IntelliJ IDEA 2020.3.3 Is Available
The new bug-fix update for IntelliJ IDEA 2020.3.3 is out! You can update to the new version from inside the IDE, with the Toolbox App, or using snaps if you are an Ubuntu user. It is also available for download from our website.
In this release, we’ve added an important new feature:
IntelliJ IDEA 2020.3.3 introduces the concept of trusted projects, designed to mitigate the risks associated with opening projects from unknown and untrusted sources.
Many modern build systems, including Maven and Gradle, rely on code execution for building the project model that the IDE needs in order to understand the project structure and its dependencies. In Gradle, the build script itself is code written in either Groovy or Kotlin. In Gradle and Maven, the build script can reference plugins – the build system will download the plugins from locations specified in the build scripts and execute code in those plugins.
In addition to the issues inherent to the Maven and Gradle design, some of IntelliJ IDEA’s features (for example, startup tasks) introduce additional code execution possibilities enabled by sharing a project together with its .idea directory.
Thus, the simple act of opening a project in the IDE could lead to code execution from the project build scripts. If a malicious actor creates the project, this can be a significant security risk. Unfortunately, the risk is not merely hypothetical – there have been recent attempts to attack security researchers by sending them Visual Studio projects containing malicious code.
We’ve introduced trusted projects to mitigate these risks. When you open a project, IntelliJ IDEA doesn’t execute any code from it and checks whether it is trusted or from a trusted location. If the project currently is not trusted, the IDE will ask you to choose whether to open it in safe mode or full-trust mode. If you open a project in safe mode, the IDE will disable all potential code execution upon opening. Since this makes it impossible to build an accurate project model, many IDE features, such as error highlighting, will be disabled. However, you can still browse the project’s contents and open its source files in the editor.
To avoid showing warnings for every project, the IDE allows you to define trusted locations in Preferences/Settings | Build, Execution, Deployment | Trusted Locations. Projects in directories specified as “Trusted Locations” are always considered trusted. To ensure that you get the untrusted project warnings only when something out of the ordinary is happening, we recommend adding the directory where you usually create projects to your trusted locations.
If you want to disable the untrusted project warnings, you can add your PC’s root directory to the trusted locations. However, we do not recommend doing this, as it could potentially leave you open to an attack.
Note that building or running a Maven or Gradle project from the command line carries the same security risks as importing it into an IDE. So if you choose to open the project in the safe mode, you also need to avoid running Maven or Gradle commands in the terminal.
For more information, please refer to the documentation page on project security.
IntelliJ IDEA 2020.3.3 also brings significant fixes:
- Fixed the crashes happening on IntelliJ IDEA startup. [JBR-3066]
- Fixed the issue causing unnecessary backslashes to be added in Markdown files containing code blocks. [IDEA-258796]
- Fixed the IntelliJ IDEA crashes occurring when the CUBA plugin tried to set a zoom level for the CEF browser. [JBR-2947]
- Keychain is now available on Apple Silicon. [IDEA-258912]
- Fixed the run configuration errors when using Cucumber tests with Java. [IDEA-256627]
- Fixed issues with the Close All But Pinned and Close All actions. [IDEA-256044]
- Fixed logs’ spamming when disconnecting from Docker. [IDEA-259400]
- Fixed the wrong behavior of the Diff view. [IDEA-257651]
- Fixed a focus issue in the branch list. [IDEA-254354]
That’s all for today! Check out the full list of addressed issues in the release notes. If you have any suggestions for improving IntelliJ IDEA, do not hesitate to post them to our issue tracker or comment on this post.