Exposing the `.devcontainer` directory of a workspace to the container by default doesn't seem safe. A malicious program could discreetly edit `.devcontainer/devcontainer.json` and wait for a rebuild of the container (most likely by restarting the session).
Such malicious programs could e.g. change the config to mount the user's home directory, then extract any tokens/secrets it can find, once the container has been rebuilt. As of writing the likelihood of any such scenario is low, but even if the crime rate in your neighborhood were to be low, you still wouldn't leave your front door unlocked, would you?
One workaround is changing the default source code mount, but in my opinion a container really shouldn't be able to modify (or even see) its own config by default.
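The workaround mentioned above, shown as an added example rather than anything from the original post: a `devcontainer.json` that narrows the default workspace bind mount so the container sees only the source tree and never the repository root where `.devcontainer/` lives. It assumes the project keeps its code under `./src` and uses a stock base image; the `workspaceMount` and `workspaceFolder` properties and the `${localWorkspaceFolder}` variable are part of the devcontainer spec.

```jsonc
// Added example, not from the original post. Assumes source code under ./src
// and .devcontainer/ at the repository root (the layout this hardens against).
{
  "name": "narrowed-workspace",
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",

  // Default behaviour when workspaceMount is omitted is roughly:
  //   "workspaceMount": "source=${localWorkspaceFolder},target=/workspaces/<repo>,type=bind"
  // which bind-mounts the whole repository, including .devcontainer/devcontainer.json,
  // so code running in the container can rewrite its own config before the next rebuild.

  // Hardened form: mount only the source subtree. The container can no longer read or
  // edit .devcontainer/, so a tampered config cannot be staged from inside it.
  "workspaceMount": "source=${localWorkspaceFolder}/src,target=/workspaces/app,type=bind",
  "workspaceFolder": "/workspaces/app"
}
```

Tooling that expects repository-root files (lockfiles, CI config) will not see them inside the container with this layout, so keep only what the build genuinely needs under the mounted subtree.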