docs(llm-security): add JetBrains sections to ide-extension-threat-patterns
This commit is contained in:
Kjell Tore Guttormsen
parent
a86ca00960
commit
31c7e91665
1 changed files with 116 additions and 3 deletions
|
|
@ -7,8 +7,10 @@ Research brief: `/Users/ktg/.claude/plans/research-ide-extension-prescan.md`.
|
|||
|
||||
## Scope
|
||||
|
||||
MVP (v6.3.0): VS Code + forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH).
|
||||
IntelliJ plugins deferred to v1.1 — JetBrains manual-review + opt-in signing reduces public case-study volume.
|
||||
VS Code + forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH) and
|
||||
JetBrains/IntelliJ plugins (IntelliJ IDEA, PyCharm, WebStorm, GoLand, Rider, CLion,
|
||||
PhpStorm, RubyMine, DataGrip, DataSpell, RustRover, Aqua, Gateway, and Android Studio).
|
||||
JetBrains discovery shipped in v6.6.0.
|
||||
|
||||
## 1. Blocklist Match (CRITICAL)
|
||||
|
||||
|
|
@ -105,9 +107,114 @@ Detected by MEM scanner on extension `README.md` and `CHANGELOG.md`.
|
|||
|
||||
**OWASP:** LLM01.
|
||||
|
||||
## 11. JetBrains Plugin Format (informational)
|
||||
|
||||
**Layout:** JetBrains plugins distribute as a ZIP or JAR. Installed plugins on disk
|
||||
are already extracted by the IDE (directory form). A sideloaded URL download is a
|
||||
single ZIP with layout `<artifact>/lib/<main>.jar + lib/<dep>.jar`. The authoritative
|
||||
manifest `META-INF/plugin.xml` lives **inside the main JAR in `lib/`**, not at the
|
||||
ZIP root. `META-INF/MANIFEST.MF` lives in each individual JAR.
|
||||
|
||||
Scanner strategy: walk `lib/*.jar`, open each as a nested ZIP, read `plugin.xml`
|
||||
from the first JAR that contains one, then parse `MANIFEST.MF` from every JAR for
|
||||
`Premain-Class` and coordinates (`Implementation-Title`, `Bundle-SymbolicName`).
|
||||
|
||||
**Source:** https://plugins.jetbrains.com/docs/intellij/plugin-content.html.
|
||||
|
||||
## 12. JetBrains Broad Activation (HIGH / MEDIUM)
|
||||
|
||||
**Signals (ranked):**
|
||||
|
||||
- **HIGH:** `<application-components>` present (legacy, loads at IDE start, blocks
|
||||
dynamic reload) OR an `AppLifecycleListener` registered via
|
||||
`<applicationListener topic="...AppLifecycleListener"/>` with an `appStarted`
|
||||
handler. Equivalent to "run code at IDE startup."
|
||||
- **MEDIUM:** `<postStartupActivity>` or `<backgroundPostStartupActivity>` — runs
|
||||
once shortly after project open. Common in legitimate plugins but still a
|
||||
capability signal.
|
||||
- **MEDIUM:** `applicationService` with `preload="true"` — forces early
|
||||
instantiation at IDE load.
|
||||
|
||||
**Case:** CVE-2024-37051 (JetBrains GitHub integration, June 2024) exfiltrated
|
||||
GitHub access tokens via malicious pull request content — required no user
|
||||
interaction once opened, abusing startup-time hooks.
|
||||
|
||||
**OWASP:** LLM06 (Excessive Agency), ASI02.
|
||||
|
||||
## 13. Theme-with-Code (JetBrains) (HIGH)
|
||||
|
||||
**Signal:** `plugin.xml` declares `<themeProvider>` AND any of:
|
||||
`applicationService`, `projectService`, `action`, `applicationListener`,
|
||||
`projectListener`, `postStartupActivity`, `<application-components>`.
|
||||
|
||||
**Rationale:** A pure JetBrains theme (LAF — look-and-feel) needs only a
|
||||
`themeProvider` + a `.theme.json` resource. Bundling services/actions/listeners on
|
||||
a theme mirrors the VS Code "A Wolf in Dark Mode" pattern and is a strong red flag.
|
||||
|
||||
**OWASP:** LLM06, ASI02.
|
||||
|
||||
## 14. Java Agent — Premain-Class (HIGH)
|
||||
|
||||
**Signal:** Any JAR in `lib/` has `Premain-Class: <fqcn>` in `META-INF/MANIFEST.MF`.
|
||||
|
||||
**Rationale:** `Premain-Class` registers a Java agent, giving bytecode-instrumentation
|
||||
authority over the IDE JVM (hook every class load, rewrite methods, intercept
|
||||
reflection). No legitimate third-party IntelliJ plugin needs this. If present
|
||||
together with `Can-Redefine-Classes: true` or `Can-Retransform-Classes: true`,
|
||||
severity is CRITICAL.
