Comment by ollien

Comment by ollien 15 hours ago

A coworker raised an interesting point to me. The CORS fix removes exploitation by arbitrary websites (but obviously allows full access from the opencode domain), but let's take that piece out for a second...

What's the difference here between this and, for example, the Neovim headless server or the VSCode remote SSH daemon? All three listen on 127.0.0.1 and would grant execution access to another process that could speak to them.

Is there a difference here? Is the choice of HTTP simply a bad one because of the potential browser exploitation, which can't exist for the others?

mirashii 11 hours ago

Neovim’s server defaults to named pipes or domain sockets, which do not have this issue. The documentation states that the TCP option is insecure.

VS Code’s ssh daemon is authenticated.

  • ollien 11 hours ago

    > Neovim’s server defaults to named pipes or domain sockets, which do not have this issue. The documentation states that the TCP option is insecure.

    Good note on pipes / domain sockets, but it doesn't appear there's a "default", and the example in the docs even uses TCP, despite the warning below it.

    https://neovim.io/doc/user/api.html#rpc-connecting

    (EDIT: I guess outside of headless mode it uses a named pipe?)

    > VS Code’s ssh daemon is authenticated.

    How is it authenticated? I went looking briefly but didn't turn up much; obviously there's the ssh auth itself but if you have access to the remote, is there an additional layer of auth stopping anyone from executing code via the daemon?

    • mirashii 6 hours ago

      > but it doesn't appear there's a "default"

      From the page you linked: Nvim creates a default RPC socket at startup, given by v:servername.

      You can follow the links on v:servername to read more about the startup process and figure out what that is, but tl;dr, it's a named pipe unless you override it.

      • ollien 3 hours ago

        Yep yep, makes sense. I was thinking about it running in headless mode (i.e. with --listen)

winstonwinston 12 hours ago

If you have a localhost server that uses client input to execute code without authentication, that’s a local code execution vulnerability at the very least. It becomes an RCE when you find a way to reach the local server over the wire, such as via a browser HTTP request.

I don’t use the VSCode you have mentioned, so I don’t know how it is implemented, but one can guess that it is implemented with some authentication in mind.
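
The distinction this thread turns on, as an added example that is not part of any comment and is not opencode's code: an origin check alone stops an untrusted web page but still admits any local process, while a per-launch token closes that gap. The origin `https://ui.example`, the bearer-token header layout and all function names are assumptions made for illustration.

```python
import hmac
import secrets

ALLOWED_ORIGINS = {"https://ui.example"}  # hypothetical trusted web UI origin
TOKEN = secrets.token_urlsafe(32)         # per-launch secret, handed only to the real client


def origin_ok(headers):
    """Browser-facing check: reject requests that carry an untrusted Origin.
    Non-browser clients send no Origin header, so they pass this check."""
    origin = headers.get("origin")
    return origin is None or origin in ALLOWED_ORIGINS


def token_ok(headers, token=TOKEN):
    """Authentication: require 'Authorization: Bearer <token>', compared in constant time."""
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(presented.encode(), token.encode())


def decide(headers, require_token):
    """Gate one request to a loopback HTTP service that can execute code."""
    h = {k.lower(): v for k, v in headers.items()}
    if not origin_ok(h):
        return "deny: origin"
    if require_token and not token_ok(h):
        return "deny: no valid token"
    return "allow"


# Constructed sample requests (headers only), one per caller discussed in the thread.
SAMPLES = {
    "page on another site": {"Origin": "https://other.example"},
    "other local process": {},
    "trusted UI, no token": {"Origin": "https://ui.example"},
    "real client": {"Authorization": "Bearer " + TOKEN},
}


def compare():
    """Map each sample to (origin-only decision, origin-plus-token decision)."""
    return {name: (decide(h, False), decide(h, True)) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (origin_only, with_token) in compare().items():
        print(f"{name:22} origin-only={origin_only:14} with-token={with_token}")
```

The "other local process" row is the case the question is about: it is allowed under the origin-only policy and denied once the token is required.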