unc - adopt setting and handling of allow list (#5)

* unc - adopt setting and handling of allow list

* unc - set allow list on server too

* unc - pick our patched node.js for now

* bump electron

* unc - ignore sync is not needed with machine scope

* unc - use process set directly

* 🆙 22.5.1

Author: bpasero

build/gulpfile.reh.js

@@ -164,7 +164,7 @@ function nodejs(platform, arch) {
 
 	if (platform === 'win32') {
 		if (product.nodejsRepository) {
-			return assetFromGithub(product.nodejsRepository, nodeVersion, name => name === `win-${arch}-node.exe`)
+			return assetFromGithub(product.nodejsRepository, nodeVersion, name => name === `win-${arch}-patched-node.exe`)
 				.pipe(rename('node.exe'));
 		}
 

build/lib/electron.js

@@ -91,7 +91,7 @@ function darwinBundleDocumentTypes(types: { [name: string]: string | string[] },
 }
 
 export const config = {
-	version: product.electronRepository ? '22.4.8' : util.getElectronVersion(),
+	version: product.electronRepository ? '22.5.1' : util.getElectronVersion(),
 	productAppName: product.nameLong,
 	companyName: 'Microsoft Corporation',
 	copyright: 'Copyright (C) 2023 Microsoft. All rights reserved',
@@ -212,7 +212,7 @@ function getElectron(arch: string): () => NodeJS.ReadWriteStream {
 }
 
 async function main(arch = process.arch): Promise<void> {
-	const version = product.electronRepository ? '22.4.8' : util.getElectronVersion();
+	const version = product.electronRepository ? '22.5.1' : util.getElectronVersion();
 	const electronPath = path.join(root, '.build', 'electron');
 	const versionFile = path.join(electronPath, 'version');
 	const isUpToDate = fs.existsSync(versionFile) && fs.readFileSync(versionFile, 'utf8') === `${version}`;

build/lib/electron.ts

@@ -26,6 +26,11 @@ function stackToString(stack: string[] | string | undefined): string | undefined
 
 function detectSystemErrorMessage(exception: any): string {
 
+	// Custom node.js error from us
+	if (exception.code === 'ERR_UNC_HOST_NOT_ALLOWED') {
+		return `${exception.message}. Please update the 'security.allowedUNCHosts' setting if you want to allow this host.`;
+	}
+
 	// See https://nodejs.org/api/errors.html#errors_class_system_error
 	if (typeof exception.code === 'string' && typeof exception.errno === 'number' && typeof exception.syscall === 'string') {
 		return nls.localize('nodeExceptionMessage', "A system error occurred ({0})", exception.message);

src/vs/base/common/errorMessage.ts

@@ -0,0 +1,65 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { isWindows } from 'vs/base/common/platform';
+
+function processUNCHostAllowlist(): Set<string> | undefined {
+
+	// The property `process.uncHostAllowlist` is not available in official node.js
+	// releases, only in our own builds, so we have to probe for availability
+
+	const processWithUNCHostAllowlist = process as typeof process & { readonly uncHostAllowlist?: Set<string> };
+
+	return processWithUNCHostAllowlist.uncHostAllowlist;
+}
+
+export function setUNCHostAllowlist(allowedHosts: string[]): void {
+	if (!isWindows) {
+		return;
+	}
+
+	const allowlist = processUNCHostAllowlist();
+	if (allowlist) {
+		allowlist.clear();
+
+		for (const allowedHost of allowedHosts) {
+			allowlist.add(allowedHost);
+		}
+	}
+}
+
+export function getUNCHostAllowlist(): string[] {
+	const allowlist = processUNCHostAllowlist();
+	if (allowlist) {
+		return Array.from(allowlist);
+	}
+
+	return [];
+}
+
+export function addUNCHostToAllowlist(allowedHost: string): void {
+	if (!isWindows) {
+		return;
+	}
+
+	const allowlist = processUNCHostAllowlist();
+	if (allowlist) {
+		allowlist.add(allowedHost);
+	}
+}
+
+export function toUNCHostAllowlist(arg0: unknown): string[] {
+	const allowedUNCHosts = new Set<string>();
+
+	if (Array.isArray(arg0)) {
+		for (const host of arg0) {
+			if (typeof host === 'string') {
+				allowedUNCHosts.add(host);
+			}
+		}
+	}
+
+	return Array.from(allowedUNCHosts);
+}

