#VSCode
SARIF Explorer is a VSCode extension that enables you to review static analysis results effectively and enjoyably.
In this two-part blog, I’ll cover how I found and disclosed three vulnerabilities in VSCode extensions and one vulnerability in VSCode itself (a security mitigation bypass assigned CVE-2022-41042 and awarded a $7,500 bounty).
In this post, I’ll demonstrate how I bypassed a Webview’s localResourceRoots by exploiting small URL parsing differences between the browser and other VSCode logic and an over-reliance on the browser to do path normalization. This bypass allows an attacker with JavaScript execution inside a Webview to read files anywhere in the system, including those outside the localResourceRoots. Microsoft assigned this bug CVE-2022-41042 and awarded us a bounty of $7,500 (about $2,500 per minute of bug finding).
I created SARIF Explorer, a VSCode extension that allows you to triage static analysis results more effectively and with more enjoyment. You can install it through the VSCode marketplace and find its code in our vscode-sarif-explorer repo.