fix: restrict VSCode settings access and improve type safety

Eric Wheeler · Eric Wheeler · commit 2d209b038f19 · 2025-05-01T00:09:21.000-07:00
- Add allowlist for VSCode settings that can be modified
- Add validation and error handling for setting updates
- Revert value field to number-only type
- Add dedicated vscodeSettingValue field with unknown type

Signed-off-by: Eric Wheeler &lt;roo-code@z.ewheeler.org&gt;
diff --git a/src/core/webview/webviewMessageHandler.ts b/src/core/webview/webviewMessageHandler.ts
@@ -592,11 +592,21 @@ export const webviewMessageHandler = async (provider: ClineProvider, message: We
 			await updateGlobalState("fuzzyMatchThreshold", message.value)
 			await provider.postStateToWebview()
 			break
-		case "updateVSCodeSetting":
+		case "updateVSCodeSetting": {
+			// Allowlist of VSCode settings that can be updated
+			// Add new settings here when needed for future expansion
+			const ALLOWED_VSCODE_SETTINGS = ["terminal.integrated.inheritEnv"] as const
+
 			if (message.setting && message.value !== undefined) {
+				if (!ALLOWED_VSCODE_SETTINGS.includes(message.setting as (typeof ALLOWED_VSCODE_SETTINGS)[number])) {
+					provider.log(`Attempted to update restricted VSCode setting: ${message.setting}`)
+					vscode.window.showErrorMessage(`Cannot update restricted VSCode setting: ${message.setting}`)
+					break
+				}
 				await vscode.workspace.getConfiguration().update(message.setting, message.value, true)
 			}
 			break
+		}
 		case "getVSCodeSetting":
 			if (message.setting) {
 				try {
@@ -608,6 +618,7 @@ export const webviewMessageHandler = async (provider: ClineProvider, message: We
 						type: "vsCodeSetting",
 						setting: message.setting,
 						error: `Failed to get setting: ${error.message}`,
+						value: undefined,
 					})
 				}
 			}
diff --git a/src/shared/ExtensionMessage.ts b/src/shared/ExtensionMessage.ts
@@ -107,6 +107,7 @@ export interface ExtensionMessage {
 	error?: string
 	setting?: string
 	value?: any
+	vscodeSettingValue?: unknown
 }
 
 export type ExtensionState = Pick<
diff --git a/src/shared/WebviewMessage.ts b/src/shared/WebviewMessage.ts
@@ -136,7 +136,8 @@ export interface WebviewMessage {
 	apiConfiguration?: ApiConfiguration
 	images?: string[]
 	bool?: boolean
-	value?: number | boolean | any // Allow number for most messages, boolean for VSCode settings
+	value?: number
+	vscodeSettingValue?: unknown
 	commands?: string[]
 	audioType?: AudioType
 	serverName?: string

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ export interface ExtensionMessage {`
`107`	`107`	`error?: string`
`108`	`108`	`setting?: string`
`109`	`109`	`value?: any`
	`110`	`+ vscodeSettingValue?: unknown`
`110`	`111`	`}`
`111`	`112`
`112`	`113`	`export type ExtensionState = Pick<`