MindByte Issue #77: vulnerabilities in VS Code extensions?

Vulnerabilities in VS Code extensions, feedback from the Global DevOps Experience, C# 13 features, push code improvements at GitHub

Hi there! Thanks for joining me this week.

To ensure you keep getting these updates seamlessly, please move this email to your primary inbox or mark it as important. A quick reply like "got it" also helps boost visibility. This edition covers exciting topics such as:

  • Security risks with Visual Studio Code extensions

  • Bug bounties at GitHub and why they are still needed

  • New C# version 13 features

  • Global DevOps Experience

  • Is GraphQL still a thing?

New here? Subscribe here to stay updated. Let's dive into the details!

GitHub Digest

As I stated in my last edition, I’m co-organizing an event called the Global DevOps Experience. This took place on Saturday, the 15th, and we had people all around the globe participating in DevOps challenges using GitHub and Azure.

My colleague Rene wrote a nice blog post about the whole event, how it came into play, what we needed to do, and how it went. Read about the GitHub workflows for venue organizers and the circuit breakers we hit when rolling out hundreds of Azure resources.

Do you know what is happening when you do a push to GitHub?

It is not only that your code is added to the remote repository: around 20 different services are actually kicked off, to perform code analysis, start workflows, execute webhooks, and so on.

You can imagine that this requires some interesting logic, and GitHub is sharing how they improved this flow using Kafka topics.

Found a security issue within GitHub? Then report it through their Bug Bounty Program! The program is already 10 years old, and the blog post gives some insight into its key moments.

Yes, it happened again: an exposed GitHub token was used to steal the New York Times source code.

Around 270 GB of data was extracted and is now up for sale.

So make sure to secure your accounts!

Even the official GitHub Copilot Chat extension was vulnerable to data exfiltration through specially crafted instructions placed in code files.

Because Copilot Chat sends file content to the LLM, instructions hidden in the source code it analyzes can be picked up by the model and used to extract data and send it somewhere else.

Read the post or watch the video if you want to learn more about this hack, which has been fixed by Microsoft.

Coding Corner

I’m a fan of RESTful HTTP APIs, which are already tricky to make. When GraphQL was released some years ago by Facebook, I did not really know what to make of it.

Some positioned it as a successor to REST, but I never saw a real benefit and I think the below article highlights some interesting points as to why it fails to deliver.

The tricky part of database design: how to pick your unique keys. Using a natural key, like a social security number, sounds logical, but Mark Seemann argues that you will regret this.

I already addressed a vulnerability in an official Visual Studio Code extension, but this article describes another attack vector: creating a fake extension.

By publishing an extension that looked like another popular one, faking some reviews, and setting up a similar website, the attacker got users to install it. Having access to the editor allowed the extension to start sending out data that should have remained private on the machine.

.NET Nook

It is hard to keep up with all the changes in dotnet and C#, but luckily Peter Ritchie highlights some interesting changes in C# 13, such as extension types and properties, or the use of the index operator while initializing collections.

Read more for some examples and explanations.

Integrating OpenAI into your dotnet applications has been possible for a while now, as there are a couple of different libraries available. However, Microsoft took it upon itself to adopt one of them and, together with the original author, now offers it as the official OpenAI library for .NET.

The library is generated from the official OpenAI API specification, so it should stay up to date. It also offers access to the other available features, like image generation.

Damien shares how you can create a PDF inside a controller and return it as the response to the caller. The library used is certainly not the only option, but it highlights how easy it is to turn data into a PDF.

Styling the PDF, that will be another challenge. :-)

I played with the Stateless workflow system years ago, and liked the simplicity of it. It was created by Nicholas Blumhardt, who also authored Serilog.

Khalid shows some interesting examples of how to use it by doing some space traveling.

Events and time are a tricky combination, but most systems have some concept of time: a process that needs to start every day, a check that happens every minute, and so on.

Oskar shows how to build such a system using the "passage of time" and "to-do list" patterns.

Aspire was announced recently at Microsoft Build, while Dapr has been around for a while. It can be confusing why you would use them and how they compare to each other.

As Marc Duiker puts it: .NET Aspire is a set of tools for local development, while Dapr is a runtime offering building-block APIs that is used both during local development and when running in production.

He shows how to install and configure both solutions, compares their features, and of course explains where they fit together.

Closing Thoughts

Thank you for reading this week’s edition.

Your feedback is invaluable, so if you have any thoughts, questions, or suggestions, please don't hesitate to reach out. If you enjoyed this update and want to continue receiving more, make sure to subscribe here.

I appreciate your time and look forward to hearing from you!
