Is JupyterHub safe?

Findings

Requires Additional Extensions

Flags items that require one or more other extensions to be installed in order to function. While extension dependencies are a standard software practice, they result in additional extensions being present in the environment.

low

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This extension provides support for connecting to JupyterHub in VS Code, working alongside the Jupyter extension. Its main purpose is to facilitate communication with JupyterHub servers, manage kernels, sessions, and file contents, and handle related API interactions.

Key Activities and API Usage:

Network Communication:
- Uses HTTP(S) requests to JupyterHub/Jupyter server REST APIs for managing kernels, sessions, contents, and configuration.
- Uses WebSocket connections for real-time communication with kernels (for code execution, output, etc.).
- Example:
```
this._ws = new settings.WebSocket(url, supportedProtocols);
this._ws.binaryType = "arraybuffer";
```
Filesystem Activity:
- Interacts with Jupyter server's contents API to read, write, rename, and delete files, but does not directly access the local filesystem from the extension code. All file operations are mediated via the Jupyter server REST API.
Process Execution:
- No direct process execution on the user's machine is performed by the extension code. All kernel and session management is done via server APIs.
Data Handling:
- Handles notebook and file content as JSON objects, and transmits/receives them via the server APIs.
Extension Configuration:
- Reads configuration from the Jupyter server or from VS Code settings, but does not attempt to modify VS Code or system-level settings outside its scope.
Obfuscation:
- The code is minified and bundled, but not obfuscated. Variable names and logic are readable and follow standard patterns for VS Code/JupyterLab extensions.

Security and Malicious Indicators:

No evidence of code execution on the user's machine outside of the Jupyter server context.
No evidence of arbitrary network requests to unknown domains (all network activity is directed at the configured Jupyter server/JupyterHub endpoints).
No evidence of data exfiltration, credential theft, or backdoors.
No use of eval, Function constructor, or dynamic code execution.
No suspicious string encoding, encryption, or obfuscation techniques.

Summary:

The extension is a standard implementation for JupyterHub connectivity, using well-known APIs and patterns. It does not exhibit behaviors associated with malicious extensions.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

critical

child_process.exec

nodejs

/extension/dist/extension.node.js

critical

process.execArgv

nodejs

/extension/dist/extension.node.js

critical

child_process.spawnSync

nodejs

/extension/dist/extension.node.js

All API calls are available for Enterprise users

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

URI

/extension/dist/extension.node.js

Unverified

All secrets are available for Enterprise users

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

VULNERABILITIES ARE AVAILABLE FOR ENTERPRISE USERS

External communication

Any identifiers we detected that may indicate external communication from the item's code

http://169.254.169.254/metadata/instance/compute

extension/dist/extension.node.js

https://aka.ms/vscodeJuptyerExtKernelPickerExistingServer

extension/dist/extension.node.js

https://aka.ms/vscodeJupyterHub

extension/dist/extension.node.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

@jupyterlab/services

Version:

Unknown

@types/chai-as-promised

Version:

Unknown

process

Version:

Unknown

All dependencies are available for Enterprise users

Licenses & Compliance

Compliance

Compliance status and certifications for the extension and its publisher

Microsoft

Microsoft provides resources indicating their preparation for CCPA compliance related to their products and services. However, there is no specific declaration on the parent company's CCPA compliance because Microsoft does not explicitly have a parent company identified in this context.

Compliant

Microsoft

Microsoft complies with HIPAA and enables its customers to adhere to HIPAA regulations, including the HITECH Act and the Security Rule requirements.

Compliant

Microsoft Corporation

Microsoft Corporation, including its services such as Azure, OneDrive for Business, and SharePoint Online, is certified as compliant with PCI DSS version 3.2 at Service Provider Level 1. This indicates that Microsoft is capable of handling vast amounts of payment card data securely. The compliance standards apply directly to these services, confirming their adherence to PCI DSS guidelines.

Compliant

Licenses

X.Net License

View License

" MIT License\n\n Copyright (c) Microsoft Corporation.\n\n Permission is hereby granted, free of charge, to any person obtaining a copy\n of this software and associated documentation file...