
How can code opened in a container execute arbitrary code outside the container?


I generally work inside of docker containers both to keep my local environment clean, and to sandbox. However, when I use VSCode Remote Containers to try to open a folder in a container I am told:

Opening a folder in a Dev Container may execute arbitrary code both inside and outside the container.


The docs link, unfortunately, only talks about Workspace Trust in general and doesn't mention anything about the risks around containers.

What are the specific risks that I'm taking on by clicking "Trust Folder & Continue" when working inside a dev container? What attack vectors am I opening myself up to by clicking Trust here? Is there anything I can do within VSCode to mitigate the risks beyond working inside of a container (e.g., can I disable some specific feature(s))?


Solution

  • This made me very curious about what might go wrong, and I have found some ways to get outside the container without user interaction

    1. Abuse tasks.json

    I think it is a very cool feature, but because of "runOn": "folderOpen" it can lead to arbitrary code execution on the host. Take a look at this example:

    {
        "version": "2.0.0",
        "tasks": [
            {
                "label": "start browser",
                "type": "shell",
                "command": "C:\\Progra~1\\Google\\Chrome\\Application\\chrome.exe https://stackoverflow.com",
                "runOptions": {
                    "runOn": "folderOpen"
                },
                "dependsOn": ["back"]
            },
            {
                "label": "back",
                "command": "${command:remote-containers.reopenLocally}"
            }
        ]
    }
    

    You may feel that running tasks inside a container is safe, BUT this one does 2 things:

    • on open, without user interaction, it tries to go back to the local machine
    • then it opens the browser on stackoverflow.com

    If you just trusted this folder, then tasks with the option "runOn": "folderOpen" will be triggered without your interaction.

    Another thing is that, as your host directory and the one inside Docker are always synchronized, it may modify its own files (including tasks.json) and then try to execute them.

    2. Abuse features/docker-outside-of-docker

    If you are running a dev container, it may be started with additional features; one of them is called docker-outside-of-docker:

        "features": {
            "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}
        }
    

    If the Dev Container is on a completely remote machine, maybe your host won't be touched, but the machine where Docker is running may be damaged.

    Then we can create a task like:

            {
                "label": "list host",
                "type": "shell",
                "command": "docker run --rm -v /:/host alpine sh -c 'whoami && cat /host/etc/passwd'"
            }
    

    And execute anything on the host as root!


    If we go to the documentation link that you talked about, we can find there:

    Restricted Mode tries to prevent automatic code execution by disabling or limiting the operation of several VS Code features: tasks, debugging, workspace settings, and extensions.

    You can clearly see that tasks are disabled along with other VS Code features that can probably lead to arbitrary code execution.

    I didn't try it, but looking at how launch.json looks, you can also see that any shell code can be executed, so even without tasks but with Docker host access it can damage it. And even without this, the container has access to your local network and can try to attack your router, printer or other PCs if they have some port open. I know it's becoming a long chain, but it is possible; take a look at Operation Triangulation: The last (hardware) mystery, especially this image (https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/12/25130925/trng_final_mystery_en_01.png), to see how long it can be.

    So, as devcontainer.json, tasks.json and launch.json are inside the workspace and contain executable code, they have to be trusted.
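The things the answer above points at (a folderOpen task and the tasks it pulls in through dependsOn, a ${command:...} substitution that invokes a VS Code command, the docker-outside-of-docker feature, and a bind mount of the Docker host's /) can all be checked before clicking Trust. The script below is an added example, not code from the answer or from VS Code; it assumes the standard locations .vscode/tasks.json and .devcontainer/devcontainer.json, parses VS Code's JSON-with-comments (comments and trailing commas are legal there, so plain json.loads fails), and additionally flags the devcontainer.json lifecycle hooks, of which initializeCommand runs on the host machine and the others inside the container. The sample workspace at the bottom is constructed to mirror the chain described in the answer.

```python
"""Audit a VS Code workspace for configuration that runs code once the folder is trusted:
tasks that auto-run on folder open (and their dependsOn closure), ${command:...} substitutions,
Docker host access, and devcontainer.json lifecycle hooks.  Added example; sample files are constructed."""
import json
import re
from typing import Dict, List

CMD_VAR = re.compile(r"\$\{command:([^}]+)\}")            # VS Code command-variable substitution
HOST_ROOT_BIND = re.compile(r"(?:-v|--volume)\s+/:/")     # bind mount of the Docker host's root
# Lifecycle hooks from the devcontainer spec; initializeCommand runs on the host, not in the container.
HOOKS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
         "postCreateCommand", "postStartCommand", "postAttachCommand")

_JSONC = re.compile(
    r'(?P<keep>"(?:\\.|[^"\\])*")'                          # string literal, escapes included
    r'|(?P<drop>//[^\n]*|/\*.*?\*/'                         # line or block comment
    r'|,(?=\s*(?:(?://[^\n]*|/\*.*?\*/)\s*)*[\]}]))'        # trailing comma before ] or }
    r'|(?P<other>.)', re.S)

def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments plus trailing commas into strict JSON."""
    return "".join(m.group() for m in _JSONC.finditer(text) if m.group("drop") is None)

def load_jsonc(text: str) -> dict:
    return json.loads(strip_jsonc(text))

def _strings(value) -> List[str]:
    """Every string leaf in a JSON value (commands may be a str, a list or a per-OS dict)."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, dict)):
        return [s for v in (value.values() if isinstance(value, dict) else value) for s in _strings(v)]
    return []

def audit_tasks(doc: dict) -> List[str]:
    tasks = {t.get("label", f"task#{i}"): t for i, t in enumerate(doc.get("tasks", []))}
    stack = [l for l, t in tasks.items() if t.get("runOptions", {}).get("runOn") == "folderOpen"]
    reach = set()                       # folderOpen tasks plus everything they pull in via dependsOn
    while stack:
        label = stack.pop()
        if label in tasks and label not in reach:
            reach.add(label)
            stack.extend(_strings(tasks[label].get("dependsOn", [])))
    findings = []
    for label, task in tasks.items():
        text = " ".join(_strings(task))
        if label in reach:
            findings.append(f"tasks.json '{label}': auto-runs on folder open: {' '.join(_strings(task.get('command', '')))}")
        for cmd in CMD_VAR.findall(text):
            findings.append(f"tasks.json '{label}': invokes VS Code command {cmd}")
        if HOST_ROOT_BIND.search(text):
            findings.append(f"tasks.json '{label}': bind-mounts the Docker host's /")
    return findings

def audit_devcontainer(doc: dict) -> List[str]:
    findings = []
    for hook in HOOKS:
        if hook in doc:
            where = "on the HOST" if hook == "initializeCommand" else "in the container"
            findings.append(f"devcontainer.json: {hook} runs {where}: {' '.join(_strings(doc[hook]))}")
    for feat in doc.get("features", {}):
        if "docker-outside-of-docker" in feat or "docker-in-docker" in feat:
            findings.append(f"devcontainer.json: feature {feat} gives the container a Docker daemon")
    return findings

AUDITORS = {".vscode/tasks.json": audit_tasks, ".devcontainer/devcontainer.json": audit_devcontainer}

def audit_workspace(files: Dict[str, str]) -> List[str]:
    """files maps workspace-relative path -> raw JSONC text; returns human-readable findings."""
    return [f for path, fn in AUDITORS.items() if path in files for f in fn(load_jsonc(files[path]))]

# Constructed sample workspace reproducing the chain from the answer above.
SAMPLE_WORKSPACE = {
    ".vscode/tasks.json": r"""{
        "version": "2.0.0",   // comments and trailing commas are legal in VS Code's JSONC
        "tasks": [
            { "label": "start browser", "type": "shell",
              "command": "C:\\Progra~1\\Google\\Chrome\\Application\\chrome.exe https://stackoverflow.com",
              "runOptions": { "runOn": "folderOpen" }, "dependsOn": ["back"], },
            { "label": "back", "command": "${command:remote-containers.reopenLocally}" },
            { "label": "list host", "type": "shell",
              "command": "docker run --rm -v /:/host alpine sh -c 'cat /host/etc/passwd'" },
        ]
    }""",
    ".devcontainer/devcontainer.json": r"""{
        "features": { "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {} },
        "postCreateCommand": "npm install"
    }""",
}

if __name__ == "__main__":
    for finding in audit_workspace(SAMPLE_WORKSPACE):
        print(finding)
```

To run it against a real checkout, build the dict from the three files' raw text (launch.json is not covered here; its preLaunchTask and ${command:...} values deserve the same treatment). Note that the dependsOn closure is what makes the answer's example dangerous: the "back" task has no runOn of its own, so a check that only greps for folderOpen would miss the command-variable substitution that runs on the client.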