You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This threat model covers the Git ID Switcher VS Code extension. The extension manages Git identities (name, email, SSH keys, GPG keys) and interacts with external binaries (git, ssh-add, ssh-keygen) via child processes.
execFile() bypasses shell interpretation; strict command allowlist; argument count (max 20) and length (max 256) limits; flag injection prevention; flag validator rejects unsafe characters
Residual Risk
Very low — execFile() + allowlist eliminates shell injection
T3: VSIX Binary Tampering
Aspect
Detail
Threat
Supply chain attack replaces legitimate VSIX with malicious version
Attack Vector
Compromised marketplace, CDN, or download source
Existing Mitigations
SLSA Level 3 build provenance; Cosign keyless VSIX signing (failure blocks release); Harden Runner egress-policy block on publish job with explicit allowed-endpoints; Trivy pre-publish scan; CycloneDX SBOM with attestation; npm audit high severity gate in CI
Residual Risk
Very low — cryptographic verification available via cosign verify-blob and gh attestation verify; egress blocking limits exfiltration during build
Repudiation (R)
R1: Identity Switch Denial
Aspect
Detail
Threat
User denies having switched Git identity
Attack Vector
No audit trail of identity operations
Existing Mitigations
Security audit logger records IDENTITY_SWITCH, SSH_KEY_LOAD, SSH_KEY_REMOVE, CONFIG_CHANGE events with timestamps; dual logging to Output Channel + file; sensitive data redaction
Residual Risk
Low — file logging is opt-in; Output Channel logs are ephemeral
Information Disclosure (I)
I1: SSH Key Path Leakage
Aspect
Detail
Threat
SSH key filesystem paths exposed in logs or error messages
Attack Vector
Verbose error messages, debug logs
Existing Mitigations
sensitiveDataDetector.ts redacts paths in logs; MAX_LOG_STRING_LENGTH truncation; redactAllSensitive mode for maximum privacy; path sanitization in security logger
Residual Risk
Low — paths visible in VS Code settings by design (user's own data)
I2: GPG Key ID Exposure
Aspect
Detail
Threat
GPG key IDs leaked through logs or UI
Attack Vector
Status bar display, notification messages
Existing Mitigations
GPG key IDs are intentionally displayed (they are public identifiers); sensitive data detector masks longer secret-like strings
Residual Risk
Accepted — GPG key IDs are public by design
Denial of Service (D)
D1: Resource Exhaustion via Identities
Aspect
Detail
Threat
Attacker creates thousands of identities to exhaust memory
Attack Vector
Malicious workspace configuration
Existing Mitigations
MAX_IDENTITIES limit (hardcoded, not configurable); field length limits on all string fields; icon byte length limit
Residual Risk
Very low — hardcoded limits prevent abuse
D2: Command Execution Hang
Aspect
Detail
Threat
External binary hangs, blocking extension
Attack Vector
Unresponsive git server, ssh-agent deadlock
Existing Mitigations
Command-specific timeouts (git: 10s, ssh-add: 5s, ssh-keygen: 5s); custom TimeoutError class; user-configurable timeouts with range validation (1-300s); ssh-add -D (bulk key deletion) removed from allowlist — only individual key removal (-d) permitted
Residual Risk
Very low — all external calls have timeouts
D3: Log File Growth
Aspect
Detail
Threat
Log files consume excessive disk space or symlink-based log tampering
Attack Vector
High-frequency operations triggering repeated logging; symlink replacement of log file between check and open
Existing Mitigations
Configurable maxFileSize and maxFiles with rotation (range-validated: 100KB-100MB, 1-100 files); file logging is opt-in; per-event-type rate limiter (10 events/10s window) prevents log flooding; O_NOFOLLOW flag on file open + fstat() symlink check (TOCTOU mitigation)