Code execution in VSCode-bazel via malicious Bazel config files

Vulnerability

The vscode-bazel extension allows the workspace path to the executable used for linting *.bzl files to be set via the bazel.buildifierExecutable configuration key. This setting can be modified by placing a crafted JSON config file in the project folder. Versions 0.4.0 and earlier accept the configuration from the workspace without restrictions, enabling an attacker to specify any arbitrary executable on the system [1].

Exploitation

An attacker creates a malicious project folder containing a .vscode/settings.json file that sets bazel.buildifierExecutable to an attacker-controlled executable. When the victim opens the folder in Visual Studio Code and the extension lints a *.bzl file, the extension invokes the specified executable. No additional authentication, network access, or user interaction beyond opening the folder and triggering linting is required [1].

Impact

Successful exploitation results in arbitrary code execution on the victim's machine with the privileges of the user running Visual Studio Code. The attacker gains full control over the execution environment, potentially leading to data exfiltration, malware installation, or further system compromise [1].

Mitigation

The issue is patched in vscode-bazel version 0.4.1, released on or before 2021-04-16. Users should upgrade to version 0.4.1 or above. No workaround is documented; the fix disallows workspace-level configuration of the linting executable path [1].