CVE-2021-30502
Description
The unofficial vscode-ghc-simple (aka Simple Glasgow Haskell Compiler) extension before 0.2.3 for Visual Studio Code allows remote code execution via a crafted workspace configuration with replCommand.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- vscode-ghc-simple / Simple Glasgow Haskell Compiler
- Range: <0.2.3
Patches
Vulnerability mechanics
Root cause
"Missing trust validation for the `replCommand` workspace configuration allows arbitrary command execution."
Attack vector
An attacker crafts a malicious Visual Studio Code workspace (e.g., a repository) containing a `.vscode/settings.json` that sets `ghcSimple.replCommand` to an arbitrary command (e.g., a reverse shell or malware). When the victim opens the workspace in VS Code with the vulnerable extension installed, the extension reads the workspace configuration and executes the attacker-controlled `replCommand` without any user prompt or validation. This allows remote code execution in the context of the victim's VS Code process [ref_id=1].
Affected code
The vulnerability resides in the workspace configuration handling of the vscode-ghc-simple extension. The `replCommand` setting, which specifies the command to launch GHCi, is read from workspace configuration without any trust mechanism. The patch introduces a `ghcSimple.trustedReplCommandConfigs` application-scoped setting to track which `replCommand` configurations the user has explicitly trusted [ref_id=1].
What the fix does
The patch adds a new `ghcSimple.trustedReplCommandConfigs` setting scoped to `application` (not workspace), which records which `replCommand` configurations the user has explicitly trusted. Before executing `replCommand`, the extension now checks whether the configuration is in this trusted list. If not, the user is prompted to approve or reject the command. This prevents arbitrary command execution from untrusted workspace configurations because the attacker-controlled `replCommand` will not be in the user's trusted list unless the user explicitly approves it [ref_id=1].
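The trust gate described above, written as an added TypeScript example that is not the extension's own code: workspace-supplied values of `ghcSimple.replCommand` are only launched once the user has approved them, and approvals are persisted in an application-scoped list that the workspace cannot write to. The key format, the `workspaceId` field and the prompt/spawn callbacks are assumptions of this example.

```typescript
type ConfigScope = "default" | "user" | "workspace";

// Effective ghcSimple.replCommand value together with the scope it came from.
// `workspaceId` (e.g. the workspace folder path) is an assumption of this example.
interface ReplCommandConfig {
  command: string;
  scope: ConfigScope;
  workspaceId: string;
}

type Decision = { action: "run" } | { action: "prompt"; key: string };

// Key recorded in the application-scoped trusted list (assumed shape:
// workspace identity plus the exact command string).
function trustKey(cfg: ReplCommandConfig): string {
  return `${cfg.workspaceId}::${cfg.command}`;
}

// Only workspace-supplied values are influenced by whoever authored the
// repository; user and default settings are under the user's own control
// and run without a prompt.
function gateReplCommand(cfg: ReplCommandConfig, trusted: ReadonlySet<string>): Decision {
  if (cfg.scope !== "workspace") return { action: "run" };
  const key = trustKey(cfg);
  return trusted.has(key) ? { action: "run" } : { action: "prompt", key };
}

// Full flow: consult the gate, ask the user when needed, persist the approval
// in the application-scoped list (never in workspace settings), then hand the
// command to `spawn`. Returns the launched command, or null if the user declined.
function launchRepl(
  cfg: ReplCommandConfig,
  trusted: Set<string>,
  askUser: (command: string) => boolean,
  spawn: (command: string) => void,
): string | null {
  const decision = gateReplCommand(cfg, trusted);
  if (decision.action === "prompt") {
    if (!askUser(cfg.command)) return null;
    trusted.add(decision.key);
  }
  spawn(cfg.command);
  return cfg.command;
}
```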
Preconditions
- config: Victim must have the vscode-ghc-simple extension (version < 0.2.3) installed in VS Code.
- input: Victim must open a malicious workspace (e.g., a cloned repository) that contains a crafted `.vscode/settings.json` with a `ghcSimple.replCommand` setting.
- auth: No user trust prompt or validation is performed before executing the workspace-defined `replCommand`.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/dramforever/vscode-ghc-simple/blob/master/CHANGELOG.md (CONFIRM)
- github.com/dramforever/vscode-ghc-simple/commit/bc7f6f0b857dade46ea51496d8bd1a4edef39b46 (CONFIRM)
- github.com/dramforever/vscode-ghc-simple/releases (MISC)
- vuln.ryotak.me/advisories/38 (MISC)
News mentions
No linked articles in our index yet.