
Cherry pick/msrc 1.123 to release 1.123#320632

Merged
dileepyavan merged 7 commits into
release/1.123from
cherry-pick/msrc-1.123-to-release-1.123
Jun 9, 2026

Conversation

@dileepyavan (Member)

Cherry-picking changes from msrc release to release/1.123

Zhichao Li and others added 7 commits June 9, 2026 09:47
* [msrc/1.123] 114763

* Add maxAttributeSizeChars configuration to OpenTelemetry settings

---------

Co-authored-by: Zhichao Li <zhichli@microsoft.com>
(cherry picked from commit 042dc59)
…#46)

A direct `<host>:<port>` remote authority (no resolver `+` prefix) bypasses
resolver extensions and connects straight to the given server. Since this form
can originate from untrusted sources (e.g. the `remoteAuthority` of a
`.code-workspace` file), a crafted workspace could silently point the window's
extension host backend at an attacker-controlled server.

Centralize a confirmation prompt at the connection point in the renderer:
when resolving a direct authority whose host is not loopback (localhost,
127.0.0.1, ::1), ask the user to confirm before connecting and abort if
declined. Add `isLoopbackHost` helper and tests.

(cherry picked from commit 9505d0f)
(cherry picked from commit 4b6e246)
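As an added illustration of the check the commit message above describes (example code written for this page, not VS Code's own implementation): a loopback test for the host part of a direct `<host>:<port>` authority, and a decision function that lets loopback targets connect silently while anything else has to be confirmed first. The names `parseDirectAuthority`, `decideDirectConnection` and `connectDirect` are hypothetical; `isLoopbackHost` only mirrors the helper the commit names, with the loopback set limited to the three hosts the commit lists.

```typescript
// Added example, not VS Code code. Gate direct <host>:<port> remote authorities
// behind a loopback check; non-loopback targets need user confirmation.

// Loopback hosts exactly as the commit message lists them.
export const LOOPBACK_HOSTS: ReadonlySet<string> = new Set(['localhost', '127.0.0.1', '::1']);

// Hypothetical counterpart of the `isLoopbackHost` helper named in the commit:
// normalises case and strips IPv6 brackets before comparing against the set.
export function isLoopbackHost(host: string): boolean {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) {
    h = h.slice(1, -1);
  }
  return LOOPBACK_HOSTS.has(h);
}

export interface DirectAuthority {
  host: string;
  port: number;
}

// A direct authority has no `<resolver>+` prefix. Parse `<host>:<port>` and
// return undefined for anything else, so unparseable input never connects.
export function parseDirectAuthority(authority: string): DirectAuthority | undefined {
  if (authority.includes('+')) {
    return undefined; // resolver-based authority, handled elsewhere
  }
  const idx = authority.lastIndexOf(':');
  if (idx <= 0) {
    return undefined;
  }
  const host = authority.slice(0, idx);
  const port = Number(authority.slice(idx + 1));
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    return undefined;
  }
  return { host, port };
}

export type Decision = 'connect' | 'confirm' | 'reject';

// Central decision at the connection point: loopback connects without a
// prompt, every other host must be confirmed, malformed input is rejected.
export function decideDirectConnection(authority: string): Decision {
  const parsed = parseDirectAuthority(authority);
  if (!parsed) {
    return 'reject';
  }
  return isLoopbackHost(parsed.host) ? 'connect' : 'confirm';
}

// Connection wrapper: `confirm` is the caller's dialog, `dial` the real connect.
// Returns false (and never dials) when the authority is rejected or declined.
export async function connectDirect(
  authority: string,
  confirm: (host: string, port: number) => Promise<boolean>,
  dial: (host: string, port: number) => Promise<void>,
): Promise<boolean> {
  const parsed = parseDirectAuthority(authority);
  if (!parsed) {
    return false;
  }
  if (!isLoopbackHost(parsed.host)) {
    const ok = await confirm(parsed.host, parsed.port);
    if (!ok) {
      return false; // user declined: abort before any network activity
    }
  }
  await dial(parsed.host, parsed.port);
  return true;
}
```

The point of putting the decision in one function is that every caller (including one fed a `remoteAuthority` from an untrusted `.code-workspace` file) goes through the same gate; a bracketed IPv6 loopback such as `[::1]:8000` is treated the same as `127.0.0.1:8000`, while any other host always reaches the prompt.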
* fix path traversal

* fix compilation

(cherry picked from commit 9b31ff8)
(cherry picked from commit db24d8b)
Copilot AI review requested due to automatic review settings June 9, 2026 17:21
@dileepyavan dileepyavan enabled auto-merge (squash) June 9, 2026 17:21
@vs-code-engineering (Contributor)

📬 CODENOTIFY

The following users are being notified based on files changed in this PR:

@lszomoru

Matched files:

  • extensions/github/src/credentialProvider.ts

Copilot AI (Contributor) left a comment

Pull request overview

Cherry-picks MSRC/security and related UX changes into the release/1.123 line, including hardening around untrusted inputs (profile snippets import, direct remote authorities), plus UI surfacing for Copilot OpenTelemetry status and associated configuration restrictions.

Changes:

  • Prevent writing imported profile snippets outside the profile’s snippets folder and add regression tests (path traversal protection).
  • Add a confirmation prompt before connecting to direct <host>:<port> remote authorities that are not loopback.
  • Introduce a new ChatInputStatus menu and UI surfaces (workbench chat input + sessions new-chat view) for status indicators (e.g. OTel), plus related styling and Copilot OTel UX/telemetry improvements.
Summary per file:

  • src/vs/workbench/services/userDataProfile/test/browser/snippetsResource.test.ts: Adds tests covering safe snippet application and traversal attempts.
  • src/vs/workbench/services/userDataProfile/browser/userDataProfileInit.ts: Wires logging into snippets resource initialization.
  • src/vs/workbench/services/userDataProfile/browser/snippetsResource.ts: Adds containment check for snippet keys; logs when ignoring escaping entries.
  • src/vs/workbench/services/extensions/electron-browser/nativeExtensionService.ts: Prompts user before connecting to non-loopback direct remote authorities.
  • src/vs/workbench/services/extensions/common/abstractExtensionService.ts: Makes _dialogService protected for subclass use.
  • src/vs/workbench/services/actions/common/menusExtensionPoint.ts: Exposes new chat/input/status API menu key.
  • src/vs/workbench/contrib/chat/browser/widget/media/chat.css: Styles the new chat input status area and its hover content.
  • src/vs/workbench/contrib/chat/browser/widget/input/media/chatInputNotificationWidget.css: Updates notification widget spacing/typography to match chat font variables.
  • src/vs/workbench/contrib/chat/browser/widget/input/chatInputStatusActionViewItem.ts: New view item rendering a richer hover for chat input status contributions.
  • src/vs/workbench/contrib/chat/browser/widget/input/chatInputPart.ts: Adds a non-overflowing status toolbar to the secondary chat input toolbar.
  • src/vs/workbench/contrib/chat/browser/chatStatus/chatStatusDashboard.ts: Hides OTel status entry from dashboard when surfaced elsewhere.
  • src/vs/sessions/contrib/chat/browser/newChatInput.ts: Adds the chat input status toolbar to the sessions new-chat view.
  • src/vs/sessions/contrib/chat/browser/media/chatWidget.css: Tweaks sessions new-chat status toolbar padding/min-width for icon-only items.
  • src/vs/platform/remote/test/common/remoteHosts.test.ts: Adds coverage for loopback host detection.
  • src/vs/platform/remote/common/remoteHosts.ts: Introduces isLoopbackHost helper for local-only detection.
  • src/vs/platform/agentHost/common/agentHostStarter.config.contribution.ts: Marks agent-host OTel settings as restricted.
  • src/vs/platform/actions/common/actions.ts: Adds MenuId.ChatInputStatus.
  • src/vs/base/test/common/resources.test.ts: Adds test ensuring isEqualOrParent handles .. segments correctly.
  • src/vs/base/common/resources.ts: Uses forced POSIX semantics for URI-path containment checks.
  • src/vs/base/common/extpath.ts: Normalizes .. segments in isEqualOrParent and adjusts signature.
  • package.json: Bumps product version to 1.123.1.
  • package-lock.json: Updates lockfile version fields to 1.123.1.
  • extensions/github/src/credentialProvider.ts: Tightens hostname check to only github.com (no substring matches).
  • extensions/copilot/src/util/vs/base/common/resources.ts: Mirrors forced POSIX semantics change in Copilot's vendored util.
  • extensions/copilot/src/util/vs/base/common/extpath.ts: Mirrors isEqualOrParent normalization/signature change in Copilot's vendored util.
  • extensions/copilot/src/platform/otel/common/test/agentOTelEnv.spec.ts: Adds tests for db-only mode not forwarding env to subprocess.
  • extensions/copilot/src/platform/otel/common/agentOTelEnv.ts: Gates env var forwarding on enabledExplicitly to avoid leaks.
  • extensions/copilot/src/extension/otel/vscode-node/otelContrib.ts: Adds UI indicators/commands/consent flows for OTel capture + terminal env mirroring.
  • extensions/copilot/src/extension/chatSessions/vscode-node/copilotCLITerminalIntegration.ts: Always calls env derivation (now self-gated by enabledExplicitly).
  • extensions/copilot/src/extension/chatSessions/copilotcli/node/copilotcliSessionService.ts: Snapshots/restores OTel-related env vars; reduces unintended subprocess inheritance.
  • extensions/copilot/package.nls.json: Adds localized workspace trust capability description.
  • extensions/copilot/package.json: Bumps extension version/engine, adds untrusted workspace restrictions, adds status commands/menu contributions.
  • extensions/copilot/package-lock.json: Updates Copilot lockfile version/engine to match 0.51.1 / ^1.123.1.

Copilot's findings

Files not reviewed (1)
  • extensions/copilot/package-lock.json: Language not supported
  • Files reviewed: 31/33 changed files
  • Comments generated: 1
Comment on lines +47 to +48
import { MenuId, MenuItemAction } from '../../../../platform/actions/common/actions.js';
import { ChatInputStatusActionViewItem } from '../../../../workbench/contrib/chat/browser/widget/input/chatInputStatusActionViewItem.js';
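The "fix path traversal" commit and the review summary above describe the same mechanism from two sides: imported profile snippet keys are only written when they stay inside the profile's snippets folder, and the containment check normalises `..` segments using POSIX path rules before comparing. The following is an added example of that check, written for this page and not taken from VS Code; `normalizePosixPath`, `isEqualOrParentPath` and `applySnippets` are hypothetical names, and the snippet map is constructed sample input.

```typescript
// Added example, not VS Code code. Containment check for URI paths that
// collapses `.` and `..` before comparing, so a crafted snippet key cannot
// escape the folder it is supposed to land in.

// Normalise a POSIX-style path: drop empty and `.` segments, resolve `..`
// against the preceding segment, and treat `..` at the root as a no-op.
export function normalizePosixPath(p: string): string {
  const absolute = p.startsWith('/');
  const out: string[] = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') {
      continue;
    }
    if (seg === '..') {
      out.pop(); // popping an empty array is harmless: `..` at root stays at root
      continue;
    }
    out.push(seg);
  }
  return (absolute ? '/' : '') + out.join('/');
}

// True when `candidate` is `base` itself or lies strictly beneath it.
// The trailing-slash prefix prevents `/a/b` from "containing" `/a/bc`.
export function isEqualOrParentPath(base: string, candidate: string): boolean {
  const b = normalizePosixPath(base);
  const c = normalizePosixPath(candidate);
  if (b === c) {
    return true;
  }
  const prefix = b.endsWith('/') ? b : b + '/';
  return c.startsWith(prefix);
}

export interface ApplyResult {
  written: string[]; // resolved target paths that passed the check
  ignored: string[]; // snippet keys that resolved outside (or onto) the folder
}

// Apply imported snippet entries: resolve each key against the snippets
// folder, write only those that remain inside it, and report the rest so the
// caller can log them (the commit logs ignored entries rather than failing).
export function applySnippets(snippetsFolder: string, snippets: Record<string, string>): ApplyResult {
  const folder = normalizePosixPath(snippetsFolder);
  const written: string[] = [];
  const ignored: string[] = [];
  for (const key of Object.keys(snippets)) {
    const target = normalizePosixPath(`${folder}/${key}`);
    // A key that resolves to the folder itself is not a file either; ignore it.
    if (target !== folder && isEqualOrParentPath(folder, target)) {
      written.push(target);
    } else {
      ignored.push(key);
    }
  }
  return { written, ignored };
}

// Constructed sample input: one honest key and three that try to escape.
export const SAMPLE_SNIPPETS: Record<string, string> = {
  'typescript.json': '{}',
  '../settings.json': '{}',
  'sub/../../keybindings.json': '{}',
  'sub/..': '',
};
```

Running `applySnippets('/home/u/.vscode/profiles/p1/snippets', SAMPLE_SNIPPETS)` writes only `.../snippets/typescript.json` and reports the other three keys as ignored. Comparing raw string prefixes without the normalisation step would let `sub/../../keybindings.json` through, because the un-normalised target still begins with the folder path.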
@dileepyavan dileepyavan merged commit 8b5bd2a into release/1.123 Jun 9, 2026
26 checks passed
@dileepyavan dileepyavan deleted the cherry-pick/msrc-1.123-to-release-1.123 branch June 9, 2026 18:01
@vs-code-engineering vs-code-engineering Bot added this to the 1.123.2 milestone Jun 9, 2026

Labels

None yet

6 participants