this post was submitted on 06 Sep 2023
149 points (94.6% liked)

Programmer Humor

32031 readers
1624 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
cat_programmer@lemmy.ml
149
Proc macro sandboxing (lemmy.ml)
submitted 1 year ago by Victim_0@lemmy.ml to c/programmerhumor@lemmy.ml
24 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] paholg@lemm.ee 10 points 1 year ago (1 children)

I personally don't think they do, but an argument can certainly be made. Rust proc macros can run arbitrary code at compile time. Build scripts can also do this.

This means, adding a dependency in Cargo.toml is often enough for that dependency to run arbitrary code (as rust-analyzer will likely immediately compile it).

In practice, I don't think this is much worse than a dependency being able to run arbitrary code at runtime, but some people clearly do.

[–] kevincox@lemmy.ml 1 points 1 year ago (1 children)

I don't know if it is a huge issue but it is definitely a nice to have. There are a few examples I can think of:

  1. I open the code in my IDE but build somewhere sandboxed. It would be nice if my IDE didn't execute the code and can still do complete analysis of the project. This could also be relevant when reviewing code. Often for big changes I will pull it locally so that I can use my IDE navigation to browse it. But I don't want to run the change until I finish my review as there may be something dangerous there.
  2. I am working on a WebAssembly project. The code will never run on my host machine, only in a browser sandbox.
  3. I want to do analysis on Rust projects like linting, binary size analysis. I don't want to actually run the code and want it to be secure.
  4. I want to offer a remote builder service.

I'm sure there are more. For me personally it isn't a huge priority or concern but I would definitely appreciate it. If people are surprised that building a project can compromise their machine than they will likely build things assuming that it won't. Sure, in an ideal world everyone would do their research but in general the safer things are the better.

[–] PlexSheep@feddit.de 1 points 1 year ago

Analyzing without running might lead to bad situations, in which code behaves differently on runtime vs what the compiler / rust-analyzer might expect.

Imagine a malicious dependency. You add the thing with cargo, and the rust analyzer picks it up. The malicious code was carefully crafted to stay undetected, especially in static code analysis. The rust analyzer would think that the code does different things than it actually will. Could potentially lead to problematic behavior, idk.

Not sure how realistic that scenario is, or how exploitable.