Headline
CVE-2021-22539: Malicious project can cause vscode-bazel to run arbitrary executable when linting a *.bzl file
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. vscode-bazel allows the path of the executable used to lint *.bzl files to be set via this config file. As such, the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.
Impact
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable, leading to arbitrary code execution.
vscode-bazel <= 0.4.0 allows workspace settings to change the path of the executable file used to lint *.bzl files (setting “bazel.buildifierExecutable”). Since the workspace setting can be modified just by dropping a (malicious) JSON config file into a folder, it’s possible to execute arbitrary executables from malicious folders this way.
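A pre-open check for the setting described above, as an added example that is not part of the advisory or of vscode-bazel's own code. It assumes the workspace-level files VS Code reads are `.vscode/settings.json` and `*.code-workspace` (locations not named on this page); the function names and the sample tree in `demo()` are constructed for illustration.

```python
import json, os, re, tempfile

SETTING = "bazel.buildifierExecutable"  # setting named in the advisory
_STR = r'("(?:\\.|[^"\\])*")'
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

def parse_jsonc(text):
    """Drop comments and trailing commas outside strings, then parse as JSON."""
    for pattern in (_COMMENT, _TRAILING):
        text = pattern.sub(lambda m: m.group(1) or "", text)
    return json.loads(text)

def find_overrides(root):
    """Return sorted (relative path, value) for each workspace file that sets SETTING."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            in_vscode = os.path.basename(dirpath) == ".vscode" and name == "settings.json"
            if not (in_vscode or name.endswith(".code-workspace")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    data = parse_jsonc(fh.read())
            except (OSError, ValueError):
                hits.append((rel, "UNPARSEABLE: review manually"))
                continue
            if not in_vscode and isinstance(data, dict):
                data = data.get("settings")  # .code-workspace nests its settings
            if isinstance(data, dict) and SETTING in data:
                hits.append((rel, data[SETTING]))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree (not taken from any real project)."""
    samples = {
        "proj/.vscode/settings.json": '{ // constructed\n "bazel.buildifierExecutable": "./tools/lint", }',
        "clean/.vscode/settings.json": '{"editor.tabSize": 2}',
        "ws/team.code-workspace": '{"folders": [], "settings": {"bazel.buildifierExecutable": "/opt/x"}}',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_overrides(root)
```

A hit only shows that the folder overrides the linter path; compare the reported value with the buildifier binary you expect before opening the folder in vscode-bazel <= 0.4.0.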
Patches
The problem has been patched in vscode-bazel 0.4.1. We recommend upgrading to version 0.4.1 or above.
For more information
Thanks to @Ry0taK for finding and responsibly reporting this vulnerability, and for helping us patch it!
If you have any questions or comments about this advisory:
- Open an issue in vscode-bazel.
- Email the Bazel security team at [email protected].