulated through prototype pollution or other means, it may allow users to bypass security policies.
  • Suggested Fix: Conduct a comprehensive audit of the policy engine to ensure that all inputs are validated and that the policy checks are robust against manipulation.

3. Trust Chain Weaknesses

  • Finding: No specific mention of SPIFFE/SVID validation or certificate pinning in the changes.
  • Severity: 🟡 MEDIUM
  • Attack Vector: Weaknesses in the trust chain could allow attackers to impersonate trusted entities, leading to unauthorized access.
  • Suggested Fix: Ensure that all certificates are validated properly and implement certificate pinning where applicable to strengthen the trust chain.

4. Credential Exposure

  • Finding: The migration to the VS Code SecretStorage API is a positive change, but it’s essential to ensure that no sensitive information is logged or exposed.
  • Severity: 🟠 HIGH
  • Attack Vector: If OAuth tokens or other credentials are logged in plaintext, they can be exploited by attackers.
  • Suggested Fix: Review all logging mechanisms to ensure that sensitive information is never logged. Implement logging best practices to redact sensitive data.

5. Sandbox Escape

  • Finding: No specific changes related to sandboxing or process isolation were mentioned.
  • Severity: 🟡 MEDIUM
  • Attack Vector: If the extension runs in a less secure environment, it may be possible for an attacker to escape the sandbox and execute arbitrary code.
  • Suggested Fix: Review the sandboxing mechanisms in place and ensure that they are configured correctly. Consider using more restrictive permissions for the extension.

6. Deserialization Attacks

  • Finding: The changes do not address potential deserialization vulnerabilities.
  • Severity: 🟡 MEDIUM
  • Attack Vector: If user input is deserialized without proper validation, it could lead to remote code execution or data tampering.
  • Suggested Fix: Implement safe deserialization practices, such as using libraries that enforce strict type checks and validation.

7. Race Conditions

  • Finding: No specific mention of concurrent access issues or race conditions in policy checks.
  • Severity: 🟡 MEDIUM
  • Attack Vector: If multiple processes can access shared resources without proper synchronization, it could lead to inconsistent policy evaluations.
  • Suggested Fix: Review the code for potential race conditions and implement locking mechanisms or other concurrency controls as necessary.

8. Supply Chain Weaknesses

  • Finding: The addition of new dependencies (e.g., axios, @azure/*) raises concerns about dependency confusion and typosquatting.
  • Severity: 🟠 HIGH
  • Attack Vector: If malicious packages are introduced through dependency confusion or typosquatting, it could compromise the security of the toolkit.
  • Suggested Fix: Use tools like npm audit and snyk to regularly check for vulnerabilities in dependencies. Consider using a lockfile to ensure consistent dependency versions.

Summary

The pull request addresses several critical security issues, particularly around credential management and prototype pollution. However, there are still significant concerns regarding prompt injection, policy circumvention, and supply chain vulnerabilities that need to be addressed to ensure the security integrity of the agent governance toolkit.

github-actions[bot]
github-actions bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Summary

This pull request addresses several critical security vulnerabilities in the VS Code extension of the microsoft/agent-governance-toolkit repository. The fixes include addressing prototype pollution, securing OAuth tokens, mitigating ReDoS attacks, adding a Content Security Policy (CSP) to webviews, and removing dead code. While the fixes are a step in the right direction, there are some areas that require further scrutiny and improvement.

🔴 CRITICAL Issues

  1. Prototype Pollution Mitigation

    • Issue: The fix for prototype pollution involves adding a property allowlist in _updateNode. However, the implementation details are not shown in the diff. If the allowlist is not comprehensive or if there are other entry points for untrusted input, the vulnerability may persist.
    • Action: Ensure that the allowlist is exhaustive and that all potential entry points for untrusted input are addressed. Add unit tests to verify that the allowlist prevents prototype pollution.

