Stream: t-compiler/rust-analyzer

Topic: vscode bad_actor


bynx (May 20 2021 at 17:42, on Zulip):

Wondering if anyone has seen this yet (code exec via macro expansion when loading a crate in VSCode)?

https://github.com/lucky/bad_actor_poc

Jonas Schievink [he/him] (May 20 2021 at 17:43, on Zulip):

of course :)

bynx (May 20 2021 at 17:44, on Zulip):

Cool cool haha. I figured - but just wanted to double check

Edwin Cheng (May 20 2021 at 22:21, on Zulip):

And see also: https://rust-analyzer.github.io/manual.html#security

Daniel Frampton (May 21 2021 at 16:35, on Zulip):

It could be interesting to look at the workspace trust feature of vscode https://github.com/microsoft/vscode/issues/120251

Jonas Schievink [he/him] (May 21 2021 at 16:36, on Zulip):

yeah, that seems like a good solution

Jonas Schievink [he/him] (May 21 2021 at 16:36, on Zulip):

is it exposed via LSP?

Daniel Frampton (May 21 2021 at 16:44, on Zulip):

I don't know the details, but I am happy to help find out. I might go ahead and get an issue created in https://github.com/rust-analyzer/rust-analyzer

Daniel Frampton (May 21 2021 at 16:57, on Zulip):

It looks fairly simple to just add the capability setting to always require trust, which might be the right approach for now. But in theory it might be possible to support the limited mode and provide some functionality.

Jonas Schievink [he/him] (May 21 2021 at 16:59, on Zulip):

implementation-wise the untrusted mode would basically require us to never run any external commands

Daniel Frampton (May 21 2021 at 17:01, on Zulip):

I am guessing it would be possible to have a mode that provided intellisense for a project with no build.rs or proc_macros, but it would require some care to make sure it was done right.

Jonas Schievink [he/him] (May 21 2021 at 17:07, on Zulip):

what if r-a would do std::env::remove_var("PATH")? that would make it impossible to invoke most external programs. ah, but I guess Windows searches the current directory first

Daniel Mcnab (May 21 2021 at 17:09, on Zulip):

Impossible to invoke most external programs, apart from literally every external program just by passing in an absolute path.

Jonas Schievink [he/him] (May 21 2021 at 17:09, on Zulip):

yes, but that doesn't happen by accident

Jonas Schievink [he/him] (May 21 2021 at 17:10, on Zulip):

I'm trying to safeguard against an accidental cargo invocation or something similar while in untrusted mode

Daniel Frampton (May 21 2021 at 18:13, on Zulip):

In any case, I think once you enable the trusted workspaces feature the default is to require trust to run rust-analyzer. So it might be that we don't really need to do anything here unless we want to support the limited mode. Though we could add the option in the package.json to make that explicit.

Laurențiu (May 22 2021 at 04:30, on Zulip):

Daniel Frampton said:

I am guessing it would be possible to have a mode that provided intellisense for a project with no build.rs or proc_macros, but it would require some care to make sure it was done right.

That would provide no rustc diagnostics either.

Last update: Jul 26 2021 at 12:45 UTC