Sure they can send requests but they can't receive them unless you've got misconfigured CORS. I guess there's DNS rebinding but like, idk, attack surface seems pretty small. This sort of stuff isn't really worth worrying about unless you're an idiot or likely to be the victim of a targeted attack. I happily run code off the internet all the time and it seems fine. If there's one thing that really seems like a mind virus it's the paranoia all security people get, I can't imagine living life like that. I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.
Maybe I've just gotten lucky?
(i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)
When you run VS Code, it spins up a local language server that is capable of making code changes. That is how refactoring python works in many editors (including VS Code).
A website that you're browsing could potentially send requests to this server asking for code to be inserted that fully compromises your device. What keeps us safe?
- maybe the website is only allowed to send GET requests, not PUT requests, and maybe the language servers that you're using are all "hardened" so that they will never permit mutations via any GET requests, and never have a misconfigured CORS header
- the website has to guess the correct port and the correct language server with a known vulnerability
- any website doing this on a large scale would likely get the language server patched and the website on a block list
- there might be other safeguards that I'm not familiar with. For example, I believe that Chrome disallows this by default
So now, here's my frustration: these two statements seem hugely at odds with each other:
> I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.
> (i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)
I'm ok with a person who makes either statement. I'm also ok with a person who makes the first statement, and also wants their LAN locked down. However, I do not feel as though a LAN ever needs to be locked down unless a person is running a server on the LAN network. Personal devices (like laptops and phones) are plenty capable of resisting malicious networks by default (coffee shops, university wifi, etc). What else is on a LAN?
> mind virus it's the paranoia all security people get
I generally agree with you, but I feel as though I am the one who has accepted that personal laptops need to handle malicious networks, and I'm generally comfortable with that. I don't worry too much about putting IoT devices on the same network as my personal laptop, nor about connecting to coffee shop wifis.
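The safeguards the reply above lists (no mutation via GET, no permissive CORS, the attacker not knowing which port or server is listening, DNS rebinding) can be made concrete as a request filter in front of a local development server. The following is an added example written for this thread; it is not VS Code's or any real language server's code. The names `ALLOWED_HOSTS`, `ALLOWED_ORIGINS`, `check_request`, `cors_headers` and `SESSION_TOKEN` are assumptions, and the origin `vscode-file://vscode-app` in the allowlist is a constructed placeholder standing in for whatever origin the editor client actually uses.

```python
"""
Request filter for a local development server that can edit code.
Added illustrative example, not any editor's or language server's own code.
All names here (ALLOWED_HOSTS, ALLOWED_ORIGINS, SESSION_TOKEN, check_request,
cors_headers) are assumptions, and the allowlisted origin is a placeholder.

Three independent checks, each closing one of the gaps discussed in the thread:
  1. Host allowlist   - a DNS-rebound hostname still arrives in the Host header.
  2. Origin allowlist - a browser tab on an arbitrary site cannot call the API,
                        and responses never carry a wildcard CORS header.
  3. Session token    - any state-changing method needs a secret the editor was
                        handed at startup; a web page has no way to read it, so
                        even an otherwise accepted request cannot mutate code.
"""
import secrets

# Generated fresh on every start and given only to the editor client (assumed).
SESSION_TOKEN = secrets.token_urlsafe(32)

ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
ALLOWED_ORIGINS = {"vscode-file://vscode-app"}  # constructed placeholder origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}       # must never change state


def _strip_port(host):
    """'localhost:8080' -> 'localhost'; '[::1]:8080' -> '[::1]'."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def check_request(method, headers, token=SESSION_TOKEN):
    """Return (allowed, reason) for one HTTP request.

    headers: mapping of header name -> value; names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. DNS rebinding: the attacker's name may now resolve to 127.0.0.1, but the
    #    browser still sends that name in Host, so refuse anything not local.
    host = _strip_port(h.get("host", ""))
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host!r}"

    # 2. Cross-site request from a browser: browsers attach Origin on cross-origin
    #    fetches and on every non-simple request. A missing Origin means a
    #    non-browser client (the editor itself, curl); it is still subject to 3.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin!r}"

    # 3. Mutations require the startup secret. Constant-time comparison so the
    #    token cannot be recovered byte by byte through response timing.
    if method.upper() not in SAFE_METHODS:
        supplied = h.get("authorization", "")
        if not secrets.compare_digest(supplied, f"Bearer {token}"):
            return False, "mutating request without valid session token"

    return True, "ok"


def cors_headers(origin):
    """Response headers: echo only an allowlisted origin, never '*'."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed sample requests: a rebound host, a cross-site page, and the editor.
    samples = [
        ("GET", {"Host": "attacker.example:7777"}),
        ("POST", {"Host": "localhost:7777", "Origin": "https://some-site.example"}),
        ("POST", {"Host": "127.0.0.1:7777"}),
        ("POST", {"Host": "127.0.0.1:7777", "Authorization": f"Bearer {SESSION_TOKEN}"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Host"), hdrs.get("Origin"), "->", check_request(method, hdrs))
```

Note the ordering: the Host check runs first because it needs no cooperation from the browser, the Origin check covers the case the first commenter raises (a page that can send requests but, absent a misconfigured CORS header, cannot read responses), and the token check is what actually matters, since a blind write request does not need to read a response to do damage.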