  2. OAuth Token Handling

    • Issue: While migrating to the VS Code SecretStorage API is a good step, there is no evidence in the diff that the migration has been fully implemented and tested. Additionally, there is no mention of how existing plaintext tokens are being securely migrated to the new storage mechanism.
    • Action: Verify that the migration to SecretStorage is complete and that existing tokens are securely migrated. Add tests to ensure tokens are securely stored and retrieved.

  3. ReDoS Mitigation

    • Issue: The safeRegExp() validator is mentioned as a fix for ReDoS vulnerabilities, but the implementation is not visible in the diff. Without seeing the implementation, it is unclear whether the validator is robust enough to handle all edge cases.
    • Action: Review the safeRegExp() implementation to ensure it effectively mitigates ReDoS attacks. Add tests with known ReDoS patterns to validate its effectiveness.

  4. Content Security Policy (CSP)

    • Issue: Adding nonce-based CSP meta tags is a good step, but there is no evidence in the diff that the CSP is being dynamically generated with unique nonces for each webview instance. A static nonce would not provide adequate protection.
    • Action: Verify that the CSP implementation generates unique nonces for each webview instance. Add tests to ensure that the CSP is applied correctly and that it blocks inline scripts without the correct nonce.

🟡 Warnings

  1. Potential Breaking Changes

    • Issue: Migrating OAuth tokens to the SecretStorage API could potentially break existing functionality if not handled carefully, especially if users have existing tokens stored in plaintext.
    • Action: Document the migration process clearly for users. Provide a fallback mechanism or a migration script to ensure a smooth transition.

  2. Dependency Updates

    • Issue: The package-lock.json file shows updates to multiple dependencies, including major version bumps (e.g., @typescript-eslint/eslint-plugin to 6.21.0). These updates could introduce breaking changes.
    • Action: Review the changelogs of updated dependencies to ensure compatibility with the current codebase. Run comprehensive tests to verify that the updates do not introduce regressions.

💡 Suggestions

  1. Dead Code Removal

    • Suggestion: While removing policyCompletion.ts is a good step, ensure that this file is not being used indirectly or in any legacy workflows. Add a note in the PR description about how this was verified.

  2. Documentation

    • Suggestion: Update the documentation to reflect the changes made in this PR, especially for the migration to SecretStorage and the addition of CSP.

  3. Testing

    • Suggestion: Add unit and integration tests for all the fixes implemented in this PR. Specifically:
      • Tests for the safeRegExp() validator with both safe and malicious regex patterns.
      • Tests for the CSP implementation to ensure it blocks inline scripts and only allows scripts with the correct nonce.
      • Tests for the SecretStorage API to ensure tokens are securely stored and retrieved.

  4. Code Review

    • Suggestion: Provide a more detailed description of the changes made in the PR, especially for critical fixes like prototype pollution and ReDoS mitigation. This will help reviewers understand the scope and effectiveness of the fixes.

  5. Security Audit

    • Suggestion: Consider conducting a security audit of the entire VS Code extension to identify any other potential vulnerabilities.

Conclusion

The PR addresses critical security vulnerabilities, but the lack of visibility into the implementation details and the absence of tests make it difficult to fully assess the effectiveness of the fixes. Addressing the critical issues and warnings outlined above will help ensure the robustness and security of the changes.

@imran-siddique imran-siddique enabled auto-merge (squash) March 28, 2026 02:11
@imran-siddique imran-siddique disabled auto-merge March 28, 2026 16:12
@imran-siddique imran-siddique mentioned this pull request Mar 28, 2026
Closed
github-actions[bot]
github-actions bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Summary

This pull request addresses critical security vulnerabilities in the VS Code extension of the microsoft/agent-governance-toolkit repository. The fixes include resolving prototype pollution, securing OAuth tokens, mitigating ReDoS vulnerabilities, implementing a Content Security Policy (CSP), and removing dead code. While the fixes address significant security concerns, there are some areas that require further review and improvement.

