4

As a consumer of Visual Studio Marketplace extensions, I frequently find myself wondering if this or that nice little add-on might be a security problem. For example, maybe it uploads my code somewhere. Is this a risk I simply have to take? Is this somehow checked? In the case of a popular add-on, would it be reasonable to assume that if it did do something like that, someone would have noticed?

1 Answer

5

Are Visual Studio Extensions audited?

No. Extensions are not audited by default. This Walkthrough describes the process of publishing an extension. As can be seen in step 9, the extension can be immediately published after the upload has completed.

How can I check what an extension does?

Visual Studio Extensions are delivered in the VSIX format, which is an archive format that can be extracted using 7zip. Technically, it is an OPC file as described here.

The archive itself contains several files to describe the extension, as well as a .DLL file with the actual code. From there on, you are reverse-engineering a .NET library like any other.

Can I trust that other people would do it for me?

Possibly, but you can never be 100% sure. Statistically, it's more likely that an extension that does one tiny thing and has 1 million downloads has been looked at by someone, than an extension that does God-knows-what and has 23 downloads.

However, you then essentially just shift the problem, and ask yourself how much you can trust those random strangers, as opposed to a different set of random strangers.

What can I do if I find a malicious extension?

When you look at the Visual Studio Extension Marketplace, you see a report button on the right side of the screen:

[Screenshot of the Visual Studio Marketplace]

This is actually a mailto:// link to the address vsmarketplace@microsoft.com, where they ask you to provide a brief description of the issue. I have never had to report an extension myself, so I cannot say whether, or how quickly, they would respond to an issue.
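The answer above says a VSIX is just an OPC (zip) archive with a manifest and a DLL, and that from there you are reverse-engineering a .NET assembly. The script below is an added example, not part of the answer or of any Microsoft tooling: it performs a first-pass static triage of a VSIX without installing it. It opens the archive, reads `extension.vsixmanifest` (Identity, DisplayName, Asset entries), checks that every declared asset actually exists in the archive and that no entry path escapes the extraction directory, and then pulls `strings`-style runs out of each DLL/EXE, in both ASCII and UTF-16LE (which is how .NET stores string literals in the `#US` metadata heap), looking for URLs that might hint at where code is being sent. The sample package, its `Example.Uploader.0000` identity and the `uploads.example.invalid` host are all constructed for this example. The URL scan is a heuristic for deciding whether an extension deserves a proper look in a .NET decompiler; obfuscated or runtime-built strings will not show up in it.

```python
"""Static triage of a VSIX package (an OPC/zip archive) without installing it.

Constructed example: builds a tiny VSIX in memory and inspects it. Pass a real
.vsix path on the command line to inspect that instead.
"""
import re
import zipfile
from io import BytesIO
from xml.etree import ElementTree as ET

# Namespace of the VSIX v2 manifest schema used by extension.vsixmanifest.
VSIX_NS = {"v": "http://schemas.microsoft.com/developer/vsx-schema/2011"}

# strings(1)-style extraction: printable ASCII runs and UTF-16LE runs.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample manifest; the identity and publisher are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="Example.Uploader.0000" Version="1.0.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Example Uploader</DisplayName>
    <Description>Constructed sample extension for inspection.</Description>
  </Metadata>
  <Installation>
    <InstallationTarget Id="Microsoft.VisualStudio.Community" Version="[17.0,18.0)" />
  </Installation>
  <Assets>
    <Asset Type="Microsoft.VisualStudio.VsPackage" Path="ExampleUploader.dll" />
  </Assets>
</PackageManifest>
"""

CONTENT_TYPES = """<?xml version="1.0" encoding="utf-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="vsixmanifest" ContentType="text/xml" />
  <Default Extension="dll" ContentType="application/octet-stream" />
</Types>
"""


def build_sample_vsix() -> bytes:
    """Build a constructed VSIX in memory: OPC content types, manifest, fake DLL."""
    # Fake "DLL": an MZ prefix, a UTF-16LE literal (as .NET stores string constants)
    # and an ASCII literal. This is not a valid PE file, only bytes to scan.
    fake_dll = (
        b"MZ" + b"\x00" * 62
        + "https://uploads.example.invalid/api/v1/source".encode("utf-16-le") + b"\x00\x00"
        + b"POST /upload HTTP/1.1\x00"
    )
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("extension.vsixmanifest", SAMPLE_MANIFEST)
        zf.writestr("ExampleUploader.dll", fake_dll)
    return buf.getvalue()


def extract_strings(data: bytes) -> list:
    """Return printable ASCII and UTF-16LE string runs found in a binary blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def inspect_vsix(vsix_bytes: bytes) -> dict:
    """Parse the manifest, sanity-check the archive, and list URLs embedded in binaries."""
    with zipfile.ZipFile(BytesIO(vsix_bytes)) as zf:
        names = zf.namelist()
        if "extension.vsixmanifest" not in names:
            raise ValueError("not a VSIX: extension.vsixmanifest missing")
        root = ET.fromstring(zf.read("extension.vsixmanifest"))
        ident = root.find("v:Metadata/v:Identity", VSIX_NS)
        if ident is None:
            raise ValueError("manifest has no Metadata/Identity element")
        assets = [(a.get("Type"), a.get("Path"))
                  for a in root.findall("v:Assets/v:Asset", VSIX_NS)]
        report = {
            "id": ident.get("Id"),
            "version": ident.get("Version"),
            "publisher": ident.get("Publisher"),
            "display_name": root.findtext("v:Metadata/v:DisplayName", namespaces=VSIX_NS),
            "assets": assets,
            # Declared assets that are not actually shipped in the archive.
            "missing_assets": [p for _, p in assets if p not in names],
            # Entry names that would escape the extraction directory ("zip slip").
            "unsafe_paths": [n for n in names if n.startswith(("/", "\\")) or ".." in n.split("/")],
            "binaries": {},
        }
        for name in names:
            if name.lower().endswith((".dll", ".exe")):
                urls = {u for s in extract_strings(zf.read(name)) for u in URL_RE.findall(s)}
                report["binaries"][name] = sorted(urls)
    return report


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_vsix()
    print(json.dumps(inspect_vsix(data), indent=2))
```

Run it with no arguments to see the report for the constructed sample (it lists the `uploads.example.invalid` URL under `ExampleUploader.dll`), or with a path to a downloaded `.vsix` to triage a real package. Anything that looks like an upload endpoint, or a declared asset that is missing from the archive, is the cue to open the assembly in a .NET decompiler and read the code that uses it.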