src/vs/base/node/unc.ts

@@ -4,6 +4,7 @@
  *--------------------------------------------------------------------------------------------*/
 
 import { app, BrowserWindow, dialog, protocol, session, Session, systemPreferences, WebFrameMain } from 'electron';
+import { setUNCHostAllowlist, toUNCHostAllowlist } from 'vs/base/node/unc';
 import { validatedIpcMain } from 'vs/base/parts/ipc/electron-main/ipcMain';
 import { hostname, release } from 'os';
 import { VSBuffer } from 'vs/base/common/buffer';
@@ -311,6 +312,14 @@ export class CodeApplication extends Disposable {
 		}
 
 		//#endregion
+
+		//#region UNC Host Allowlist (Windows)
+
+		if (isWindows) {
+			setUNCHostAllowlist(toUNCHostAllowlist(this.configurationService.getValue<unknown>('security.allowedUNCHosts')));
+		}
+
+		//#endregion
 	}
 
 	private registerListeners(): void {

src/vs/code/electron-main/app.ts

@@ -21,10 +21,12 @@ import { getStdinFilePath, hasStdinWithoutTty, readFromStdin, stdinDataListener
 import { createWaitMarkerFileSync } from 'vs/platform/environment/node/wait';
 import product from 'vs/platform/product/common/product';
 import { CancellationTokenSource } from 'vs/base/common/cancellation';
-import { randomPath } from 'vs/base/common/extpath';
+import { isUNC, randomPath } from 'vs/base/common/extpath';
 import { Utils } from 'vs/platform/profiling/common/profiling';
 import { FileAccess } from 'vs/base/common/network';
 import { cwd } from 'vs/base/common/process';
+import { addUNCHostToAllowlist } from 'vs/base/node/unc';
+import { URI } from 'vs/base/common/uri';
 
 function shouldSpawnCliProcess(argv: NativeParsedArgs): boolean {
 	return !!argv['install-source']
@@ -116,6 +118,16 @@ export async function main(argv: string[]): Promise<any> {
 		const source = args._[0];
 		const target = args._[1];
 
+		// Windows: set the paths as allowed UNC paths given
+		// they are explicitly provided by the user as arguments
+		if (isWindows) {
+			for (const path of [source, target]) {
+				if (isUNC(path)) {
+					addUNCHostToAllowlist(URI.file(path).authority);
+				}
+			}
+		}
+
 		// Validate
 		if (
 			!source || !target || source === target ||				// make sure source and target are provided and are not the same

src/vs/code/node/cli.ts

@@ -707,6 +707,7 @@ export class DiskFileSystemProvider extends AbstractDiskFileSystemProvider imple
 			return error; // avoid double conversion
 		}
 
+		let resultError: Error | string = error;
 		let code: FileSystemProviderErrorCode;
 		switch (error.code) {
 			case 'ENOENT':
@@ -725,11 +726,15 @@ export class DiskFileSystemProvider extends AbstractDiskFileSystemProvider imple
 			case 'EACCES':
 				code = FileSystemProviderErrorCode.NoPermissions;
 				break;
+			case 'ERR_UNC_HOST_NOT_ALLOWED':
+				resultError = `${error.message}. Please update the 'security.allowedUNCHosts' setting if you want to allow this host.`;
+				code = FileSystemProviderErrorCode.Unknown;
+				break;
 			default:
 				code = FileSystemProviderErrorCode.Unknown;
 		}
 
-		return createFileSystemProviderError(error, code);
+		return createFileSystemProviderError(resultError, code);
 	}
 
 	private async toFileSystemProviderWriteError(resource: URI | undefined, error: NodeJS.ErrnoException): Promise<FileSystemProviderError> {

src/vs/platform/files/node/diskFileSystemProvider.ts

@@ -16,6 +16,8 @@ import { ITelemetryService } from 'vs/platform/telemetry/common/telemetry';
 import { ILifecycleMainService } from 'vs/platform/lifecycle/electron-main/lifecycleMainService';
 import { removeDangerousEnvVariables } from 'vs/base/common/processes';
 import { deepClone } from 'vs/base/common/objects';
+import { isWindows } from 'vs/base/common/platform';
+import { getUNCHostAllowlist } from 'vs/base/node/unc';
 
 export interface IUtilityProcessConfiguration {
 
@@ -259,6 +261,9 @@ export class UtilityProcess extends Disposable {
 			env['VSCODE_CRASH_REPORTER_SANDBOXED_HINT'] = '1'; // TODO@bpasero remove me once sandbox is final
 		}
 		env['VSCODE_CRASH_REPORTER_PROCESS_TYPE'] = configuration.type;
+		if (isWindows) {
+			env['NODE_UNC_HOST_ALLOWLIST'] = getUNCHostAllowlist().join('\\');
+		}
 
