[HN Gopher] Arbitrary code execution during compilation - rust ___________________________________________________________________ Arbitrary code execution during compilation - rust Author : eleijonmarck Score : 20 points Date : 2023-03-18 21:45 UTC (1 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | eleijonmarck wrote: | POC to demonstrate how to delete files when cargo build runs | winstonewert wrote: | So... if I'm using a third party crate, I'm already trusting it | not to do bad things in my running application. Why is it such a | big deal that it could do bad things during build time just | before I run it? If I'm using a third party crate... I've got to | trust it one way or the other. So what's the big deal here? | mocko wrote: | In the context of a long-lived build server it could | permanently compromise the machine, allowing an attacker to | modify any other package you publish from there and maintain | that access even after Rust has been fixed. | the_mitsuhiko wrote: | If that build server runs tests too the surface area of such | an attack is similar. | revelio wrote: | We must start systematically sandboxing developer tools. It's | scary how sensitive dev workspaces are, and how much random crap | we run. After decades of training the world's parents and | grandparents not to download and run programs from untrusted | sources we now routinely do it ourselves. | jagrsw wrote: | Most reasonable companies/projects do that. I believe the | compiler explorer project - https://godbolt.org/ - uses nsjail | or maybe firejail for that - https://github.com/compiler- | explorer/compiler-explorer/tree/... int main() | { asm(".incbin \"/etc/passwd\"\n") } | eleijonmarck wrote: | I filed a issue on `rust-analyzer` and apparently it is by design | - https://github.com/rust-lang/rust-analyzer/issues/14375 | landr0id wrote: | I mean it's fairly obvious. You can do this through build.rs | files as well. | | There was talk about trying to compile proc macros to WASM and | run them sandboxed in the compiler. Not sure what happened to | that RFC (by dtolnay?) | alkonaut wrote: | Afaik you don't even need to use macros for this, can't you just | put a build.rs file in the crate and it will execute on build? | | Almost all build/project systems I know have this functionality | simply because execution of arbitrary programs is too useful to | go without. Any C# project (.csproj) for example can include a | task that eats your homework. | | It's scary but I don't see a solution like sandboxing being very | easy to retrofit either. | jiggawatts wrote: | The mistake is that arbitrary transformations != arbitrary | code. | | I want the build process to be able to generate arbitrary code | _based on the inputs given to it_ from the source control -- | but nothing else. No reaching out to HTTP command and control | endpoints, making database calls, or deleting my home | directory. | | It's not just because of security. Security is a _side-benefit_ | here. | | The real benefit is that unrestricted build processes cannot be | versioned with source control. If the build process can "reach | out" and pull in data from external sources, then it will | always use the "latest" version, not the version in that branch | or commit. | | It's about being hygienic. | jhgg wrote: | Then avoid crates that do such things. Other people however | are able to make use of compile time code execution to do | some pretty awesome things. For example, a database library | sqlx can check all the SQL in your code as being | syntactically correct, and also typed correctly against a | test database at compile time. A feature that is useful and | convenient for users of the library. | Longlius wrote: | I would expect any sufficiently powerful macro system would have | to be this way. | | Don't most editors ask you whether or not you want to trust some | code before opening it with full privileges anyway? | landr0id wrote: | Yes, which was kind of a result of people making a fuss about | this a year or two ago iirc. | proctrap wrote: | Old, it's not new that macro expansions, build files and build | tooling can do that. (And if we sandboxed that, you still get | infected release builds, check your deps..) | | See NPM installations and "please sponsor this project" messages, | which can also give you a virus. ___________________________________________________________________ (page generated 2023-03-18 23:00 UTC)