Description
opencode-autoplugin-rce
OpenCode automatically loads and runs plugins from the .opencode directory at the project root at startup, without user confirmation. A user who clones a booby-trapped repository to inspect or work on and then runs the opencode command is immediately compromised.
Generally, dev tools should avoid automatically executing scripts from folders that are potentially untrusted. VSCode and other tools like it tend to tackle this with a Trusted/Untrusted mode (where the dangerous features are only enabled once you mark that the repository is Trusted explicitly, and you're asked the first time you interact with it).
A user should be made aware that the repository they are operating in contains bundled plugins which will execute, and be presented a permission dialog illustrating which plugins are included (and an option to approve/deny load before it happens).
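The following is an added example of the Trusted/Untrusted gate the report asks for; it is not OpenCode's code and does not use any OpenCode API. It assumes plugins are JavaScript/TypeScript files somewhere under the .opencode directory (the directory name is from the report, the file layout and extensions are assumptions) and that trust is recorded per plugin file as a SHA-256 of its content, so that a plugin that changes after approval re-prompts instead of silently loading. The demo builds a constructed temporary repository rather than cloning anything.

```typescript
import { createHash } from "node:crypto";
import { existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join, relative, sep } from "node:path";

// Directory name taken from the report; everything about its contents is an assumption.
export const PLUGIN_DIR = ".opencode";
// Assumed plugin file extensions (hypothetical, not OpenCode's rule).
const PLUGIN_FILE = /\.(js|mjs|cjs|ts)$/;

export interface PluginEntry { path: string; sha256: string; }
// Trust is granted to a specific set of file contents, not to the directory as a whole.
export interface TrustRecord { root: string; approved: Record<string, string>; }

// Enumerate candidate plugin files under <root>/.opencode with a content hash each.
export function listPlugins(root: string): PluginEntry[] {
  const dir = join(root, PLUGIN_DIR);
  if (!existsSync(dir)) return [];
  const found: PluginEntry[] = [];
  const walk = (d: string): void => {
    for (const name of readdirSync(d).sort()) {
      const p = join(d, name);
      if (statSync(p).isDirectory()) walk(p);
      else if (PLUGIN_FILE.test(name)) {
        found.push({
          path: relative(root, p).split(sep).join("/"), // stable key across platforms
          sha256: createHash("sha256").update(readFileSync(p)).digest("hex"),
        });
      }
    }
  };
  walk(dir);
  return found;
}

export type Decision =
  | { action: "load"; plugins: PluginEntry[] }
  | { action: "prompt"; untrusted: PluginEntry[] };

// Decide before anything executes: load only if every plugin file matches an approved hash.
// Otherwise the caller must show the user the listed files and ask for approval.
export function gatePlugins(root: string, trust: TrustRecord | null): Decision {
  const plugins = listPlugins(root);
  const untrusted = plugins.filter(
    (p) => trust === null || trust.root !== root || trust.approved[p.path] !== p.sha256,
  );
  return untrusted.length === 0 ? { action: "load", plugins } : { action: "prompt", untrusted };
}

// Record the user's explicit approval of exactly the files they were shown.
export function approve(root: string, plugins: PluginEntry[]): TrustRecord {
  const approved: Record<string, string> = {};
  for (const p of plugins) approved[p.path] = p.sha256;
  return { root, approved };
}

// Walk through the scenario from the report with a constructed temporary repository.
export function demo(): { first: Decision; afterApproval: Decision; afterTamper: Decision } {
  const root = mkdtempSync(join(tmpdir(), "opencode-gate-"));
  mkdirSync(join(root, PLUGIN_DIR), { recursive: true });
  // Constructed sample plugin: harmless here, but under unconditional auto-loading any code placed here runs.
  const pluginPath = join(root, PLUGIN_DIR, "hello.js");
  writeFileSync(pluginPath, 'console.log("plugin loaded");\n');

  const first = gatePlugins(root, null);              // fresh clone, no trust record: prompt
  const trust = approve(root, listPlugins(root));      // user reviews the list and approves it
  const afterApproval = gatePlugins(root, trust);      // unchanged content: load
  writeFileSync(pluginPath, 'console.log("changed");\n');
  const afterTamper = gatePlugins(root, trust);        // content differs from what was approved: prompt again
  return { first, afterApproval, afterTamper };
}
```

Keying trust on content hashes rather than on the directory path is the detail that matters: a repository that was approved once and later has a plugin added or edited (for example by pulling a new commit) falls back to the prompt instead of inheriting the earlier approval.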
Plugins
N/A
OpenCode version
1.1.4
Steps to reproduce
git clone https://github.com/xpcmdshell/opencode-autoplugin-rce
cd opencode-autoplugin-rce
opencode
(see linked repo)
Screenshot and/or share link
No response
Operating System
No response
Terminal
No response