open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/commands/ide-scan.md
Kjell Tore Guttormsen fe0193956d feat(llm-security): /security ide-scan <url> — Marketplace/OpenVSX/direct VSIX (v6.4.0) 
Pre-installation verification of VS Code extensions via URL — fetch a remote
VSIX, extract it in a hardened sandbox, and run the existing IDE scanner
pipeline against it. No npm dependencies.

Sources:
- VS Code Marketplace (publisher.gallery.vsassets.io direct download)
- OpenVSX (open-vsx.org official API)
- Direct .vsix HTTPS URLs

Defenses:
- HTTPS-only, TLS verified, manual redirect with per-source host whitelist
- 30s total timeout via AbortController
- 50MB compressed cap, 500MB uncompressed, 100x expansion ratio
- Zero-dep ZIP extractor: zip-slip, absolute paths, drive letters, NUL bytes,
  symlinks (Unix mode 0xA000), depth limits, ZIP64 rejected, encrypted rejected
- SHA-256 streamed during fetch, surfaced in meta.source
- Temp dir cleanup in all paths (try/finally)

Files:
- scanners/lib/vsix-fetch.mjs (HTTPS fetcher, host whitelist, streaming SHA-256)
- scanners/lib/zip-extract.mjs (zero-dep parser with hardening caps)
- knowledge/marketplace-api-notes.md (endpoint reference)
- 3 test files (48 tests added: vsix-fetch, zip-extract, ide-extension-url)

Tests: 1296 → 1344 (all green).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 17:16:26 +02:00

4.4 KiB
Raw Blame History

name description allowed-tools model
security:ide-scan Scan installed VS Code / IntelliJ extensions for supply-chain risk, typosquats, obfuscation, and malicious patterns Read, Glob, Grep, Bash sonnet

/security ide-scan

Scan installed IDE extensions (VS Code + forks like Cursor/Windsurf/VSCodium/code-server; JetBrains is v1.1 stub).

Runs the IDE scanner plus reused scanners (UNI, ENT, NET, TNT, MEM, SCR) per extension. Offline by default.

Step 1: Run Scanner

Run the IDE extension scanner:

node <this plugin's scanners/ide-extension-scanner.mjs> [target]

Arguments (pass through as provided by the user):

  • [target] — one of:
    • omit, ., or all → discover all installed extensions
    • absolute path to an extracted extension directory → single-scan mode
    • https://marketplace.visualstudio.com/items?itemName=<publisher>.<name> → fetch from VS Code Marketplace
    • https://open-vsx.org/extension/<publisher>/<name>[/<version>] → fetch from OpenVSX
    • https://example.com/path/foo.vsix → direct VSIX download (HTTPS only)
    • GitHub repo URLs are NOT supported in v6.4.0 (would require build step)
  • --vscode-only / --intellij-only — restrict discovery
  • --include-builtin — include Microsoft builtin extensions (default: excluded)
  • --online — enable Marketplace/OSV.dev lookups (opt-in; default: fully offline)
  • --format compact|json — output format
  • --fail-on <severity> — exit 1 if findings at/above severity

URL mode notes:

  • Hardened ZIP extractor with caps: 50MB compressed, 500MB uncompressed, 100x expansion ratio, 10 000 entries, depth 20.
  • Rejects: zip-slip paths, symlink entries, absolute paths, drive letters, encrypted entries, ZIP64.
  • TLS verified, HTTPS only, 30s timeout. Cross-host redirects rejected.
  • Temp directory always cleaned up (success, error, abort).
  • meta.source in the envelope contains { type: "url", kind, url, finalUrl, sha256, size, publisher, name, version }.

Parse the JSON output. The result contains:

  • meta.scanner, meta.version, meta.target, meta.extensions_discovered (per type), meta.roots_scanned, meta.warnings
  • extensions[] — per-extension results with id, version, type, publisher, source, is_builtin, signed, scanner_results (IDE/UNI/ENT/NET/TNT/MEM/SCR), aggregate (counts, risk_score, risk_band, verdict), warnings
  • aggregate — top-level counts, risk_score, risk_band, verdict, extensions_total, extensions_blocked, extensions_warning

Step 2: Format Report

Present the results:

# IDE Extension Scan

| Field | Value |
|-------|-------|
| **Scanner** | ide-extension-scanner v[version] |
| **Target** | [target] |
| **Roots** | [comma-separated roots_scanned] |
| **Extensions** | [vscode] VS Code, [jetbrains] JetBrains |
| **Top Verdict** | [ALLOW/WARNING/BLOCK] |
| **Risk** | [risk_score]/100 ([risk_band]) |
| **Duration** | [duration_ms]ms |

## Counts

crit=[N] high=[N] medium=[N] low=[N] info=[N]

## Per-Extension Results

[One row per extension, sorted: BLOCK first, then WARNING, then ALLOW with findings]

| Extension | Version | Source | Verdict | Risk | Top Issue |
|-----------|---------|--------|---------|------|-----------|

Omit ALLOW rows with zero findings unless the user passed `--verbose`.

## Top Findings

[For each extension with verdict != ALLOW, list up to 3 findings as:
  - [SEV] [SCANNER]: title — file:line — recommendation]

## Warnings

[Any top-level or per-extension `warnings` entries, if present]

Step 3: Recommendations

  • aggregate.verdict === 'BLOCK': "One or more extensions are block-listed. Uninstall immediately — code --uninstall-extension <id>."
  • aggregate.verdict === 'WARNING': "High/medium findings detected. Review the Top Findings list. Audit suspicious extensions before continuing."
  • aggregate.verdict === 'ALLOW' and counts.info > 0: "Extensions look clean. Info-level findings are observational only."
  • aggregate.extensions_total === 0: "No extensions discovered. Run code --list-extensions to confirm, or pass a specific path."

If the user has many sideloaded (source=vsix) extensions: suggest re-installing from Marketplace where possible.

Notes

  • First run with no --online is fully offline.
  • JetBrains discovery is deferred to v1.1 (see knowledge/ide-extension-threat-patterns.md).
  • Pass a single extracted extension directory to scan just one extension.