Edit: since this got out, the team has reached out and said that it is by design. See rust-lang/rust-analyzer#14375.
This proof-of-concept demonstrates how Rust macros can be abused to interact with the machine that the compilation happens on. When `do_not_compile_this_code` is opened in VS Code with the `rust-analyzer` plugin, the editor expands the `some_macro!()` macro. This macro reads the content of `~/.ssh/id_rsa_do_not_try_this_at_home` and deletes the file. This behavior also occurs when `cargo build` is run or when the application is run.
The key insight is that Rust macros are expanded before/during compilation, which means arbitrary code execution during compilation. This demonstrates a huge vulnerability in the Rust ecosystem that needs to be taken seriously.
- Clone this repo: `git clone https://github.com/eleijonmarck/do-not-run-this-code.git`
- Create an SSH key at `~/.ssh/id_rsa_do_not_try_this_at_home` with sample contents: `echo "do not try this at home" > ~/.ssh/id_rsa_do_not_try_this_at_home`
- Open `do_not_compile_this_code` in your IDE (e.g. VS Code) with `rust-analyzer`
Once it is open, VS Code will analyze and index the code, including the expansion of macros, and you should then see that your `~/.ssh/id_rsa_do_not_try_this_at_home` has been deleted. 🤫 oops!
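A defender's check for the behavior described above, as an added example (not code from this repository or from rust-analyzer): before opening or building an unfamiliar workspace, list the crates whose manifests declare a procedural macro and, going one step beyond what this page covers, those with a build script, since both run as ordinary programs on the host during compilation and IDE analysis. The function names are made up for this example, and the manifest check is line-based, assuming conventionally formatted `Cargo.toml` files.

```rust
use std::{env, fs, path::{Path, PathBuf}};

/// Why a crate manifest implies code running at build or IDE-analysis time.
/// Assumption: line-based check on conventional manifests, not a full TOML parser.
fn compile_time_exec(manifest: &str, has_build_rs: bool) -> Vec<&'static str> {
    let mut reasons = Vec::new();
    let mut section = String::new();
    let mut build_key: Option<bool> = None; // Some(false) means `build = false`
    for raw in manifest.lines() {
        let line = raw.split('#').next().unwrap_or("").trim(); // drop comments
        if line.starts_with('[') {
            section = line.to_string();
            continue;
        }
        let kv: String = line.chars().filter(|c| !c.is_whitespace()).collect();
        // `proc_macro` is the older spelling of the same key.
        if section == "[lib]" && (kv == "proc-macro=true" || kv == "proc_macro=true") {
            reasons.push("proc-macro");
        }
        if section == "[package]" && kv.starts_with("build=") {
            build_key = Some(kv != "build=false");
        }
    }
    // Without an explicit `build` key, Cargo picks up build.rs next to the manifest.
    if build_key.unwrap_or(has_build_rs) { reasons.push("build-script"); }
    reasons
}

/// Recursively collect every Cargo.toml under `root` that has a reason to flag.
fn scan(root: &Path, hits: &mut Vec<(PathBuf, Vec<&'static str>)>) {
    let Ok(entries) = fs::read_dir(root) else { return };
    for path in entries.flatten().map(|e| e.path()) {
        if path.is_dir() && !path.is_symlink() {
            scan(&path, hits);
        } else if path.file_name().map_or(false, |n| n == "Cargo.toml") {
            let text = fs::read_to_string(&path).unwrap_or_default();
            let reasons = compile_time_exec(&text, root.join("build.rs").is_file());
            if !reasons.is_empty() { hits.push((path, reasons)); }
        }
    }
}

fn main() {
    let root = env::args().nth(1).unwrap_or_else(|| ".".to_string());
    let mut hits = Vec::new();
    scan(Path::new(&root), &mut hits);
    for (manifest, reasons) in hits {
        println!("{}: {}", manifest.display(), reasons.join(", "));
    }
}
```

Run it against the checkout from a plain terminal, and against the output of `cargo vendor` to cover dependencies as well; every flagged crate is source to review before the workspace is opened in an editor with rust-analyzer or built.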
For more information, there is some great discussion in the Hacker News thread: https://news.ycombinator.com/item?id=35213400