
VS Code is becoming more and more awesome, along with its crazy extensions, but with all that flexibility and awesomeness come security and privacy risks.

Thus my question: is it at all possible to block a specific extension from accessing the internet?

Xsmael
  • This question (as it's currently written) is a bit too broad for Stack Overflow's Q&A format. You should edit the question to limit it to avoid asking multiple distinct questions at once. – esqew Sep 10 '19 at 15:52
  • @esqew why is it too broad? It applies to a specific code editor and to a specific thing within that code editor. I didn't mention any extension because the answer should be applicable to any extension, given the type of problem. – Xsmael Sep 10 '19 at 17:07
  • As I said, you're asking multiple distinct questions: "`[Is it] possible to block a specific extension...`" and "`[Can] a vscode extension...`" – esqew Sep 10 '19 at 17:39

1 Answer


The answer appears to be no, you can't block extension network access:

Relatedly, one might ask if there is any system in place to detect or prevent malicious extension behavior. Again the answer seems to be no:

  • The question Security and Privacy of VSCode extensions and its answer basically seem to boil down to "run your own firewall".

  • The question How is VS Code Extension Security Handled? and its answer boil down to "Microsoft does nothing to ensure extensions are not malicious".

  • I have personally uploaded one extension to the Marketplace. I can report that it took about five minutes to appear there; not nearly long enough for anyone to have reviewed it. Furthermore, I inadvertently uploaded it before creating the GitHub repo, but that didn't cause any problems, suggesting that the service does not do any checks to ensure what is on GitHub matches what is in the extension.

Overall, I find this a scary situation. I do a few things to try to protect myself:

  • I try to stick to extensions that have a lot of downloads, and which have not been updated recently. I then have automatic update disabled. This way, everything I'm running has had some chance to be exposed as malicious before I use it.

  • The extensions are distributed as VSIX files, which are just ZIP files with a different file name suffix. If I am at all suspicious, I download it as a file first and poke around. Especially check the package.json scripts and the TypeScript or JavaScript source code (if there is any). That is of course far from foolproof, but it's something.

  • It may also be worthwhile to check it with VirusTotal.

Scott McPeak
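The manual "download the VSIX and poke around" routine from the answer above can be scripted. The following is an added example, not code from the original post or from VS Code itself: it opens a VSIX as a ZIP, pulls `scripts`, `dependencies` and `activationEvents` out of `extension/package.json`, greps every `.js`/`.ts` file for the things a reviewer would want to read by hand (network modules, `child_process`, `eval`, base64/hex-escaped strings), and computes the SHA-256 of the archive so the file can be looked up on VirusTotal by hash. The sample VSIX built by `build_sample_vsix()` is constructed for the demo and is not a real extension; the regexes are a starting point, not a complete signature set.

```python
"""Offline triage of a VSIX file (a ZIP archive with a different suffix)."""
import hashlib
import io
import json
import re
import sys
import zipfile

# Things in extension source that deserve a manual read. Assumed, minimal list;
# a hit is a reason to look, not proof of malice.
SUSPICIOUS_PATTERNS = {
    "network": re.compile(r"""\brequire\(['"](https?|net|dgram|tls)['"]\)|\bfetch\(|XMLHttpRequest"""),
    "process_exec": re.compile(r"""child_process|\.exec\(|\.spawn\(|execSync"""),
    "dynamic_code": re.compile(r"""\beval\(|new Function\(|vm\.runIn"""),
    "obfuscation": re.compile(r"""Buffer\.from\([^)]*['"]base64['"]\)|\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}"""),
}


def inspect_vsix(data: bytes) -> dict:
    """Return a report dict for the raw bytes of a VSIX file."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # paste into VirusTotal search
        "files": [], "main": None, "scripts": {}, "dependencies": {},
        "activation_events": [], "findings": [],  # (file, line, label, match)
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["files"] = names
        # The npm-style manifest lives at extension/package.json inside a VSIX.
        manifest_name = next((n for n in names if n.endswith("extension/package.json")), None)
        if manifest_name:
            manifest = json.loads(zf.read(manifest_name))
            report["main"] = manifest.get("main")
            report["scripts"] = manifest.get("scripts", {})
            report["dependencies"] = manifest.get("dependencies", {})
            report["activation_events"] = manifest.get("activationEvents", [])
            if "*" in report["activation_events"]:
                report["findings"].append(
                    (manifest_name, 0, "activation", "activationEvents contains '*' (runs on every start)"))
        for name in names:
            if not name.endswith((".js", ".ts")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                for m in pattern.finditer(text):
                    line_no = text.count("\n", 0, m.start()) + 1
                    report["findings"].append((name, line_no, label, m.group(0)))
    return report


def build_sample_vsix() -> bytes:
    """Constructed sample VSIX (not a real extension) that beacons out and runs a command."""
    manifest = {
        "name": "sample-ext", "publisher": "example", "version": "0.0.1",
        "main": "./out/extension.js",
        "activationEvents": ["*"],
        "scripts": {"postinstall": "node scripts/setup.js"},
        "dependencies": {"node-fetch": "^2.6.0"},
    }
    source = (
        "const https = require('https');\n"
        "const { exec } = require('child_process');\n"
        "function activate(ctx) {\n"
        "  https.get('https://example.invalid/beacon', () => {});\n"
        "  exec('whoami', (err, out) => {});\n"
        "}\n"
        "module.exports = { activate };\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr("extension/package.json", json.dumps(manifest))
        zf.writestr("extension/out/extension.js", source)
    return buf.getvalue()


def print_report(report: dict) -> None:
    print("sha256:", report["sha256"])
    print("main:", report["main"], "| activationEvents:", report["activation_events"])
    print("scripts:", report["scripts"])
    print("dependencies:", report["dependencies"])
    for path, line, label, match in report["findings"]:
        print(f"  [{label}] {path}:{line}: {match}")


if __name__ == "__main__":
    # Usage: python vsix_triage.py some-extension.vsix   (no argument: run the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_vsix()
    print_report(inspect_vsix(raw))
```

Nothing here executes the extension; it only reads the archive, so it is safe to run on a download you do not trust. A clean run is not a clean bill of health: minified or bundled code, strings assembled at runtime, and native modules will all slip past simple regexes, which is exactly why the answer calls this approach "far from foolproof".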