 		// Remove any environment variables that are not allowed
 		removeDangerousEnvVariables(env);

src/vs/platform/utilityProcess/electron-main/utilityProcess.ts

@@ -3,8 +3,9 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { app, BrowserWindow, WebContents } from 'electron';
+import { app, BrowserWindow, WebContents, shell } from 'electron';
 import { Promises } from 'vs/base/node/pfs';
+import { addUNCHostToAllowlist } from 'vs/base/node/unc';
 import { hostname, release } from 'os';
 import { coalesce, distinct, firstOrDefault } from 'vs/base/common/arrays';
 import { CancellationToken } from 'vs/base/common/cancellation';
@@ -1013,7 +1014,7 @@ export class WindowsMainService extends Disposable implements IWindowsMainServic
 		return openable.fileUri;
 	}
 
-	private async doResolveFilePath(path: string, options: IPathResolveOptions): Promise<IPathToOpen<ITextEditorOptions> | undefined> {
+	private async doResolveFilePath(path: string, options: IPathResolveOptions, skipHandleUNCError?: boolean): Promise<IPathToOpen<ITextEditorOptions> | undefined> {
 
 		// Extract line/col information from path
 		let lineNumber: number | undefined;
@@ -1083,6 +1084,11 @@ export class WindowsMainService extends Disposable implements IWindowsMainServic
 				};
 			}
 		} catch (error) {
+
+			if (error.code === 'ERR_UNC_HOST_NOT_ALLOWED' && !skipHandleUNCError) {
+				return this.onUNCHostNotAllowed(path, options);
+			}
+
 			const fileUri = URI.file(path);
 
 			// since file does not seem to exist anymore, remove from recent
@@ -1101,6 +1107,33 @@ export class WindowsMainService extends Disposable implements IWindowsMainServic
 		return undefined;
 	}
 
+	private async onUNCHostNotAllowed(path: string, options: IPathResolveOptions): Promise<IPathToOpen<ITextEditorOptions> | undefined> {
+		const uri = URI.file(path);
+
+		const { response } = await this.dialogMainService.showMessageBox({
+			type: 'warning',
+			buttons: [
+				localize({ key: 'yes', comment: ['&& denotes a mnemonic'] }, "&&Yes"),
+				localize({ key: 'no', comment: ['&& denotes a mnemonic'] }, "&&No"),
+				localize({ key: 'learnMore', comment: ['&& denotes a mnemonic'] }, "&&Learn More"),
+			],
+			message: localize('confirmOpenMessage', "The host '{0}' was not found in the list of allowed hosts. Do you want to open it anyway?", uri.authority),
+			detail: localize('confirmOpenDetail', "The path '{0}' uses a host that is not allowed. Unless you trust the host, you should press 'No'", getPathLabel(uri, { os: OS, tildify: this.environmentMainService }))
+		});
+
+		if (response === 0) {
+			addUNCHostToAllowlist(uri.authority);
+
+			return this.doResolveFilePath(path, options, true /* do not handle UNC error again */);
+		}
+
+		if (response === 2) {
+			shell.openExternal('https://aka.ms/vscode-windows-unc');
+		}
+
+		return undefined;
+	}
+
 	private doResolveRemotePath(path: string, options: IPathResolveOptions): IPathToOpen<ITextEditorOptions> | undefined {
 		const first = path.charCodeAt(0);
 		const remoteAuthority = options.remoteAuthority;

src/vs/platform/windows/electron-main/windowsMainService.ts

@@ -49,6 +49,7 @@ import { ExtensionsProfileScannerService } from 'vs/platform/extensionManagement
 import { LogService } from 'vs/platform/log/common/logService';
 import { LoggerService } from 'vs/platform/log/node/loggerService';
 import { localize } from 'vs/nls';
+import { setUNCHostAllowlist, toUNCHostAllowlist } from 'vs/base/node/unc';
 
