Create another file alongside test.py called evil.py. In evil.py, put print('malicious code').
While test.py is the active file, run the debugpy and enter the args one & python ./evil.py
See that ./evil.py gets run.
If someone malicious wanted to run their own python script, they could inject a call into the args. Perhaps we should be sanitizing the input in some way in case it can be interfered with?
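The injection the report describes, reproduced as an added example that is not code from the Python extension or from debugpy: a stand-in for test.py prints the argv it received, and the same args string is either spliced into a shell command line (the vulnerable pattern) or handed over as an argv list (the safe pattern), with shlex.quote shown for the case where a shell cannot be avoided. The payload uses ";" as the POSIX sequential separator in place of the "&" from the report ("&" is the sequential separator on Windows cmd.exe; on a POSIX shell it would background the first command instead), and the injected command is a harmless echo rather than a second script. The helper names, the stand-in target and the payload are all assumptions made for this illustration.

```python
import ast
import shlex
import subprocess
import sys

# Constructed stand-in for test.py: it only reports the argv it received.
TARGET = "import sys; print('argv=' + repr(sys.argv[1:]))"

# Constructed payload in the shape of the report's "one & python ./evil.py".
# ';' is the POSIX sequential separator; the second command is a harmless echo.
PAYLOAD = "one; echo INJECTED"


def run_via_shell(args_string):
    """Vulnerable pattern (assumed, not the extension's code): the user-controlled
    args string is spliced into one command line that /bin/sh then parses, so
    any separator inside it (';', '&', '|', '$(...)') starts a new command.
    Returns the child's combined stdout."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(TARGET)} {args_string}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_via_shell_quoted(args_string):
    """If a shell is unavoidable, quote the whole string first: the shell then
    delivers it as one literal argument instead of interpreting it."""
    return run_via_shell(shlex.quote(args_string))


def run_via_argv(args_string):
    """Hardened pattern: tokenise with POSIX rules and pass a list, so no shell
    ever sees the string and separators arrive as literal arguments."""
    argv = [sys.executable, "-c", TARGET, *shlex.split(args_string)]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def received_argv(stdout):
    """Extract the argv list printed by the stand-in target, or None if the
    target never ran."""
    for line in stdout.splitlines():
        if line.startswith("argv="):
            return ast.literal_eval(line[len("argv="):])
    return None


if __name__ == "__main__":
    print("shell   :", run_via_shell(PAYLOAD).strip().splitlines())
    print("quoted  :", run_via_shell_quoted(PAYLOAD).strip().splitlines())
    print("argv    :", run_via_argv(PAYLOAD).strip().splitlines())
```

With the shell pattern the target sees only ['one'] and the injected echo runs as a separate command; with the argv pattern the target sees ['one;', 'echo', 'INJECTED'] as three plain arguments and nothing else executes. Quoting only helps if every place that builds a command line remembers to do it, which is why the list form is the one to reach for.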
The security model for extensions is either you allow them in a trusted environment or you don't. Since this extension requires a trusted environment, you are already choosing to trust the code being debugged. Whether you bothered to sanitize your code is up to you and not us.
We also can't in any way sanitize the input as we have no idea what you plan to do with the file passed in. Are you parsing it? Are you just counting the number of letters? How are we to know what you plan to do with any file which you could read from and then choose to execute or do something with that could be considered malicious?
All of this is to say, "don't run code you don't trust". 😉
Testing #64