
VSCode Extensions enable arbitrary remote code execution via exec(). Not sure if this is a bug/vulnerability or a feature. #238789

Open
alfa-meta opened this issue Jan 26, 2025 · 0 comments

@alfa-meta

Does this issue occur when all extensions are disabled?: No

  • VS Code Version: 1.96.4
  • OS Version: Windows 11

All VSCode extensions enable arbitrary remote code execution.
It can be used with any PowerShell or bash command of your choice.
As long as the user of VSCode has permissions, they are able to run any code, as far as I am concerned. I have only tested with opening Microsoft apps and running Linux commands.

Steps to Reproduce:

  1. Build a basic extension
  2. import { exec } from "child_process";
  3. The only thing that matters is exec(); you don't need to return data to the front end like I did with this function.

```ts
import { exec } from "child_process";

// Names of applications with a visible window, filled in by the PowerShell call below
let activeApplications: string[] = [];

function windowsCheckActiveApplication() {
  // Run the ListActiveApps logic every second
  const powershellCommand =
    "Get-Process | Where-Object { $_.MainWindowHandle -ne 0 } | Select-Object Name";

  // exec() hands the string to a shell; it runs with the VS Code user's privileges
  exec(`powershell.exe -Command "${powershellCommand}"`, (error, stdout, stderr) => {
    if (error) {
      console.error(`Error fetching active apps: ${error.message}`);
      return;
    }

    if (stderr) {
      console.error(`Stderr while fetching active apps: ${stderr}`);
      return;
    }

    // Parse active applications
    activeApplications = stdout
      .split("\n")
      .map((line) => line.trim())
      .filter((line) => line && line !== "Name" && !line.startsWith("----")); // Remove empty lines, headers, and separators
  });
}
```