🔴 CRITICAL

  1. Prototype Pollution Fix

    • The fix for prototype pollution involves adding a property allowlist in _updateNode. However, the PR does not include the actual implementation of this fix in the diff provided. Ensure that:
      • The allowlist is comprehensive and explicitly defines all allowed properties.
      • The implementation prevents prototype pollution by rejecting any unexpected or malicious properties.
      • Add unit tests to verify that the allowlist works as intended and that no prototype pollution is possible.

  2. OAuth Token Storage

    • The migration to the VS Code SecretStorage API is a good step forward. However:
      • Ensure that the token is encrypted at rest and is only accessible to the extension.
      • Add tests to verify that the token is securely stored and cannot be accessed by unauthorized code.
      • Confirm that the token is not logged or exposed in any debug logs or error messages.

  3. ReDoS Mitigation

    • The safeRegExp() validator is introduced to mitigate ReDoS vulnerabilities. However:
      • The implementation of safeRegExp() is not visible in the diff. Ensure that it properly detects and rejects all potentially catastrophic regular expressions.
      • Add tests to verify that the validator blocks dangerous patterns (e.g., exponential backtracking) while allowing safe ones.

  4. Content Security Policy (CSP)

    • Adding nonce-based CSP meta tags to the webview panels is a good security measure. However:
      • Verify that the CSP is strict enough to prevent XSS attacks. For example:
        • Ensure that script-src only allows scripts with the specified nonce and does not include unsafe directives like unsafe-inline or unsafe-eval.
        • Ensure that object-src is set to 'none' unless explicitly required.
      • Add tests to verify that the CSP is applied correctly to all webview panels.

🟡 WARNING

  1. Dead Code Removal
    • The removal of policyCompletion.ts (361 lines) may cause backward compatibility issues if any other part of the codebase or external integrations depend on it. Verify that:
      • No other parts of the codebase reference the removed file.
      • There are no external dependencies or users relying on this file.
      • If this is a breaking change, document it clearly in the release notes.

💡 SUGGESTIONS

  1. Testing

    • Ensure that comprehensive tests are added for all the fixes, especially for the safeRegExp() validator and the CSP implementation.
    • Consider adding integration tests to verify the end-to-end behavior of the extension after these changes.

  2. Documentation

    • Update the documentation to reflect the changes, especially for the migration to the SecretStorage API. Include instructions for developers on how to use the new API.

  3. Dependency Management

    • The package-lock.json file has been added, but it is unclear if all dependencies are necessary. Review the dependencies to ensure that there are no unused or vulnerable packages.
    • Consider using a tool like npm audit to identify and address any vulnerabilities in the dependencies.

  4. Code Review

    • The diff provided is truncated, making it difficult to review the full implementation of the fixes. Ensure that the complete code changes are reviewed for correctness and security.

  5. Versioning

    • The version has been updated to 1.0.1. Ensure that this version bump aligns with your versioning policy and reflects the changes made in this PR.

Summary of Actions Required

  1. Provide the implementation details for the prototype pollution fix and safeRegExp() validator.
  2. Add unit and integration tests for all fixes.
  3. Review and document the removal of policyCompletion.ts for potential breaking changes.
  4. Verify the security of the CSP implementation and the SecretStorage API usage.
  5. Review the dependency tree for unnecessary or vulnerable packages.
  6. Ensure the version bump aligns with your versioning policy.

Let me know if you need further assistance with any of these points!

github-actions[bot]
github-actions bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Pull Request Review: Security Fixes for VS Code Extension

Summary

This pull request addresses five security vulnerabilities in the VS Code extension of the microsoft/agent-governance-toolkit repository. The fixes include addressing prototype pollution, token exposure, Regular Expression Denial of Service (ReDoS), missing Content Security Policy (CSP), and removal of dead code.

🔴 CRITICAL

  1. Prototype Pollution via Object.assign

    • Issue: The fix involves adding a property allowlist to _updateNode. However, the implementation of the allowlist is not visible in the provided diff.
    • Risk: If the allowlist is not properly implemented or if it misses critical properties, the vulnerability could still be exploited.
    • Action: Ensure that the allowlist implementation is comprehensive and explicitly prevents prototype pollution. Add unit tests to verify that no unintended properties can be added to the object.

