Vscode-powershell: Extension should support running in constrained language mode
Right now we show an error message on startup of constrained language mode is turned on via AppLocker policy. We should do the necessary work to make the extension operate at some level with this mode turned on. The PowerShell ISE supports it.
daviwil
All 14 comments
Hello, is there an established roadmap, plan for this?
caparkaya
on 18 Jul 2018
Closing this in favor of #754
TylerLeonhardt
on 4 Oct 2018
I'm doing work now to move PSES over to a binary module to make this easier, but it looks like there are still issues because of how PSReadLine works. I'm not sure if those are the only issues, but that's the current blocker; we invoke a PSReadLine static method in PowerShell script directly for the prompt. So to enable constrained language mode, that's the next issue to solve.
rjmholt
on 27 Nov 2019
Another facet here is that we have dependencies that aren't signed:
> ls .\module\PowerShellEditorServices\bin\Common\ | Get-AuthenticodeSignature | ? Status -eq 'NotSigned' | ft Status,Path
Status Path
------ ----
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\MediatR.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\MediatR.Extensions.Microsoft.DependencyInjectio…
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Microsoft.PowerShell.EditorServices.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Newtonsoft.Json.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\OmniSharp.Extensions.DebugAdapter.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\OmniSharp.Extensions.DebugAdapter.Server.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\OmniSharp.Extensions.JsonRpc.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\OmniSharp.Extensions.LanguageProtocol.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\OmniSharp.Extensions.LanguageServer.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Serilog.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Serilog.Extensions.Logging.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Serilog.Sinks.Async.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Serilog.Sinks.Console.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\Serilog.Sinks.File.dll
NotSigned C:\Users\roholt\Documents\Dev\PowerShellEditorServices\module\PowerShellEditorServices\bin\Common\UnixConsoleEcho.dll
@rjmholt I believe there's a way for us to sign things as "external deps" but need to do the research.
TylerLeonhardt
on 12 Dec 2019
Has there been any additional update on this? I am fairly interested in a desirable outcome from this.
romero126
on 21 Jan 2020
We talked offline but to capture it here as well...
First comment out this line so you can actually test this:
https://github.com/PowerShell/PowerShellEditorServices/blob/d8fc936bea002b897046e6e4952ae2c837216aa8/src/PowerShellEditorServices.Hosting/EditorServicesLoader.cs#L190
Then see where it breaks with ConstrainedLanguage mode turned on...
Here is a good list to start:​​​​
These are hits for ]:: in PowerShellEditorServices. Any method invocations will have to either be done a different way, or wrapped in a binary cmdlet.
TylerLeonhardt
on 22 Jan 2020
Has anyone started working on this? I'd also love for this to work and can contribute if there is an existing branch.
dkattan
on 16 Apr 2020
Hi @dkattan I don't think anyone is actively working on this. Are you interested in getting involved?
My steps in the comment above yours are still accurate. The way I'd approach this is:
- uncomment the code I mention above
- try to start up with constrainedlanguage mode
- see what goes sideways and try to fix them
You're more than willing to drop any questions you have here.
Once start up works, we can get a PR out to support this... then we can start filling in what doesn't work (like the expand alias feature, remoting feature etc)
TylerLeonhardt
on 17 Apr 2020
ConstrainedLanguage mode is now supported in the PowerShell Preview extension.
TylerLeonhardt
on 29 Apr 2020
Exciting! This should allow us to use it on admin workstations where constrained language mode is enforced.
craig-martin
on 3 May 2020
Well add me to this too! The security gestapos have everything locked up here and I am getting this too
nyannios
on 18 Jul 2020
@nyannios what version of PowerShell are you using? The PowerShell extension only supports v5.1 and higher.
TylerLeonhardt
on 19 Jul 2020
Hey, I downloaded and installed PowerShell 7 for windows and now it's working! Thanks! I was on 4.0
nyannios
on 19 Jul 2020
Related issues
MiYanni
·
3Comments
lukegriffith
·
3Comments
itfranck
·
3Comments
AWahlqvist
·
3Comments
GQnzo
·
3Comments
Most helpful comment
@rjmholt I believe there's a way for us to sign things as "external deps" but need to do the research.