[openvsx-dev] Mitigation for security vulnerability in publish-extensions

Hi,

A while ago we received a vulnerability report about our repository to automatically publish certain extensions. The publishing mechanism relies on a specific privileged account that can publish to any namespace.

Due to a zip confusion attack, a malicious actor could trick the process into uploading an extension with the privileged user, while the actual open-vsx.org instance assumes a different namespace / extension because it uses different zip reading code.

We did disable the automatic publishing mechanism ASAP, and would like to apply the following mitigation to this attack vector: https://github.com/EclipseFdn/publish-extensions/pull/1061

This will prevent publishing extensions that have multiple extension.vsixmanifest files in them.
It is intended as a quick workaround to allow us to re-enable the automatic publishing.

The long term fix will be that for publishing with a privileged user account, the namespace and extension should be part of the request so that the server can validate that the information present in the manifest matches the expected data.

Please take a look at the PR and provide comments.

Thanks,
Thomas
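The check described in the message above, as an added illustration that is not the PR's code (publish-extensions is a Node.js project; this is a stand-alone Python rendering of the same idea): reject a .vsix whose zip central directory carries more than one extension.vsixmanifest entry. The normalization rule (case-insensitive, leading "./" or "/" and backslashes tolerated) is an assumption added here, and the two sample manifests are constructed. The last helper shows why the rule exists: a reader that takes the first matching entry and one that takes the last see different publishers for the same package.

```python
import io
import posixpath
import warnings
import zipfile

MANIFEST_NAME = "extension.vsixmanifest"


def _normalize(name: str) -> str:
    """Normalize a zip entry name so path variants of the manifest compare equal.

    Assumed rule for this example: backslashes become "/", leading "./" or "/"
    is stripped, and the comparison is case-insensitive.
    """
    name = name.replace("\\", "/")
    while name.startswith("./") or name.startswith("/"):
        name = name[2:] if name.startswith("./") else name[1:]
    return posixpath.normpath(name).lower()


def manifest_entries(vsix_bytes: bytes) -> list[str]:
    """Return the raw name of every central-directory entry that is a manifest."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if _normalize(info.filename) == MANIFEST_NAME]


def check_single_manifest(vsix_bytes: bytes) -> tuple[bool, str]:
    """Accept only a package with exactly one extension.vsixmanifest entry."""
    names = manifest_entries(vsix_bytes)
    if not names:
        return False, "no extension.vsixmanifest entry"
    if len(names) > 1:
        return False, f"{len(names)} extension.vsixmanifest entries: {names}"
    return True, "ok"


def read_first_and_last_manifest(vsix_bytes: bytes) -> tuple[bytes, bytes]:
    """Read the manifest the way two different zip readers might: by the first
    matching entry and by the last. Reading through the ZipInfo object pins the
    exact entry, so a duplicated name yields two different bodies."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        infos = [i for i in zf.infolist() if _normalize(i.filename) == MANIFEST_NAME]
        if not infos:
            return b"", b""
        return zf.read(infos[0]), zf.read(infos[-1])


def build_vsix(manifests: list[tuple[str, bytes]]) -> bytes:
    """Construct an in-memory .vsix (a plain zip) with the given manifest entries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we want them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("extension/package.json", b'{"name": "demo"}')
            for name, body in manifests:
                zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample packages (not real extensions or publishers).
MANIFEST_A = b'<PackageManifest><Identity Publisher="publisher-a" Id="ext"/></PackageManifest>'
MANIFEST_B = b'<PackageManifest><Identity Publisher="publisher-b" Id="ext"/></PackageManifest>'
CLEAN_VSIX = build_vsix([(MANIFEST_NAME, MANIFEST_A)])
DUPLICATE_VSIX = build_vsix([(MANIFEST_NAME, MANIFEST_A), (MANIFEST_NAME, MANIFEST_B)])
VARIANT_VSIX = build_vsix([(MANIFEST_NAME, MANIFEST_A), ("./Extension.vsixmanifest", MANIFEST_B)])

if __name__ == "__main__":
    for label, pkg in [("clean", CLEAN_VSIX), ("duplicate", DUPLICATE_VSIX), ("variant", VARIANT_VSIX)]:
        ok, reason = check_single_manifest(pkg)
        print(f"{label}: {'accept' if ok else 'reject'} ({reason})")
```

The check works on the central directory only, which is what most readers trust; it is deliberately a gate in front of publishing, matching the "quick workaround" framing above, while the server-side validation of namespace and extension against the request remains the durable fix.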
