Merge pull request #220 from NewtonDer/fix-vscode-remote-resource-1.6

Add patch to validate referer for vscode-remote-resource API

Author: NewtonDer

patched-vscode/src/vs/server/node/remoteExtensionHostAgentServer.ts

@@ -139,6 +139,13 @@ class RemoteExtensionHostAgentServer extends Disposable implements IServerAPI {
 		if (pathname === '/vscode-remote-resource') {
 			// Handle HTTP requests for resources rendered in the rich client (images, fonts, etc.)
 			// These resources could be files shipped with extensions or even workspace files.
+			if (req.headers.referer && req.headers.host) {
+				const parsedRefererUrl = url.parse(req.headers.referer, true);
+				if (parsedRefererUrl.host !== req.headers.host) {
+					return serveError(req, res, 403, `Forbidden.`);
+				}
+			}
+
 			const desiredPath = parsedUrl.query['path'];
 			if (typeof desiredPath !== 'string') {
 				return serveError(req, res, 400, `Bad request.`);

patches/series

@@ -19,3 +19,4 @@ post-startup-notifications.patch
 sagemaker-extensions-sync.patch
 display-language.patch
 custom-extensions-marketplace.diff
+validate-http-request-referer.patch

patches/validate-http-request-referer.patch

@@ -0,0 +1,18 @@
+Index: sagemaker-code-editor/vscode/src/vs/server/node/remoteExtensionHostAgentServer.ts
+===================================================================
+--- sagemaker-code-editor.orig/vscode/src/vs/server/node/remoteExtensionHostAgentServer.ts
++++ sagemaker-code-editor/vscode/src/vs/server/node/remoteExtensionHostAgentServer.ts
+@@ -139,6 +139,13 @@ class RemoteExtensionHostAgentServer ext
+ 		if (pathname === '/vscode-remote-resource') {
+ 			// Handle HTTP requests for resources rendered in the rich client (images, fonts, etc.)
+ 			// These resources could be files shipped with extensions or even workspace files.
++			if (req.headers.referer && req.headers.host) {
++				const parsedRefererUrl = url.parse(req.headers.referer, true);
++				if (parsedRefererUrl.host !== req.headers.host) {
++					return serveError(req, res, 403, `Forbidden.`);
++				}
++			}
++
+ 			const desiredPath = parsedUrl.query['path'];
+ 			if (typeof desiredPath !== 'string') {
+ 				return serveError(req, res, 400, `Bad request.`);