Appearance
Visual Studio Code
Validate VS Code's network egress (including extensions), integrated terminal behaviors, file associations, and data-motion surfaces under the Secure Sandbox.
Objectives
- Enforce deny-by-default egress, proxy enforcement, and pinned roots for marketplace/extensions.
- Verify integrated terminal commands (curl/wget/git/PowerShell) cannot bypass egress controls.
- Confirm file associations, clipboard/drag-drop behave as intended.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- VS Code installed.
- Networking deny-by-default with proxy enforcement and pinned roots.
- DataMotion posture configured for clipboard/dragDrop/screen capture.
Controls Under Test
runtime.networking.egressDefaultAction, proxy enforcement and pinned roots.runtime.dataMotion.rules[]withchannel: "clipboard"|"dragDrop"|"screenCapture".- File associations for file types VS Code handles.
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-APP-VSCODE-01 | NET-ENCRYPT-01 | Marketplace via proxy | Install a popular extension from Marketplace. | Requests traverse enforced proxy; pinning enforced; denied if not allowed. |
| SCEN-APP-VSCODE-02 | NET-EGRESS-01 | Direct IP from terminal | curl http://<IP> | Denied per egress default deny. |
| SCEN-APP-VSCODE-03 | NET-PROTO-02 | IPv6 parity | curl -6 https://example.com | Blocked same as IPv4 if not allowlisted. |
| SCEN-APP-VSCODE-04 | DM-CLIP-01 | Clipboard outbound | Copy from editor; paste on host. | Denied/processed per policy. |
| SCEN-APP-VSCODE-05 | DM-DRAG-01 | Drag-drop outbound | Drag a file from VS Code to host. | Blocked per policy. |
| SCEN-APP-VSCODE-06 | HARD-FILES-01 | Files tab boundaries | Open, edit, save within Storage Context; check host. | Writes remain overlay-only unless mapped. |
| SCEN-APP-VSCODE-07 | HARD-PROCESS-04 | Malicious extension process | Install 'Hello World' extension; modify to spawn node.exe accessing env/net. | Child process inherits sandbox; access denied. |
| SCEN-APP-VSCODE-08 | DM-CLIP-04 | CertUtil decode bypass | Paste large base64 blob (> limit) to terminal; run certutil -decode. | Pass: Paste blocked by DataMotion size limit; payload never reaches terminal. Audit shows channel: "clipboard", action: "deny". |
| SCEN-APP-VSCODE-09 | NET-EGRESS-01 | Third-party gallery | Configure serviceUrl to non-official gallery (e.g., OpenVSX) in settings. | Connection denied by default egress unless allowlisted; audit shows action: deny; proxy/pinning enforced. |
| SCEN-APP-VSCODE-10 | DM-CLIP-04 | Large clipboard within sandbox editor | With clipboard direction: both and a size cap configured, copy ≥10KB text in VS Code and paste into a new editor tab. | Paste is truncated/denied per size cap; audit dataMotion channel: "clipboard", `action: "deny" |
Evidence Requirements
networkanddataMotionevents as applicable; includerule.id,priority, and protocol fields.
Troubleshooting
- Some extensions may batch requests; monitor audit over a longer window.
- Integrated terminal may respect system proxy variables; ensure policy enforces proxy at the sandbox boundary.
Known Limitations & Negative Space
- Extensions can vary widely; validate a representative set for your org.
