Skip to content

Backmerge release/july-2026 into main [skip chg]#11283

Merged
timotheeguerin merged 5 commits into
mainfrom
copilot/releasejuly-2026-backmerge
Jul 17, 2026
Merged

Backmerge release/july-2026 into main [skip chg]#11283
timotheeguerin merged 5 commits into
mainfrom
copilot/releasejuly-2026-backmerge

Conversation

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Backmerges release/july-2026 into main to bring hotfix commits back to the development branch.

Changes from release/july-2026

timotheeguerin and others added 4 commits July 16, 2026 14:57
## Summary

Hotfix for a reported **unauthenticated remote stop** vulnerability in
`@typespec/spector`.

The mock server registered `POST /.admin/stop` with no authentication
and bound to all interfaces (`0.0.0.0`) by default, so any
network-reachable client could terminate the server process with a
single request.

## Fix

The mock server is only ever used locally, so it now **always binds to
the loopback interface (`127.0.0.1`)**. This makes the admin/stop
endpoint unreachable from other hosts, which fully closes the reported
vector without needing any per-request origin/host check.

## Notes

- Verified with Node's `fetch` that clients still connect over
`localhost` even on IPv6-first (`localhost` -> `::1`) resolution, so
existing localhost-based test workflows keep working.
- `tsp-spector server stop` (which posts to
`http://localhost:<port>/.admin/stop`) continues to work unchanged.
- Added a changelog entry (`fix`).
…1275)

## Summary

Fixes a shell command injection vulnerability in the TypeSpec VS Code
task provider.

### Data flow (source → sink)
- `extension.ts` registers `createTaskProvider()` on activation
(default-on).
- `task-provider.ts` — `vscode.workspace.findFiles('**/main.tsp', ...)`
collects workspace paths, including **attacker-controllable directory
names**; `task.definition.path`/`args` also come from user-authored
`tasks.json`.
- The resolved path/args were interpolated (wrapped only in double
quotes) into a command string and passed to `new
vscode.ShellExecution(cmd, ...)`, which executes it via the OS shell →
command injection.

### Fix
Replace `vscode.ShellExecution` with `vscode.ProcessExecution`, passing
arguments as an array so no shell is involved and no escaping is
required.

- New `src/task-command.ts` with pure, testable helpers:
- `splitArgs` — **quote-aware** tokenizer (respects single/double
quotes) so legitimate `tasks.json` args with spaces keep working;
performs no shell expansion.
- `resolveTaskCommand` — builds `{ command, args[] }` as `[...cli.args,
"compile", absoluteTargetPath, ...splitArgs(args)]`, resolving `${...}`
variables per element.
- `createTaskInternal` now uses these helpers +
`vscode.ProcessExecution` (both `cwd` and no-`cwd` branches).

Logic was extracted into a separate module because the unit-test
environment has no real `vscode` module.

### Behavior note
Shell features (`$VAR`, `&&`, globbing) in `tasks.json` args are no
longer shell-interpreted — the intended hardening. Quoting to group
tokens with spaces still works.

### Tests
- New `test/unit/task-command.test.ts` (9 tests): empty/`--watch` args,
quoted args with spaces, `${workspaceFolder}` resolution, and an
injection path (`$(rm -rf ~)`...) verified to remain a single literal
argument.
- Full unit suite passes (11 tests); Prettier + oxlint clean.
…releasejuly-2026-backmerge

Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
@pkg-pr-new

pkg-pr-new Bot commented Jul 16, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@typespec/spector@11283

commit: 78c2ee1

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.
Some pipeline(s) encountered errors during trigger evaluation.

@timotheeguerin
timotheeguerin marked this pull request as ready for review July 16, 2026 22:45
@timotheeguerin timotheeguerin changed the title Backmerge release/july-2026 into main Backmerge release/july-2026 into main [skip chg] Jul 16, 2026
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.
Some pipeline(s) encountered errors during trigger evaluation.

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
1 pipeline(s) were filtered out due to trigger conditions.
There may be pipelines that require an authorized user to comment /azp run to run.
Some pipeline(s) encountered errors during trigger evaluation.

@microsoft-github-policy-service microsoft-github-policy-service Bot added ide Issues for VS, VSCode, Monaco, etc. spector Issues related to spector and the spec sets labels Jul 17, 2026
@timotheeguerin
timotheeguerin added this pull request to the merge queue Jul 17, 2026
Merged via the queue into main with commit 39f8f02 Jul 17, 2026
28 checks passed
@timotheeguerin
timotheeguerin deleted the copilot/releasejuly-2026-backmerge branch July 17, 2026 17:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ide Issues for VS, VSCode, Monaco, etc. spector Issues related to spector and the spec sets

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants