@@ -79,6 +79,20 @@ async function tryPkexec(
7979async function spawnWithSudoPassword (
8080 options : SpawnElevatedLinuxOptions ,
8181) : Promise < { cancelled : boolean } > {
82+ // Security note: This approach is less secure than pkexec because:
83+ // - Password flows through VS Code → Node.js → child process stdin (more attack surface)
84+ // - Password briefly exists in application memory (vulnerable to memory dumps)
85+ // - Potential attack vector: A malicious VS Code extension could theoretically intercept
86+ // the password by hooking into Node.js I/O streams or reading process memory
87+ // (though VS Code's extension sandbox provides some isolation)
88+ //
89+ // However, this is acceptable because:
90+ // - We only use this when pkexec is unavailable (systems without desktop environment)
91+ // - Password is masked in input, never logged, and passed via stdin only
92+ // - Password is not stored/cached and is disposed immediately
93+ // - This is a one-time installation operation, not continuous privileged access
94+ //
95+ // Alternative: complete installation failure on systems without polkit agents
8296 const password = await vscode . window . showInputBox ( {
8397 prompt : "Enter your sudo password" ,
8498 password : true ,
@@ -108,6 +122,11 @@ async function spawnWithSudoPassword(
108122 } ) ;
109123
110124 // Write password to stdin and close it
125+ // Note: We use stdin rather than command-line arguments because:
126+ // - Command-line args are visible in process listings (eg ps aux)
127+ // - stdin prevents the password from appearing in logs or shell history
128+ // - stdin data is not visible to other users on the system
129+ // However, the password still exists briefly in our process memory and the pipe buffer
111130 child . stdin . write ( `${ password } \n` ) ;
112131 child . stdin . end ( ) ;
113132
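Review bot: The security note added at the top of `spawnWithSudoPassword` overstates two mitigations, which a later maintainer may take at face value. As far as I know, desktop VS Code extensions share the extension host process and are not sandboxed from one another, so the parenthetical would be more accurate as `// (extensions share the extension host process, so no isolation between them should be assumed)`. A JavaScript string cannot be overwritten or freed on demand, so "disposed immediately" would be more accurate as `// - Password is not stored or cached by this code; the string stays in memory until garbage collected`. The second hunk's stdin rationale reads correctly. The function body continues outside both hunks, so whether `child.stdin` has an `error` handler for the case where sudo exits before reading cannot be checked from here.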