From 1603db023e1f2ae831eb88f80051a5471ae87e08 Mon Sep 17 00:00:00 2001 From: Stan Lo Date: Tue, 27 Jan 2026 22:05:27 +0000 Subject: [PATCH 1/2] Add security documentation --- jekyll/security.markdown | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 jekyll/security.markdown diff --git a/jekyll/security.markdown b/jekyll/security.markdown new file mode 100644 index 000000000..bf2bc8f19 --- /dev/null +++ b/jekyll/security.markdown 
@@ -0,0 +1,54 @@ +--- +layout: default +title: Security +nav_order: 25 +--- + +# Security + +This page documents potential risks when using the Ruby LSP VS Code extension and the Ruby LSP language server with untrusted code. + +## Trust Model + +**Ruby LSP assumes that all code in your workspace is trusted.** + +When you open a project with Ruby LSP, the extension and language server will execute code from that project as part of +normal operation. This is fundamentally similar to running `bundle install` in that project directory. + +If you are working with code you do not fully trust, you should be aware of the potential risks documented below. + +## Code Execution Vectors + +The following is a non-exhaustive list of ways that Ruby LSP may execute code from your workspace: + +### Bundle Installation + +Ruby LSP automatically performs bundler operations (e.g. `bundle install`, `bundle update`) when starting up or when detecting changes to your +Gemfile. This will: + +- Execute any code in your Gemfile (Gemfiles are Ruby code) +- Install gems specified in the Gemfile, which may include native extensions that execute during installation +- Run any post-install hooks defined by gems + +### Add-ons / Plugins + +Ruby LSP has an add-on system that automatically discovers and loads add-ons from: + +- Gems in your bundle that contain `ruby_lsp/**/addon.rb` files +- Files matching `ruby_lsp/**/addon.rb` anywhere in your workspace + +Add-ons are loaded via `require` and their `activate` method is called, allowing them to execute arbitrary Ruby code. +This is by design - add-ons can spawn processes, make network requests, or perform any other operation. + +## Recommendations + +1. **Understand what "Trust" means** - Trusting a project with Ruby LSP installed is equivalent to feeling comfortable running `bundle install` in that directory. +2. 
**Understand [VS Code's Workspace Trust](https://code.visualstudio.com/docs/editor/workspace-trust)** - When opening unfamiliar projects, click "Don't Trust" on the workspace trust prompt. + Ruby LSP will not run in untrusted workspaces, eliminating any risk. +3. **Be cautious with unfamiliar add-ons** - Add-ons have full access to your system when activated. + +## Reporting Security Issues + +If you discover a security vulnerability in Ruby LSP, please report it through +[GitHub Security Advisories](https://github.com/Shopify/ruby-lsp/security/advisories/new) rather than opening a public +issue. From 08dd26f6f4395d6a851f8bdf675b5ca9dfd943c6 Mon Sep 17 00:00:00 2001 From: Stan Lo Date: Wed, 28 Jan 2026 16:06:49 +0000 Subject: [PATCH 2/2] Update jekyll/security.markdown Co-authored-by: Vinicius Stock --- jekyll/security.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jekyll/security.markdown b/jekyll/security.markdown index bf2bc8f19..f34bbd95c 100644 --- a/jekyll/security.markdown +++ b/jekyll/security.markdown @@ -10,7 +10,7 @@ This page documents potential risks when using the Ruby LSP VS Code extension an ## Trust Model -**Ruby LSP assumes that all code in your workspace is trusted.** +**Ruby LSP assumes that all code in your workspace (including dependencies) is trusted.** When you open a project with Ruby LSP, the extension and language server will execute code from that project as part of normal operation. This is fundamentally similar to running `bundle install` in that project directory.
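Review bot: In the new `jekyll/security.markdown`, the bold Trust Model statement ("all code in your workspace is trusted") is narrower than what the rest of the page describes: the Bundle Installation section covers native extensions and post-install hooks from gems, and the Add-ons section covers add-ons shipped inside gems in the bundle, none of which is workspace code. Suggest widening the statement to cover dependencies as well, for example "**Ruby LSP assumes that all code in your workspace, including its dependencies, is trusted.**". In the Recommendations list, item 2 ends with "eliminating any risk", which is stronger than the page supports; "eliminating the code execution risks described on this page" keeps the claim tied to what is documented. Minor style point: "This is by design - add-ons can spawn processes" uses a spaced hyphen where a colon or semicolon would read more cleanly.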
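Review bot: The second patch changes only the bold statement to "(including dependencies)", but the sentence immediately after it in the hunk's context still reads "will execute code from that project as part of normal operation", so the two sentences no longer say the same thing. Suggest updating that line to "will execute code from that project and its dependencies as part of normal operation" in the same change. Style point on the commit message: "Update jekyll/security.markdown" does not describe the change; something like "Clarify that the trust model includes dependencies" would make the history easier to follow.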