Skip to content

security: release v1.14.6 with SEC-200 scope hardening#966

Open
EhabY wants to merge 1 commit into
release/v1.14.6from
security/scope-hardening-sec-200-1.14.6
Open

security: release v1.14.6 with SEC-200 scope hardening#966
EhabY wants to merge 1 commit into
release/v1.14.6from
security/scope-hardening-sec-200-1.14.6

Conversation

@EhabY
Copy link
Copy Markdown
Collaborator

@EhabY EhabY commented May 19, 2026
edited
Loading

Summary

Cuts v1.14.6 off the v1.14.5 tag with the SEC-200 fix for users on the stable channel. The same change is delivered on main in a separate PR.

Closes the SEC-200 attack path where a malicious .vscode/settings.json could override security-sensitive Coder settings — most notably the two command-execution settings (coder.headerCommand, coder.tlsCertRefreshCommand) called out in the original report.

The fix is metadata-only: each affected setting gets a scope of application or machine. VS Code drops workspace and folder values for both scopes, so a malicious workspace value never reaches our code. No runtime guard needed.

This PR also relaxes the release workflow so this release branch can publish without first being merged into main.

Why not window (the default)

VS Code's default scope is window, which lets workspace and folder settings.json override the user setting — exactly the SEC-200 vector. Any setting that can cause command execution, redirect network traffic, swap credentials, or substitute the CLI binary must not be controllable by a project file.

application vs machine

Both block workspace/folder overrides, so both close SEC-200. They differ in Settings Sync behavior:

Scope Settable in Synced via Settings Sync?
application User settings only Yes
machine User OR per-machine remote settings No

We split by what the setting actually represents:

  • application — user-wide preferences with no OS or filesystem coupling. Safe (and desirable) to sync across machines.
  • machine — paths, shell commands, and network config that are inherently per-machine. A Windows cmd.exe /c … headerCommand syncing to a Mac would silently break; absolute paths like tlsCaFile don't translate.

This follows VS Code's recommended scope semantics.

Settings updated

application (synced, user-wide preferences):

Setting Why it's sensitive
coder.insecure Disables TLS host verification
coder.disableSignatureVerification Toggles CLI signature verification
coder.enableDownloads Force-enables downloads in restricted environments
coder.defaultUrl Default Coder deployment URL
coder.autologin Combined with defaultUrl could auto-login elsewhere
coder.useKeyring Credential-storage preference

machine (per-machine, not synced):

Setting Why it's sensitive
coder.headerCommand Runs an external shell command (SEC-200)
coder.tlsCertRefreshCommand Runs an external shell command (SEC-200)
coder.binarySource URL the Coder CLI is downloaded from
coder.binaryDestination Filesystem path of the executed CLI binary
coder.sshFlags SSH flags accept -o ProxyCommand=… (exec)
coder.globalFlags Flags applied to every CLI invocation
coder.tlsCertFile TLS client certificate path
coder.tlsKeyFile TLS client key path
coder.tlsCaFile TLS CA path (workspace-controlled CA → MITM)
coder.tlsAltHost Hostname override for TLS verification
coder.proxyLogDirectory Arbitrary write path
coder.proxyBypass Routes traffic around the proxy

Already machine: coder.sshConfig.

CI change

Drops the Verify tag is on main step from .github/workflows/release.yaml so this release/v1.14.6 branch can publish a tagged release without first being merged into main. The same change lands on main in the companion PR.

Companion PR

The same scope-hardening change is being delivered against main separately.

Release plan

After merge:

  1. Tag v1.14.6 on the merged commit at the tip of release/v1.14.6.
  2. The release workflow packages the extension and publishes to the Marketplace + OpenVSX.

@EhabY EhabY requested a review from jdomeracki-coder May 19, 2026 15:45
@EhabY EhabY self-assigned this May 19, 2026
@EhabY
security: tighten configuration scope for SEC-200 (v1.14.6)
4ce2c56 
Mark security-sensitive settings so workspace and folder `settings.json`
can no longer override them. VS Code itself drops workspace/folder values
for these settings, closing a path where a malicious workspace could
redirect command execution (`coder.headerCommand`,
`coder.tlsCertRefreshCommand`), swap the CLI binary or its source, inject
CLI/SSH flags, substitute TLS material, or override identity and
credential-storage settings.

Path-, command-, and network-dependent settings use `scope: machine`
(per-machine, not synced via Settings Sync). User-wide preferences
(`coder.defaultUrl`, `coder.autologin`, `coder.useKeyring`,
`coder.insecure`, `coder.disableSignatureVerification`,
`coder.enableDownloads`) use `scope: application`, which preserves
Settings Sync across machines while still blocking workspace overrides.

Bumps to v1.14.6 and adds the corresponding CHANGELOG entry. Also drops
the release-workflow gate that required tags to come from `main` so this
fix can be cut from a release branch.
@EhabY EhabY force-pushed the security/scope-hardening-sec-200-1.14.6 branch from 24ba065 to 4ce2c56 Compare May 21, 2026 11:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jdomeracki-coder jdomeracki-coder Awaiting requested review from jdomeracki-coder

Assignees

@EhabY EhabY

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@EhabY