| 1 | +--- |
| 2 | +layout: default |
| 3 | +title: Security |
| 4 | +nav_order: 25 |
| 5 | +--- |
| 6 | + |
| 7 | +# Security |
| 8 | + |
| 9 | +This page documents potential risks when using the Ruby LSP VS Code extension and the Ruby LSP language server with untrusted code. |
| 10 | + |
| 11 | +## Trust Model |
| 12 | + |
| 13 | +**Ruby LSP assumes that all code in your workspace is trusted.** |
| 14 | + |
| 15 | +When you open a project with Ruby LSP, the extension and language server will execute code from that project as part of |
| 16 | +normal operation. This is fundamentally similar to running `bundle install` in that project directory. |
| 17 | + |
| 18 | +If you are working with code you do not fully trust, you should be aware of the potential risks documented below. |
| 19 | + |
| 20 | +## Code Execution Vectors |
| 21 | + |
| 22 | +The following is a non-exhaustive list of ways that Ruby LSP may execute code from your workspace: |
| 23 | + |
| 24 | +### Bundle Installation |
| 25 | + |
| 26 | +Ruby LSP automatically performs bundler operations (e.g. `bundle install`, `bundle update`) when starting up or when detecting changes to your |
| 27 | +Gemfile. This will: |
| 28 | + |
| 29 | +- Execute any code in your Gemfile (Gemfiles are Ruby code) |
| 30 | +- Install gems specified in the Gemfile, which may include native extensions that execute during installation |
| 31 | +- Run any post-install hooks defined by gems |
| 32 | + |
| 33 | +### Add-ons / Plugins |
| 34 | + |
| 35 | +Ruby LSP has an add-on system that automatically discovers and loads add-ons from: |
| 36 | + |
| 37 | +- Gems in your bundle that contain `ruby_lsp/**/addon.rb` files |
| 38 | +- Files matching `ruby_lsp/**/addon.rb` anywhere in your workspace |
| 39 | + |
| 40 | +Add-ons are loaded via `require` and their `activate` method is called, allowing them to execute arbitrary Ruby code. |
| 41 | +This is by design - add-ons can spawn processes, make network requests, or perform any other operation. |
| 42 | + |
| 43 | +## Recommendations |
| 44 | + |
| 45 | +1. **Understand what "Trust" means** - Trusting a project with Ruby LSP installed is equivalent to feeling comfortable running `bundle install` in that directory. |
| 46 | +2. **Understand [VS Code's Workspace Trust](https://code.visualstudio.com/docs/editor/workspace-trust)** - When opening unfamiliar projects, click "Don't Trust" on the workspace trust prompt. |
| 47 | + Ruby LSP will not run in untrusted workspaces, eliminating any risk. |
| 48 | +3. **Be cautious with unfamiliar add-ons** - Add-ons have full access to your system when activated. |
| 49 | + |
| 50 | +## Reporting Security Issues |
| 51 | + |
| 52 | +If you discover a security vulnerability in Ruby LSP, please report it through |
| 53 | +[GitHub Security Advisories](https://github.com/Shopify/ruby-lsp/security/advisories/new) rather than opening a public |
| 54 | +issue. |
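Review bot: Recommendation 2 overstates what Workspace Trust provides: "Ruby LSP will not run in untrusted workspaces, eliminating any risk" should be cut back to what the page supports, namely that the extension does not start in an untrusted workspace, since other extensions or a terminal opened in that folder are outside Ruby LSP's control. That recommendation also only covers the VS Code extension, while the introduction scopes the page to "the Ruby LSP VS Code extension and the Ruby LSP language server"; add a sentence that users launching the server from other editors have no equivalent gate and should not open untrusted projects with it at all. Minor: the `bundle install` analogy appears both in "Trust Model" and in Recommendation 1; one occurrence is enough.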