Stealing secrets with Rust macros

[reinerh]

I just stumbled on this PoC project that demonstrates that simply opening a Rust project in VScode (or just building it on CLI) will read secret files and send them over network: https://github.com/lucky/bad_actor_poc

Firejail would protect against reading the SSH key when starting VScode, but it looks like we still miss a cargo profile. :-)

[rusty-snake]

Stealing ssh-keys in build.rs works too. And build.rs is executed if you link against bad-crate (i.e. it is in Cargo.toml). Proc-macros aren't executed as long as you don't call them.

That are the default-prefs of gnome-builder for (semantic) code-completion, warnings/annotation. As you can see Stylelint, ESlint and Pylint are disabled by default because they may execute code (e.g. setup.py?). But cargo check executes no code!1!!!11!