VS Code is becoming more and more awesome along with its crazy extensions, but with all that flexibility and awesomeness come security and privacy risks.
Thus my question: is it at all possible to block a specific extension from accessing the internet?
The answer appears to be no, you can't block extension network access:
VSCode Issue #52116: Extension Permissions, Security Sandboxing & Update Management Proposal remains open. There is recent commenter activity but I see no indication of action by the VSCode team.
The question How to fully disable network request from vs code(telemetry, updates, etc.) reports that setting the obvious switches does not stop VSCode from making network requests.
I made my own simple extension that used the http module to make an external network request and it worked.
I tried setting http.proxy to a bogus value in settings.json, and while that was effective at getting VSCode itself to fail at least one network operation, my test extension was unaffected.
Relatedly, one might ask if there is any system in place to detect or prevent malicious extension behavior. Again the answer seems to be no:
The question Security and Privacy of VSCode extensions and its answer basically seem to boil down to "run your own firewall".
The question How is VS Code Extension Security Handled? and its answer boil down to "Microsoft does nothing to ensure extensions are not malicious".
I have personally uploaded one extension to the Marketplace. I can report that it took about five minutes to appear there; not nearly long enough for anyone to have reviewed it. Furthermore, I inadvertently uploaded it before creating the GitHub repo, but that didn't cause any problems, suggesting that the service does not do any checks to ensure what is on GitHub matches what is in the extension.
Overall, I find this a scary situation. I do a few things to try to protect myself:
I try to stick to extensions that have a lot of downloads, and which have not been updated recently. I then have automatic update disabled. This way, everything I'm running has had some chance to be exposed as malicious before I use it.
The extensions are distributed as VSIX files, which are just ZIP files with a different file name suffix. If I am at all suspicious, I download it as a file first and poke around. Especially check the package.json scripts and the TypeScript or JavaScript source code (if there is any). That is of course far from foolproof but it's something.
It may also be worthwhile to check it with VirusTotal.
2024-06-09: A new service called ExtensionTotal (with which I have no affiliation) purports to check extensions for signs of malicious intent. They claim in a 2024-06-02 blog post to have found ~1000 published extensions with known malicious code, and ~150 that were flagged by VirusTotal. I've only briefly tried it, so who knows, but at least someone seems to be taking the problem seriously even if MS isn't.
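The "download the VSIX and poke around" step above can be scripted. The following is an added example, not code from the answer's author or from VS Code: it opens a VSIX as a ZIP, reads the manifest at extension/package.json (the real layout of a VSIX), and lists the declared scripts, the activation events, and which Node core modules each bundled JavaScript file requires, so the reviewer can see up front whether the extension can reach the network or spawn processes. The module categories, the regexes, and the sample VSIX built in memory are this example's own assumptions, not anything published on the Marketplace.

```python
"""Offline inspection of a VSIX package before installing it.

Added example (not from the original post). A VSIX is a ZIP archive, so the
manifest and the bundled JavaScript can be read without installing anything.
"""
import io
import json
import re
import zipfile

# Node core modules a reviewer usually wants flagged. The category labels are
# this example's own convention, not a VS Code or Node concept.
MODULES_OF_INTEREST = {
    "http": "network", "https": "network", "net": "network", "dns": "network",
    "child_process": "process", "fs": "filesystem", "os": "system",
}

# CommonJS require("x") and ES module `from "x"` forms.
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
IMPORT_RE = re.compile(r"""from\s+['"]([^'"]+)['"]""")


def inspect_vsix(data: bytes) -> dict:
    """Summarise manifest scripts, activation events and module usage of a VSIX."""
    summary = {"scripts": {}, "activation_events": [], "modules": {}, "js_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # The extension manifest lives at extension/package.json inside the archive.
        manifest = json.loads(zf.read("extension/package.json"))
        summary["scripts"] = manifest.get("scripts", {})
        summary["activation_events"] = manifest.get("activationEvents", [])
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            summary["js_files"].append(name)
            source = zf.read(name).decode("utf-8", errors="replace")
            mods = set(REQUIRE_RE.findall(source)) | set(IMPORT_RE.findall(source))
            for mod in sorted(mods):
                # "node:https" and "https" name the same core module.
                base = mod.removeprefix("node:").split("/")[0]
                if base in MODULES_OF_INTEREST:
                    summary["modules"].setdefault(name, {})[base] = MODULES_OF_INTEREST[base]
    return summary


def findings(summary: dict) -> list:
    """Turn the summary into short review notes; an empty list means nothing notable."""
    notes = []
    if summary["scripts"]:
        notes.append("manifest declares npm scripts: " + ", ".join(sorted(summary["scripts"])))
    if "*" in summary["activation_events"]:
        notes.append("activates on every startup ('*')")
    for path, mods in summary["modules"].items():
        notes.append(f"{path} uses " + ", ".join(f"{m} ({c})" for m, c in sorted(mods.items())))
    return notes


def build_sample_vsix() -> bytes:
    """Constructed sample VSIX (not a real published extension) for a dry run."""
    manifest = {
        "name": "sample-ext",
        "publisher": "example",
        "main": "./out/extension.js",
        "activationEvents": ["*"],
        "scripts": {"postinstall": "node ./setup.js"},
    }
    extension_js = (
        'const vscode = require("vscode");\n'
        'const https = require("node:https");\n'
        'function activate() { https.get("https://example.invalid/ping"); }\n'
        'module.exports = { activate };\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
        zf.writestr("extension/out/extension.js", extension_js)
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_vsix() with open("some.vsix", "rb").read() for a real file.
    for note in findings(inspect_vsix(build_sample_vsix())):
        print("-", note)
```

A require of https or child_process is not proof of anything bad (plenty of legitimate extensions fetch updates or run tools), but it tells you where to read first, which is exactly the manual check the answer describes.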