Ability to disallow network requests from plugins #12354
Comments
jansol
added
admin read
Moshyfawn
added
network
|
Can extensions even use the internet right now? Themes are an isolated JSON of colours, and the WASM binaries only have an output through the LSP handler, WASM shouldn't have access to the network at all, only WASIX and similar supersets get networking support. Is this more for when plugins widen to a more vscode style full featured system? |
|
There is an API (the LSP handler) for them to download a binary release from github, unpack it and execute the binary. (So they can provide language servers that are installed and kept up to date automatically) |
|
Isn't the WASM runtime isolated from the machine? it shouldn't have network or fs access just the buffer being passed in. |
|
There is a "zed extension interface" exposed to the blobs (running within the WASM runtime) that lets them instruct the host Zed (outside of the WASM runtime) to download binaries from github and point to those those binaries when Zed is asking the extension for the path to a given language server binary in order to execute it. |
Check for existing issues
Describe the feature
There was a question on discord whether binaries downloaded by language plugins could be malicious. Organization IT admins are also frequently not very happy about random binaries getting downloaded from the internet so it would probably be good to have the option to disable it without preventing users from installing themes and language support or disabling network functionality entirely.
(yes this is far from trivial to enforce properly, but better to get the ball rolling on extension permissions sooner rather than later)
If applicable, add mockups / screenshots to help present your vision of the feature
No response
The text was updated successfully, but these errors were encountered: