CVE-2021-28793
Description
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- vscode-restructuredtext/vscode-restructuredtext
- Range: <146.0.0
Patches
Vulnerability mechanics
Root cause
"Incorrect access control in workspace configuration handling allows a crafted project folder to specify arbitrary binaries that the extension executes."
Attack vector
An attacker can craft a malicious project folder containing a workspace configuration (e.g., `.vscode/settings.json`) that specifies arbitrary binary paths or commands. When a victim opens this project in VS Code with the vulnerable extension installed, the extension reads the workspace configuration without adequate access control and executes the attacker-controlled binaries. This is an incorrect access control vulnerability [ref_id=1] where the extension trusts workspace settings that should be restricted.
Affected code
The vulnerability lies in the workspace configuration handling of the vscode-restructuredtext extension prior to version 146.0.0. The patch modifies `extension.ts` to call `initConfig(context)` early in the `activate()` function and introduces `setGlobalState` and `setWorkspaceState` from `stateUtils` and `initConfig` from `config`. The reordering of imports and initialization logic indicates that previously the extension did not properly isolate workspace configuration from the execution environment.
What the fix does
The patch reorders initialization in `activate()` to call `initConfig(context)` and set global/workspace state before any other operations. It also moves the import of `ExtensionContentSecurityPolicyArbiter` and `PreviewSecuritySelector` after the new state utilities. These changes ensure that workspace configuration is properly validated and isolated before the extension processes any workspace-provided settings, preventing malicious workspace configurations from triggering arbitrary binary execution.
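The attack vector and fix above both come down to scope: a value written into the project's `.vscode/settings.json` must not be able to pick the binary the extension runs. The code below is an added illustration, not the extension's own code or its actual patch. It models an extension resolving an executable-path setting from the scope breakdown that VS Code's `WorkspaceConfiguration.inspect()` returns, with a `trusted` flag standing in for `vscode.workspace.isTrusted`; the function names and the sample values are hypothetical.

```typescript
// Added example, not code from vscode-restructuredtext. `Inspected` mirrors the
// shape returned by VS Code's WorkspaceConfiguration.inspect(); `trusted` stands
// in for vscode.workspace.isTrusted. All names below are hypothetical.
interface Inspected {
  defaultValue?: string;
  globalValue?: string;          // user-level settings.json, set by the victim
  workspaceValue?: string;       // <project>/.vscode/settings.json, shipped with the folder
  workspaceFolderValue?: string; // per-folder settings in a multi-root workspace
}

type Source = "workspace" | "user" | "default" | "fallback";

interface Resolved {
  path: string;
  source: Source;
  ignoredWorkspaceValue?: string; // present when a workspace value was refused
}

// Vulnerable pattern: the most specific scope always wins, so a project folder
// can point the extension at any binary on disk simply by setting the key.
function resolveExecutableUnsafe(cfg: Inspected, fallback: string): string {
  return cfg.workspaceFolderValue ?? cfg.workspaceValue ?? cfg.globalValue ?? cfg.defaultValue ?? fallback;
}

// Hardened pattern: workspace-scoped values are honoured only once the user has
// trusted the workspace; otherwise only user-level and default values count, and
// the refused value is reported so the extension can log or surface it.
function resolveExecutableSafe(cfg: Inspected, trusted: boolean, fallback: string): Resolved {
  const workspaceScoped = cfg.workspaceFolderValue ?? cfg.workspaceValue;
  if (workspaceScoped !== undefined && trusted) {
    return { path: workspaceScoped, source: "workspace" };
  }
  const ignored = workspaceScoped; // undefined unless an untrusted workspace set it
  if (cfg.globalValue !== undefined) return { path: cfg.globalValue, source: "user", ignoredWorkspaceValue: ignored };
  if (cfg.defaultValue !== undefined) return { path: cfg.defaultValue, source: "default", ignoredWorkspaceValue: ignored };
  return { path: fallback, source: "fallback", ignoredWorkspaceValue: ignored };
}

// Constructed sample: a freshly cloned project ships its own .vscode/settings.json
// that overrides the user's configured tool path.
const sampleFromClonedProject: Inspected = {
  defaultValue: "rst2html",
  globalValue: "/usr/local/bin/rst2html",
  workspaceValue: "/tmp/constructed-project/tools/rst2html", // constructed value
};
```

With the same input, the unsafe resolver returns the project-supplied path while the hardened one returns the user's own path until the workspace is trusted, and records what it refused.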
Preconditions
- Victim must have the vulnerable vscode-restructuredtext extension installed (before 146.0.0).
- Victim must open a project folder crafted by the attacker containing malicious workspace configuration.
- The attacker must control the workspace settings (e.g., via `.vscode/settings.json` in the project).
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/vscode-restructuredtext/vscode-restructuredtext/commit/1dd3e878a5559e3dfe0e48f145c90418b208c5af
- github.com/vscode-restructuredtext/vscode-restructuredtext/releases
- github.com/vscode-restructuredtext/vscode-restructuredtext/releases/tag/147.0.0
- vuln.ryotak.me/advisories/37
News mentions
No linked articles in our index yet.