security: restrict webview executeCommand bridge to snyk.* namespace

nick-y-snyk · nick-y-snyk · commit 1e8502eb2954 · 2026-03-26T11:44:57.000+01:00
Prevents XSS-to-arbitrary-command escalation by rejecting any command
not prefixed with "snyk." before it reaches the Language Server.
diff --git a/Snyk.VisualStudio.Extension.2022/UI/Html/ExecuteCommandBridge.cs b/Snyk.VisualStudio.Extension.2022/UI/Html/ExecuteCommandBridge.cs
@@ -37,6 +37,13 @@ public static class ExecuteCommandBridge
         public static bool IsValidCallbackId(string callbackId) =>
             CallbackIdPattern.IsMatch(callbackId ?? string.Empty);
 
+        /// <summary>
+        /// Returns true if <paramref name="command"/> is in the <c>snyk.*</c> namespace and may be
+        /// dispatched from a webview.
+        /// </summary>
+        public static bool IsAllowedCommand(string command) =>
+            !string.IsNullOrEmpty(command) && command.StartsWith("snyk.");
+
         /// <summary>
         /// Returns the ES5-compatible JavaScript that defines <c>window.__ideExecuteCommand__</c>.
         /// Assumes <c>window.external.__ideExecuteCommand__(command, argsJson, callbackId)</c>
@@ -73,6 +80,12 @@ public static async Task DispatchAsync(
         {
             try
             {
+                if (!IsAllowedCommand(command))
+                {
+                    Logger.Warning("Webview attempted to execute disallowed command: {Command}", command);
+                    return;
+                }
+
                 var args = string.IsNullOrEmpty(argsJson)
                     ? Array.Empty<object>()
                     : JsonConvert.DeserializeObject<object[]>(argsJson);
diff --git a/Snyk.VisualStudio.Extension.Tests/UI/Html/ExecuteCommandBridgeTest.cs b/Snyk.VisualStudio.Extension.Tests/UI/Html/ExecuteCommandBridgeTest.cs
@@ -66,5 +66,25 @@ public void IsValidCallbackId_RejectsInvalidFormats(string callbackId)
         {
             Assert.False(ExecuteCommandBridge.IsValidCallbackId(callbackId));
         }
+
+        [Theory]
+        [InlineData("snyk.login", true)]
+        [InlineData("snyk.logout", true)]
+        [InlineData("snyk.navigateToRange", true)]
+        [InlineData("snyk.anyCommand", true)]
+        public void IsAllowedCommand_AllowsSnykPrefixedCommands(string command, bool expected)
+        {
+            Assert.Equal(expected, ExecuteCommandBridge.IsAllowedCommand(command));
+        }
+
+        [Theory]
+        [InlineData("workbench.action.terminal.new")]
+        [InlineData("vscode.open")]
+        [InlineData("")]
+        [InlineData(null)]
+        public void IsAllowedCommand_RejectsNonSnykCommands(string command)
+        {
+            Assert.False(ExecuteCommandBridge.IsAllowedCommand(command));
+        }
     }
 }
