Restricting the use of VSCode extensions

While this question has been sitting in the back of my mind for a while, it has taken on new life given the GlassWorm C2 nested attack method described by Koi Security a few days ago.

What are the ways OnDemand administrators can restrict the VSCode extensions users can install and/or run?

I realize I ought to also hop over to the VSCode community (coder?) and ask something similar, but this was my first port of call as my institution is setting up an Open OnDemand portal for our HPC system. Also I trust y’all have a better understanding of research computing than the Microsoft infrastructure folks.

Hi and welcome!

A quick glance at the configurations doesn’t seem to show any to turn them off entirely. Though … you may be able to try some hack where the extension directory is /dev/null so they can’t have any extensions. Though that seems heavy handed.

Maybe the least heavy handed option would be to have a list of “green flagged” extensions that are allowed on the system. One can petition to have new ones added, but that is at the discretion of the sysadmin (& security) teams.

I don’t know how that would work unless you set up your own marketplace and use it instead.

Surely VSCode must have means to say “you can have these extensions but not all others”. And I am trying to be sympathetic to the Microsoft team responsible for that codebase, as I have heard nothing but negative things from admins who are forced to manage it.
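
As an added example (not code from this thread or from the Open OnDemand or VSCode projects), the "green flagged" list idea above can at least be audited after the fact: the sketch below walks an extensions directory and reports anything not on an admin-maintained allowlist. It assumes the usual unpacked layout of one folder per extension containing a `package.json` with `publisher`, `name` and `version`; the function names, the sample extension IDs and the directory contents are constructed for illustration, and the real directory path depends on your deployment. It detects unapproved extensions, it does not prevent installation.

```python
import json
import tempfile
from pathlib import Path

def installed_extensions(ext_dir):
    """Yield (extension_id, version, path) for each unpacked extension."""
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            version = str(meta.get("version", "?"))
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable or malformed manifest: report it rather than skip it.
            ext_id, version = f"unparsed:{manifest.parent.name}", "?"
        yield ext_id, version, manifest.parent

def audit(ext_dir, allowlist):
    """Return (id, version, path) for every extension not on the allowlist."""
    allowed = {entry.lower() for entry in allowlist}  # compare IDs case-insensitively
    return [(i, v, str(p)) for i, v, p in installed_extensions(ext_dir)
            if i not in allowed]

def demo():
    """Build a constructed extensions directory and audit it."""
    samples = {  # constructed sample data, not real extensions
        "goodpub.linter-1.2.3": {"publisher": "goodpub", "name": "linter",
                                 "version": "1.2.3"},
        "otherpub.themes-0.0.1": {"publisher": "OtherPub", "name": "themes",
                                  "version": "0.0.1"},
    }
    with tempfile.TemporaryDirectory() as root:
        for dirname, meta in samples.items():
            folder = Path(root, dirname)
            folder.mkdir()
            (folder / "package.json").write_text(json.dumps(meta))
        broken = Path(root, "broken-ext-1.0.0")
        broken.mkdir()
        (broken / "package.json").write_text("{not json")
        return [(i, v) for i, v, _ in audit(root, ["goodpub.linter"])]

if __name__ == "__main__":
    for ext_id, version in demo():
        print(f"NOT ON ALLOWLIST: {ext_id} {version}")
```

Run from cron or a job epilog against each user's extensions directory, the output gives the sysadmin and security teams a list to review against the petition process.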