Allow to disable `security.allowedUNCHosts`

[weed-]

The new "security.allowedUNCHosts" in 1.78.1 setting breaks our workflow. We edit a lot of files on a lot of UNC hosts (around ~3k hosts per user, many users). How can the feature be disabled or all/regex hosts be allowed?

Alternatively, we could try to add all our UNC hosts. The list ist around 5mb (now) and changes on a hourly basis - editing this manually is nonsense, but neither security.allowedUNCHosts nor NODE_UNC_HOST_ALLOWLIST allows for centralized (and realtime) management.

Using a match pattern like \10.2.. or \(.).*.example.com would be our preferred method.

[bpasero]

We currently do not support glob patterns for UNC paths, specifically because of the security attack: every UNC host name must be added individually and explicitly. Every UNC path that is allowed exposes a risk of disclosing information as outlined by GHSA-mmfh-4pv3-39hr

[asherjvitek]

The current state of this is completely unmaintainable. Having to enter every single server to browse to is not realistic. I use VS Code multiple times a day to open to files on servers.

There should be a way to either provide a wildcard or disable this allowing people to accept the risk.

[FVolral]

For those unable to view the content of their folder in \\wsl$ . In JSON settings, I added :

"security.allowedUNCHosts": ["wsl$"],

This can be found in the following link: https://code.visualstudio.com/docs/setup/windows#_working-with-unc-paths.

After rebooting VSCode, the changes will take effect and the folder's content will be viewable again.

[Andy78DE]

I second @weed- 's comment. I have the same problem here.
Also, I tried to list the most used servers and IP addresses, but I still get the warning when opening a file. Is there a special format for the entries? Couldn't find any examples.
My settings file looks like this:
"security.allowedUNCHosts": [ "ABC", "10.1.2.3", "DEF" ]

EDIT:
Got it: I put server names like "ABC" (upper-case) into settings, but it seems it has to be like "abc" (lower-case) 🤦🏼‍♂️
Still just a temporary workaround...

[weed-]

@bpasero is right and we do understand the risk of this Information Disclosure Vulnerability. UNC retrieval and meta data access (... NTLM delegation ...) is a hot mess in Windows anyway.

We need a way to be able to "willingly accept this risk". In a closed environment like ours (telko stuff) the risk is more a theoretical one anyway. So a "disable" setting or "enable glob patterns", if global matching is "not enough", would be extremely helpful.

[jdonaldson-Lamar]

I am going to stop using VS Code if this issue is not resolved.

[marguz-wag]

Hello,

I did have a question here as to why the environment variable did not work "NODE_UNC_HOST_ALLOWLIST", but after making sure all running "Code.exe" process were killed, it worked.

So I guess, also make sure there are no running "Code.exe" process while one is making these changes to test.

So far.. all good now.