Cloud-based development environments (CDEs) may have security risks, according to researchers from Snyk. They recently found a vulnerability in Gitpod that could allow an attacker to achieve remote code execution and full account takeover.
CDEs can promise better security than local ones and are easier to deploy, but they pose unique risks that need proper assessment. CDEs can be affected by malware, insufficient access controls, or even rogue developers who exfiltrate intellectual property from a cloud-hosted machine.
Traditional integrated development environments (IDEs) have security problems, too. However, CDEs are an improvement in many ways, as they can eliminate configuration drift and dependency collisions and limit attack windows.
CDE providers can deploy fixes faster than an organization can deploy security patches to its workstations and laptops running a traditional IDE. Organizations should choose their provider carefully, especially since code, access tokens, production secrets, and other intellectual property are entrusted to them.
The Gitpod flaw Snyk discovered falls into the category of cross-site WebSocket hijacking. A defense mechanism called the Same Origin Policy prevents code from another site from reading information from a site that a user is logged into.
The defense mechanism applies only to HTTP and not to WebSocket connections, which could allow a malicious site to send malicious commands through the connection and receive the responses by piggybacking on the user’s cookie.
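A standard server-side defense against this class of flaw is to compare the handshake's `Origin` header with an exact allowlist before upgrading the connection. The following is an added example, not code from Gitpod or Snyk; the origin `https://app.example.test`, the function names and the sample handshakes are all constructed for illustration.

```javascript
// Added example: exact-match Origin allowlisting for a WebSocket handshake.
// All names and values here are hypothetical / constructed.
// Browsers attach the user's cookies to cross-site WebSocket handshakes,
// so the cookie alone does not prove the request came from the real dashboard.

const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed value

// Reduce an Origin header to scheme://host[:port]; return null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not a parseable origin
  }
  // A genuine Origin header has no userinfo, path, query or fragment.
  if (url.username || url.password || url.pathname !== "/" || url.search || url.hash) return null;
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// headers: object with lower-cased header names, as Node's http module provides.
function checkHandshake(headers, allowed = ALLOWED_ORIGINS) {
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { accept: false, reason: "not a websocket upgrade" };
  }
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) {
    // Browsers always send Origin on WebSocket handshakes; refuse when absent or opaque.
    return { accept: false, reason: "missing or opaque origin" };
  }
  // Exact match only: suffix or substring checks let look-alike hosts through.
  if (!allowed.has(origin)) return { accept: false, reason: "origin not allowed: " + origin };
  return { accept: true, reason: "origin allowed" };
}

// Constructed handshake headers; each carries the same session cookie.
const SAMPLE_HANDSHAKES = [
  { upgrade: "websocket", origin: "https://app.example.test", cookie: "session=constructed" },
  { upgrade: "websocket", origin: "https://app.example.test.attacker.test", cookie: "session=constructed" },
  { upgrade: "websocket", origin: "http://app.example.test", cookie: "session=constructed" },
  { upgrade: "websocket", origin: "null", cookie: "session=constructed" },
  { upgrade: "websocket", cookie: "session=constructed" },
];

function evaluateSamples() {
  return SAMPLE_HANDSHAKES.map((h) => checkHandshake(h).accept);
}

console.log(evaluateSamples());
```

Only the first handshake is accepted; the look-alike host, the downgraded scheme, the opaque `null` origin and the request with no `Origin` header are all refused even though each presents a valid cookie.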
The Gitpod architecture consists of multiple microservices deployed in a Kubernetes environment with user workspaces deployed as ephemeral pods. Gitpod workspaces consist of a server component written in TypeScript and a dashboard web application built with React that communicates over WebSocket with a JSON-RPC API exposed by the server.