  2. OAuth Token in Plaintext globalState

    • Issue: The migration to the VS Code SecretStorage API is a good step. However, the diff does not provide details on how the migration is handled.
    • Risk: If the migration process does not securely transfer existing tokens from globalState to SecretStorage, there is a risk of token leakage.
    • Action: Verify that tokens stored in globalState are securely migrated to SecretStorage and that globalState is cleared afterward. Add tests to confirm this behavior.

  3. ReDoS via Custom Policy Regex

    • Issue: The introduction of a safeRegExp() validator is a good approach. However, the implementation of safeRegExp() is not visible in the diff.
    • Risk: If the validator does not comprehensively detect and reject dangerous patterns, the ReDoS vulnerability may persist.
    • Action: Review the implementation of safeRegExp() to ensure it effectively mitigates ReDoS risks. Add tests with known ReDoS patterns to validate the fix.

  4. Missing CSP on Webview Panels

    • Issue: Adding nonce-based CSP meta tags is a good practice. However, the diff does not show how the nonces are generated and applied.
    • Risk: If nonces are not securely generated or are reused, the CSP could be bypassed.
    • Action: Verify that nonces are generated securely (e.g., using a cryptographically secure random number generator) and are unique for each request. Add tests to ensure CSP headers are correctly applied to all webview panels.

🟡 WARNING

  1. Dead Code Removal
    • Issue: The removal of policyCompletion.ts deletes 361 lines of code. While this is marked as "dead code," it is not clear if this file is used in any indirect way or if its removal could impact backward compatibility.
    • Risk: If this file is referenced in any other part of the codebase or by external consumers, its removal could cause runtime errors or break existing integrations.
    • Action: Confirm that policyCompletion.ts is not referenced anywhere in the codebase or by external dependencies. If it is part of the public API, consider deprecating it first before removal.

💡 SUGGESTIONS

  1. Testing Coverage

    • Add unit and integration tests to validate the fixes for all five issues. Specifically:
      • Test the safeRegExp() function with a variety of safe and unsafe regex patterns.
      • Test the migration of tokens from globalState to SecretStorage to ensure no tokens are left in plaintext.
      • Test the CSP implementation to ensure it blocks inline scripts and only allows scripts with the correct nonce.

  2. Documentation

    • Update the documentation to reflect the changes made in this PR, especially regarding the new use of the SecretStorage API and the CSP implementation.

  3. Dependency Audit

    • The package-lock.json file has been added in this PR, which includes a large number of dependencies. Ensure that all dependencies are up-to-date and free of known vulnerabilities. Use tools like npm audit or snyk to verify.

  4. Code Review for Non-Visible Changes

    • The provided diff does not show the actual code changes for the fixes. Ensure that the implementation of the fixes (e.g., safeRegExp(), CSP nonces, and token migration) is reviewed for correctness and security.

  5. Backward Compatibility

    • If the removed policyCompletion.ts file is part of the public API, consider adding a deprecation warning before removing it completely. This will give users time to update their code.

Final Recommendation

  • Address the CRITICAL issues before merging this PR.
  • Verify the implementation of the fixes and add comprehensive tests.
  • Ensure backward compatibility for the removed policyCompletion.ts file.
  • Perform a dependency audit to ensure no new vulnerabilities are introduced.

Let me know if you need further assistance or clarification!

@imran-siddique imran-siddique merged commit 3736f74 into microsoft:main Mar 28, 2026
50 of 52 checks passed
@imran-siddique imran-siddique deleted the fix/vscode-security-issues branch March 28, 2026 16:18
@MythologIQ MythologIQ mentioned this pull request Mar 28, 2026
Closed
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@nandhagopalv19 nandhagopalv19 Awaiting requested review from nandhagopalv19

Assignees

No one assigned

Labels

size/XL Extra large PR (500+ lines)

Projects

None yet

Milestone

No milestone

1 participant

@imran-siddique