|
| 1 | +--- |
| 2 | +layout: default |
| 3 | +title: Security |
| 4 | +nav_order: 25 |
| 5 | +--- |
| 6 | + |
| 7 | +This page documents potential risks when using the Ruby LSP VS Code extension and the Ruby LSP language server with untrusted code. |
| 8 | + |
| 9 | +## Trust Model |
| 10 | + |
| 11 | +**Ruby LSP assumes that all code in your workspace is trusted.** |
| 12 | + |
| 13 | +When you open a project with Ruby LSP, the extension and language server will execute code from that project as part of |
| 14 | +normal operation. This is fundamentally similar to running `bundle install` in that project directory. |
| 15 | + |
| 16 | +If you are working with code you do not fully trust, you should be aware of the potential risks documented below. |
| 17 | + |
| 18 | +## Code Execution Vectors |
| 19 | + |
| 20 | +The following is a non-exhaustive list of ways that Ruby LSP may execute code from your workspace: |
| 21 | + |
| 22 | +### Bundle Installation |
| 23 | + |
| 24 | +Ruby LSP automatically runs `bundle install` (or `bundle check`) when starting up or when detecting changes to your |
| 25 | +Gemfile. This will: |
| 26 | + |
| 27 | +- Execute any code in your Gemfile (Gemfiles are Ruby code) |
| 28 | +- Install gems specified in the Gemfile, which may include native extensions that execute during installation |
| 29 | +- Run any post-install hooks defined by gems |
| 30 | + |
| 31 | +### Add-ons / Plugins |
| 32 | + |
| 33 | +Ruby LSP has an add-on system that automatically discovers and loads add-ons from: |
| 34 | + |
| 35 | +- Gems in your bundle that contain `ruby_lsp/**/addon.rb` files |
| 36 | +- Files matching `ruby_lsp/**/addon.rb` anywhere in your workspace |
| 37 | + |
| 38 | +Add-ons are loaded via `require` and their `activate` method is called, allowing them to execute arbitrary Ruby code. |
| 39 | +This is by design - add-ons can spawn processes, make network requests, or perform any other operation. |
| 40 | + |
| 41 | +## Recommendations |
| 42 | + |
| 43 | +1. **Only open trusted projects** - Treat opening a project in VS Code with Ruby LSP the same as running `bundle install` |
| 44 | + in that directory |
| 45 | +2. **Be cautious with unfamiliar add-ons** - Add-ons have full access to your system when activated |
| 46 | + |
| 47 | +## Reporting Security Issues |
| 48 | + |
| 49 | +If you discover a security vulnerability in Ruby LSP, please report it through |
| 50 | +[GitHub Security Advisories](https://github.com/Shopify/ruby-lsp/security/advisories/new) rather than opening a public |
| 51 | +issue. |
0 commit comments