Backmerge release/july-2026 into main [skip chg]#11283
Merged
Merged
Conversation
## Summary Hotfix for a reported **unauthenticated remote stop** vulnerability in `@typespec/spector`. The mock server registered `POST /.admin/stop` with no authentication and bound to all interfaces (`0.0.0.0`) by default, so any network-reachable client could terminate the server process with a single request. ## Fix The mock server is only ever used locally, so it now **always binds to the loopback interface (`127.0.0.1`)**. This makes the admin/stop endpoint unreachable from other hosts, which fully closes the reported vector without needing any per-request origin/host check. ## Notes - Verified with Node's `fetch` that clients still connect over `localhost` even on IPv6-first (`localhost` -> `::1`) resolution, so existing localhost-based test workflows keep working. - `tsp-spector server stop` (which posts to `http://localhost:<port>/.admin/stop`) continues to work unchanged. - Added a changelog entry (`fix`).
…1275) ## Summary Fixes a shell command injection vulnerability in the TypeSpec VS Code task provider. ### Data flow (source → sink) - `extension.ts` registers `createTaskProvider()` on activation (default-on). - `task-provider.ts` — `vscode.workspace.findFiles('**/main.tsp', ...)` collects workspace paths, including **attacker-controllable directory names**; `task.definition.path`/`args` also come from user-authored `tasks.json`. - The resolved path/args were interpolated (wrapped only in double quotes) into a command string and passed to `new vscode.ShellExecution(cmd, ...)`, which executes it via the OS shell → command injection. ### Fix Replace `vscode.ShellExecution` with `vscode.ProcessExecution`, passing arguments as an array so no shell is involved and no escaping is required. - New `src/task-command.ts` with pure, testable helpers: - `splitArgs` — **quote-aware** tokenizer (respects single/double quotes) so legitimate `tasks.json` args with spaces keep working; performs no shell expansion. - `resolveTaskCommand` — builds `{ command, args[] }` as `[...cli.args, "compile", absoluteTargetPath, ...splitArgs(args)]`, resolving `${...}` variables per element. - `createTaskInternal` now uses these helpers + `vscode.ProcessExecution` (both `cwd` and no-`cwd` branches). Logic was extracted into a separate module because the unit-test environment has no real `vscode` module. ### Behavior note Shell features (`$VAR`, `&&`, globbing) in `tasks.json` args are no longer shell-interpreted — the intended hardening. Quoting to group tokens with spaces still works. ### Tests - New `test/unit/task-command.test.ts` (9 tests): empty/`--watch` args, quoted args with spaces, `${workspaceFolder}` resolution, and an injection path (`$(rm -rf ~)`...) verified to remain a single literal argument. - Full unit suite passes (11 tests); Prettier + oxlint clean.
…releasejuly-2026-backmerge Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
timotheeguerin
July 16, 2026 22:32
View session
commit: |
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. Some pipeline(s) encountered errors during trigger evaluation. |
timotheeguerin
marked this pull request as ready for review
July 16, 2026 22:45
timotheeguerin
requested review from
RodgeFu,
bterlson,
catalinaperalta,
iscai-msft,
lirenhe,
markcowl and
witemple-msft
as code owners
July 16, 2026 22:45
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. Some pipeline(s) encountered errors during trigger evaluation. |
|
Azure Pipelines: 1 pipeline(s) were filtered out due to trigger conditions. There may be pipelines that require an authorized user to comment /azp run to run. Some pipeline(s) encountered errors during trigger evaluation. |
catalinaperalta
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backmerges
release/july-2026intomainto bring hotfix commits back to the development branch.Changes from release/july-2026