How IntelliJ IDEA’s Trusted Projects Feature Protects You from Malicious Code

IntelliJ IDEA 2020.3.3 introduces a Trusted Projects feature that checks project trust, offers safe mode to block code execution, and provides configuration options to reduce security risks when opening unknown projects across various languages and build systems.

Programmer DD

Spring brings many updates, and IntelliJ IDEA has joined the wave with version 2020.3.3.

The update can be installed via the Toolbox app, via snaps (for Ubuntu users), or downloaded from the official website.

Trusted projects

The main addition is the Trusted Projects feature, aimed at reducing risks when opening projects from unknown or untrusted sources.

Some IntelliJ IDEA features, such as startup tasks, can execute additional code, and a project shared together with its .idea directory may trigger this execution.

Opening a project can therefore run code from build scripts, posing a significant security threat if the project is malicious. Recent attacks have used Visual Studio projects containing malicious code to target security researchers.

With the new Trusted Projects feature, IDEA checks whether a project is trusted before executing any code. If the project is untrusted, the IDE prompts the user to open it in safe mode or fully trusted mode. Safe mode disables all potential code execution, which also disables many IDE features like error highlighting, though the source files remain viewable.

This protection also applies to other build systems (e.g., sbt) and project types such as Python and JavaScript.

To avoid repeated warnings, users can designate a directory for trusted projects; any project located there is automatically trusted. It is recommended to add the directories you normally use to create projects to this trusted location.

Disabling untrusted project warnings by adding the computer’s root directory is possible but not advised, as it greatly increases attack exposure.

Note that building or running Maven or Gradle projects from the command line carries the same security risks as importing them into the IDE, so avoid executing such commands when a project is opened in safe mode.
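Safe mode leaves the source files viewable, so the files that could run code are the ones to read before choosing to trust a project. The following added example (not from the original article or from JetBrains) lists them without parsing or executing anything; the file patterns and the skipped directories are assumptions of this example, not the IDE's own list.

```python
import fnmatch
import tempfile
from pathlib import Path

# Assumption of this example, not JetBrains' list: files that commonly let a
# project run code when it is imported, built, or opened with shared IDE settings.
EXECUTION_SURFACE = {
    "Gradle": ["build.gradle", "build.gradle.kts", "settings.gradle",
               "settings.gradle.kts", "gradle/wrapper/gradle-wrapper.properties"],
    "Maven": ["pom.xml", ".mvn/extensions.xml", ".mvn/wrapper/maven-wrapper.properties"],
    "sbt": ["build.sbt", "project/*.sbt", "project/*.scala"],
    "JavaScript": ["package.json"],
    "Python": ["setup.py"],
    "IDE settings": [".idea/*.xml", ".idea/runConfigurations/*.xml"],
}
SKIP_DIRS = {".git", "node_modules"}  # assumption: VCS and dependency noise

def _tail_matches(parts, pattern):
    """True if the last path components match the '/'-separated pattern."""
    pat = pattern.split("/")
    tail = parts[-len(pat):]
    return len(tail) == len(pat) and all(
        fnmatch.fnmatchcase(t, p) for t, p in zip(tail, pat))

def execution_surface(project_root):
    """Return {category: [relative paths]} of files to review before trusting."""
    # Patterns are matched against the end of each path, so build files in
    # nested modules are reported as well as those in the project root.
    root = Path(project_root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if SKIP_DIRS.intersection(rel.parts):
            continue
        for category, patterns in EXECUTION_SURFACE.items():
            if any(_tail_matches(rel.parts, pat) for pat in patterns):
                findings.setdefault(category, []).append(rel.as_posix())
    return findings

if __name__ == "__main__":
    # Constructed sample project, created in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ["pom.xml", "core/build.gradle.kts", ".idea/workspace.xml", "src/Main.java"]:
            f = Path(tmp, name)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("")
        for category, files in execution_surface(tmp).items():
            print(f"{category}: {', '.join(files)}")
```

An empty result only means none of the listed patterns matched; it does not make a project trustworthy.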

Bug-fixes

Fixed a crash on IntelliJ IDEA startup (JBR-3066).

Fixed unnecessary backslashes in markup files containing code blocks (IDEA-258796).

Fixed a crash when the CUBA plugin attempted to set the zoom level for the CEF browser (JBR-2947).

Keychain now works on Apple Silicon (IDEA-258912).

Fixed a run configuration error when using Cucumber tests in Java (IDEA-256627).

Fixed issues with “Close all objects except fixed” and “Close all objects” actions (IDEA-256044).

Fixed spammy logs when disconnecting from Docker (IDEA-259400).

Fixed erroneous behavior in the Diff view (IDEA-257651).

Fixed focus issues in the branch list (IDEA-254354).

For full details, see the official blog post: https://blog.jetbrains.com/idea/2021/03/intellij-idea-2020-3-3/

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
