Hacker News new | ask | show | jobs
by duped 1862 days ago
This is as huge a deal as "using ./configure && make install to exfiltrate secrets."

It's a class of supply chain attack focusing on build time code evaluation. Almost every programming language has some kind of support for arbitrary code execution at build time, and any project of scale is going to require it.

RCE isn't an interesting exploit when the system is literally designed to run code from somewhere else.
2 comments
not2b 1862 days ago
No, it's worse. People will have very different expectations. Running 'make install' especially as root implies a high level of trust, so users will be appropriately cautious. Users won't expect that simply opening code in an editor will be similarly risky (though it's similar to malicious Word and Excel macros, Office now disables those by default for documents coming from an untrusted source, like via email).
link
j4yav 1862 days ago
This isn’t build time though really, which I agree is a moment you would expect to run arbitrary code. This is “edit time.”
link
duped 1862 days ago
It is build time. Whether rust-analyzer should run build-time code at initialization is a different discussion.
link
j4yav 1861 days ago
That is a more philosophical definition of build time than what I am referring to.
link
duped 1861 days ago
It's not philosophical, it is literal.

Rust macros and build.rs require build commands to be executed by the rust compiler (cargo check, for example).

These are third party tools that have been implemented to execute build commands during initialization. It's not an issue with Rust, it's an issue with the implementation of the language client and text editor allowing the client to initialize when opening a workspace.

link
j4yav 1861 days ago
What I mean is that my definition of build time is more things that happen when you are running a build. If you do build time things at other times then I don’t personally consider them build time activities any more. You have converted your build time activities into something more general at that point.

They may be spiritually or metaphorically still build steps in some sense, but they are happening outside that context.

link