Proc macro sandboxing - eviltoast
  • PlexSheep@feddit.de
    1 year ago

    Analyzing without running might lead to bad situations, in which code behaves differently at runtime vs what the compiler / rust-analyzer might expect.

    Imagine a malicious dependency. You add the thing with cargo, and the rust analyzer picks it up. The malicious code was carefully crafted to stay undetected, especially in static code analysis. The rust analyzer would think that the code does different things than it actually will. Could potentially lead to problematic behavior, idk.

    Not sure how realistic that scenario is, or how exploitable.