-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
serverExecutablePath
can only be set globally since 1.3.0
#393
Comments
Ah, my apologies, I see this is a duplicate of #387 |
No worries, good to know how it is impacting users, if you have the opportunity it would be great to know (commenting in the previous issue if possible) what is your workflow, to help in the design of the alternative to the actual situation.
The machine scope would let an attacker execute an arbitrary program simply opening a folder with vscode so i think it doesnt have the same severity imho. The existence of other security holes cant be a excuse to let open another one. If you dont mind i would prefer to close this one and centralize the info in the mentioned issue. |
For some projects, I have an overridden
haskell-language-server
script in the project that sets up the environment correctly (in particular, executes it in the correct nix-shell). This worked well up until 1.3.0, when theserverExecutablePath
was set to have only "machine" scope and thus must be configured globally.The ostensible reason for this change is to prevent somebody from causing arbitrary script execution, but this seems weak - if you're compiling code I have control over, I can do this just as easily through a TH splice. So I'd like to request that this change be reverted.
The text was updated successfully, but these errors were encountered: