149
Proc macro sandboxing
(lemmy.ml)
Post funny things about programming here! (Or just rant about your favourite programming language.)
Why would they need to be?
[This comment has been deleted by an automated system]
I don't think this is a problem with proc macros or package managers. This is just a regular supply chain attack, no?
The way I understand it, sandboxing would be detrimental to code performance. Imagine coding a messaging system with a serve struct, only for serde code to be much slower due to sandboxing. For release version it could be suggested to disable sandboxingy but then we would have gained practically nothing.
In security terms, being prepared for incidents is most often better than trying to prevent them. I think this applies here too, and cargo helps here. It can automatically update your packages, which can be used to patch attacks like this out.
If you think I'm wrong, please don't hesitate to tell me!
[This comment has been deleted by an automated system]
I personally don't think they do, but an argument can certainly be made. Rust proc macros can run arbitrary code at compile time. Build scripts can also do this.
This means, adding a dependency in Cargo.toml is often enough for that dependency to run arbitrary code (as rust-analyzer will likely immediately compile it).
In practice, I don't think this is much worse than a dependency being able to run arbitrary code at runtime, but some people clearly do.
I don't know if it is a huge issue but it is definitely a nice to have. There are a few examples I can think of:
I'm sure there are more. For me personally it isn't a huge priority or concern but I would definitely appreciate it. If people are surprised that building a project can compromise their machine than they will likely build things assuming that it won't. Sure, in an ideal world everyone would do their research but in general the safer things are the better.
Analyzing without running might lead to bad situations, in which code behaves differently on runtime vs what the compiler / rust-analyzer might expect.
Imagine a malicious dependency. You add the thing with cargo, and the rust analyzer picks it up. The malicious code was carefully crafted to stay undetected, especially in static code analysis. The rust analyzer would think that the code does different things than it actually will. Could potentially lead to problematic behavior, idk.
Not sure how realistic that scenario is, or how exploitable.