|
||||
|
||||
**Reference:** Log4Shell 2021 retrospective and subsequent JVM attacks highlight
|
||||
`Premain-Class` as a persistent instrumentation vector.
|
||||
|
||||
**OWASP:** LLM06, ASI04.
|
||||
|
||||
## 15. Native Binary Bundling (MEDIUM / HIGH)
|
||||
|
||||
**Signal:** `.dll`, `.so`, `.dylib`, `.exe` file inside any JAR in `lib/` or in
|
||||
the plugin directory tree.
|
||||
|
||||
**Rationale:** Bundled native binaries escape JVM sandboxing and cannot be audited
|
||||
by JVM-level scanners. Legitimate uses exist (native filesystem watchers, DB
|
||||
drivers) but are rare — most plugins should be pure JVM bytecode. Severity is
|
||||
MEDIUM by default, HIGH when combined with Java-agent signal (#14) or broad
|
||||
activation (#12).
|
||||
|
||||
**Case:** OX Security 2025 research on JetBrains Marketplace demonstrated that
|
||||
signed plugins can still bundle arbitrary native payloads — the verified badge
|
||||
attests publisher identity, not plugin safety.
|
||||
|
||||
**OWASP:** LLM03, ASI04.
|
||||
|
||||
## 16. Legacy `<application-components>` (MEDIUM advisory)
|
||||
|
||||
**Signal:** `plugin.xml` uses the deprecated `<application-components>`,
|
||||
`<project-components>`, or `<module-components>` elements instead of modern
|
||||
`<applicationService>` / `<extensions defaultExtensionNs="com.intellij">`.
|
||||
|
||||
**Rationale:** Deprecated since 2020. Plugins that use components cannot be
|
||||
dynamically loaded/unloaded and force a restart on install, bypassing IDE-managed
|
||||
hot-reload safety. Often found together with other legacy red flags.
|
||||
|
||||
**OWASP:** LLM06.
|
||||
|
||||
## 17. Shaded/Uncoordinated JARs (MEDIUM)
|
||||
|
||||
**Signal:** JAR in `lib/` has no recognisable coordinates (`Implementation-Title`,
|
||||
`Bundle-SymbolicName`, `Implementation-Version` absent from `MANIFEST.MF`) OR
|
||||
class files appear under shaded package prefixes (`com.company.shaded.*`,
|
||||
`plugin.relocated.*`).
|
||||
|
||||
**Rationale:** Uncoordinated or shaded JARs cannot be mapped to an OSV or Maven
|
||||
Central entry, so transitive-dependency auditing is impossible. YouTrack
|
||||
IJPL-212393 confirms JetBrains cannot reliably identify shaded library content
|
||||
either, so the signature-warning UI sometimes emits no warning at all.
|
||||
|
||||
**OWASP:** LLM03, ASI04.
|
||||
|
||||
## Known Limitations
|
||||
|
||||
- No bytecode analysis of IntelliJ JARs (v1.1+)
|
||||
- No runtime bytecode analysis — JARs are inspected as ZIPs and via MANIFEST.MF
|
||||
only. Method-level instrumentation detection is out of scope.
|
||||
- No VSIX extraction (pass extracted directory instead)
|
||||
- No Marketplace API lookups without `--online` flag (publisher age, download count, verified status unavailable offline)
|
||||
- Profile-specific extension filtering not implemented (all installed extensions are scanned)
|
||||
|
|
@ -121,3 +228,9 @@ Detected by MEM scanner on extension `README.md` and `CHANGELOG.md`.
|
|||
- VS Code Extension Manifest — https://code.visualstudio.com/api/references/extension-manifest
|
||||
- ExtensionTotal — https://extensiontotal.com (closed-source, compatible reference)
|
||||
- OSV schema — confirms no `VSCodeMarketplace` ecosystem (verified 2026-04-17)
|
||||
- JetBrains plugin-content reference — https://plugins.jetbrains.com/docs/intellij/plugin-content.html
|
||||
- JetBrains plugin-configuration-file — https://plugins.jetbrains.com/docs/intellij/plugin-configuration-file.html
|
||||
- CVE-2024-37051 — JetBrains GitHub plugin token exfiltration (2024)
|
||||
- OX Security 2025 — JetBrains verified-badge bypass research
|
||||
- Log4Shell and JVM instrumentation retrospective (2021–2023)
|
||||
- YouTrack IJPL-212393 — JetBrains signature-warning inconsistency
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue