fix: Use Start-Process for online help to avoid security warning#5447
Conversation
There was a problem hiding this comment.
Pull request overview
This PR changes how “Show Help” (Ctrl+F1) opens online help so it no longer triggers the Invoke-WebRequest security warning in recent Windows PowerShell versions, by switching to a Start-Process-based approach.
Changes:
- Replaces the prior LSP notification-based “Show Help” flow with a PowerShell command executed in the integrated console.
- Builds a PowerShell command that resolves the online help URI via
Get-Helpand opens it viaStart-Process.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| import { PowerShellIntegratedConsole } from "../powerShellIntegratedConsole"; | ||
|
|
There was a problem hiding this comment.
The new import "../powerShellIntegratedConsole" (and PowerShellIntegratedConsole.instance.executeCommand(...)) does not resolve anywhere in src/—there is no powerShellIntegratedConsole.ts and no exported PowerShellIntegratedConsole class. This will fail TypeScript compilation. Either add/commit the missing module, or rework this to use the existing session/terminal plumbing (e.g., via the session manager / PowerShellProcess terminal) that already exists in this repo.
| const selection = editor.selection; | ||
| const doc = editor.document; | ||
| const cwr = doc.getWordRangeAtPosition(selection.active); | ||
| const text = doc.getText(cwr); | ||
| text = doc.getText(cwr); | ||
| } |
There was a problem hiding this comment.
doc.getWordRangeAtPosition(...) can return undefined (e.g., when the cursor is on whitespace). Passing undefined to doc.getText() returns the entire document, which would make escapedText huge and produce an invalid/slow PowerShell command. Consider explicitly handling cwr === undefined (return early or fall back to the selection text) before calling getText.
| // We need to escape single quotes for the PowerShell command. | ||
| const escapedText = text.replace(/'/g, "''"); | ||
| const psCommand = |
There was a problem hiding this comment.
This file already has a shared helper for escaping single quotes in PowerShell strings (utils.escapeSingleQuotes(...)). Using that helper here would avoid duplicating escaping logic and keep quoting consistent across the extension.
|
I think I'd rather see us use VS Code to render the content at the URL from Get-Help. What does the equivalent functionality in e.g. the Python extension look like? If at all possible we should just avoid running |
Summary
Fixes an issue where using 'Show Help' (Ctrl+F1) would trigger an
Invoke-WebRequestsecurity warning in the PowerShell Integrated Console. The implementation has been changed from an LSP notification to executing a command directly in the console. The new command gets the online help URL and opens it usingStart-Process, which avoids the underlyingInvoke-WebRequestcall that caused the warning.Changes
ShowHelpFeatureis updated to execute a PowerShell command directly in the integrated console instead of sending an LSP notification. The new command retrieves the online help URL fromGet-Helpand opens it withStart-Process, bypassing theInvoke-WebRequestcall that triggered a security warning in recent PowerShell versions.Related Issue
Closes #5427