Is Websocket Text Relay safe?

Findings

Contains Vulnerability (CVSS Critical)

Flags items that contain or rely on components with critical severity vulnerabilities, as identified by sources such as Google OSV and NVD. These vulnerabilities may expose the item to exploitation, including risks like backdoors, privilege escalation, or data compromise.

medium

Unverified Publisher

Flags items published by entities that haven’t gone through the publisher verification process of the marketplace. Lack of verification may indicate higher risk, as the publisher’s identity and trustworthiness are unconfirmed.

medium

Contains Vulnerability (CVSS High)

Flags items that contain or rely on components with high-severity vulnerabilities, as identified by sources such as Google OSV and NVD. These vulnerabilities may expose the item to exploitation, including risks like backdoors, privilege escalation, or data compromise.

low

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This Javascript code implements a VS Code extension that relays text document changes over WebSockets. Here's a breakdown:

Core Functionality:

Websocket Communication: The extension establishes a WebSocket connection to a server (defined in server.js).
Real-time Text Synchronization: It uses the vscode-languageclient library to synchronize text document changes between VS Code and the server.
Selective Synchronization: Only changes to files specified by the server are synchronized.

How it Works:

Activation (activate function):
- Logs an activation message.
- Reads configuration settings for the WebSocket server (command, arguments, network access permissions).
- Creates a LanguageClient instance to manage the WebSocket connection and communication with the server.
- Starts the client to establish the connection.
- Sets up event listeners for when text documents are opened or closed in VS Code.
- Sends an initial notification to the server with a list of currently open files.
Handling Open/Close Events:
- When a text document is opened or closed, the updateOpenFiles function is triggered.
- This function collects the file paths of all currently open documents in VS Code.
- It sends a notification (wtr/update-open-files) to the server with the updated list of open files.
Server-Controlled Synchronization:
- The server determines which files should have their changes synchronized.
- The server sends a notification (wtr/update-active-files) to the extension with a list of "active" files.
- The extension listens for this notification and calls the updateRegistrations function.
Updating Synchronized Files (updateRegistrations function):
- This function updates the LanguageClient's registrations to only synchronize changes for the specified "active" files.
- It first unregisters any previous registrations for the textDocument/didChange feature.
- Then, it registers the feature again with a document selector that only includes the "active" files.
Deactivation (deactivate function):
- Stops the LanguageClient to close the WebSocket connection when the extension is deactivated.

In essence: This extension acts as a bridge, allowing a server to selectively receive and potentially modify real-time text edits made in VS Code. The server controls which files are synchronized and can implement custom logic based on the received changes.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

Github

/extension/node_modules/eslint/README.md

Unverified

Github

/tmp/ext-XXXXXXS8zacH/extension/node_modules/eslint/README.md

Unverified

MongoDB

/tmp/ext-XXXXXXS8zacH/extension/node_modules/keyv/README.md

Unverified

All secrets are available for Enterprise users

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-xvch-5gv4-984h

Prototype Pollution in minimist

CVSS:

9.8

GHSA-67hx-6x53-jw92

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

CVSS:

9.3

GHSA-93q8-gq69-wqmw

Inefficient Regular Expression Complexity in chalk/ansi-regex

CVSS:

7.5

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

EXTERNAL COMMUNICATIONS ARE AVAILABLE FOR ENTERPRISE USERS

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

eslint

Version:

8.57.0

vscode-languageclient

Version:

9.0.1

websocket-text-relay

Version:

1.1.0

All dependencies are available for Enterprise users

Licenses & Compliance

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

LICENSES & COMPLIANCE ARE AVAILABLE FOR ENTERPRISE USERS