 class CliMain extends Disposable {
 
@@ -66,7 +67,14 @@ class CliMain extends Disposable {
 	async run(): Promise<void> {
 		const instantiationService = await this.initServices();
 		await instantiationService.invokeFunction(async accessor => {
+			const configurationService = accessor.get(IConfigurationService);
 			const logService = accessor.get(ILogService);
+
+			// On Windows, configure the UNC allow list based on settings
+			if (process.platform === 'win32') {
+				setUNCHostAllowlist(toUNCHostAllowlist(configurationService.getValue<unknown>('security.allowedUNCHosts')));
+			}
+
 			try {
 				await this.doRun(instantiationService.createInstance(ExtensionManagementCLI, new ConsoleLogger(logService.getLevel(), false)));
 			} catch (error) {

src/vs/server/node/remoteExtensionHostAgentCli.ts

@@ -23,8 +23,10 @@ import { createRegExp, escapeRegExpCharacters } from 'vs/base/common/strings';
 import { URI } from 'vs/base/common/uri';
 import { generateUuid } from 'vs/base/common/uuid';
 import { findFreePort } from 'vs/base/node/ports';
+import { setUNCHostAllowlist, toUNCHostAllowlist } from 'vs/base/node/unc';
 import { PersistentProtocol } from 'vs/base/parts/ipc/common/ipc.net';
 import { NodeSocket, WebSocketNodeSocket } from 'vs/base/parts/ipc/node/ipc.net';
+import { IConfigurationService } from 'vs/platform/configuration/common/configuration';
 import { IInstantiationService } from 'vs/platform/instantiation/common/instantiation';
 import { ILogService } from 'vs/platform/log/common/log';
 import { IProductService } from 'vs/platform/product/common/productService';
@@ -712,6 +714,15 @@ export async function createServer(address: string | net.AddressInfo | null, arg
 		initUnexpectedErrorHandler((error: any) => logService.error(error));
 	});
 
+	// On Windows, configure the UNC allow list based on settings
+	instantiationService.invokeFunction((accessor) => {
+		const configurationService = accessor.get(IConfigurationService);
+
+		if (process.platform === 'win32') {
+			setUNCHostAllowlist(toUNCHostAllowlist(configurationService.getValue<unknown>('security.allowedUNCHosts')));
+		}
+	});
+
 	//
 	// On Windows, exit early with warning message to users about potential security issue
 	// if there is node_modules folder under home drive or Users folder.

src/vs/server/node/remoteExtensionHostAgentServer.ts

@@ -7,7 +7,7 @@ import { Registry } from 'vs/platform/registry/common/platform';
 import { localize } from 'vs/nls';
 import { IConfigurationRegistry, Extensions as ConfigurationExtensions, ConfigurationScope } from 'vs/platform/configuration/common/configurationRegistry';
 import { isMacintosh, isWindows, isLinux, isWeb, isNative } from 'vs/base/common/platform';
-import { ConfigurationMigrationWorkbenchContribution, workbenchConfigurationNodeBase } from 'vs/workbench/common/configuration';
+import { ConfigurationMigrationWorkbenchContribution, securityConfigurationNodeBase, workbenchConfigurationNodeBase } from 'vs/workbench/common/configuration';
 import { isStandalone } from 'vs/base/browser/browser';
 import { IWorkbenchContributionsRegistry, Extensions as WorkbenchExtensions } from 'vs/workbench/common/contributions';
 import { LifecyclePhase } from 'vs/workbench/services/lifecycle/common/lifecycle';
@@ -680,4 +680,21 @@ const registry = Registry.as<IConfigurationRegistry>(ConfigurationExtensions.Con
 			}
 		}
 	});
+
+	// Security
+	registry.registerConfiguration({
+		...securityConfigurationNodeBase,
+		'properties': {
+			'security.allowedUNCHosts': {
+				'type': 'array',
+				'items': {
+					'type': 'string'
+				},
+				'default': [],
+				'markdownDescription': localize('security.allowedUNCHosts', 'A set of UNC host names to allow without user confirmation. If a UNC host is being accessed that is not allowed via this setting or has not been acknowledged via user confirmation, an error will occur and the operation stopped. A restart is required when changing this setting. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
+				'included': isWindows,
+				'scope': ConfigurationScope.MACHINE
+			}
+		}
+	});
 })();