unofficial mirror of emacs-devel@gnu.org 
From: "João Távora" <joaotavora@gmail.com>
To: emacs-devel <emacs-devel@gnu.org>
Cc: Glenn Morris <rgm@gnu.org>, Stefan Monnier <monnier@iro.umontreal.ca>
Subject: Safety of elisp-flymake-byte-compile (Was Re: [Emacs-diffs] scratch/allow-custom-load-paths)
Date: Sat, 08 Dec 2018 13:23:09 +0000
Message-ID: <87sgz89mpu.fsf_-_@gmail.com>
In-Reply-To: <CALDnm524yZReQO_gN7-8nLQuoUNXcSLgZQT=rvOw5mAbJS9h9g@mail.gmail.com> ("João Távora"'s message of "Wed, 5 Dec 2018 20:40:07 +0000")

João Távora <joaotavora@gmail.com> writes:

> On Wed, Dec 5, 2018, 20:00 Glenn Morris <rgm@gnu.org> wrote:
>
>  >> +(put 'elisp-flymake-byte-compile-load-path 'safe-local-variable
>  >> +     (lambda (x) (and (listp x) (catch 'tag
>  >> +                                  (dolist (path x t) (unless (stringp path)
>  >> +                                                       (throw 'tag nil)))))))
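Review bot: the predicate only confirms that the value is a list of strings; it says nothing about where those directories point, so a `.dir-locals.el` can declare any list of directories as safe and the child Emacs doing the byte-compilation will then load code from them. That is the same exposure that makes `load-path` a risky-local-variable, so marking this variable risky fits better than a shape check. If a `safe-local-variable` predicate is kept anyway, the `catch`/`dolist`/`throw` chain reads more clearly as `(and (listp x) (cl-every #'stringp x))`.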
>
>  AFAICS the above tests whether the value is valid, not whether it is safe.
>  This should probably be a risky-local-variable, like load-path is.
>  The default "." seems actively dangerous, in much the same way as having
>  "." in a shell's PATH is.
>
> Glenn,
>
> As I tried to explain, I added the validity spec to the variable,
> precisely because I thought 4 was pretty far-fetched, and couldn't
> find any other plausible scenario. Can you?

Hello again,

In the absence of further comments I was going to push this change today
to master (before I discovered that I already did so some days ago,
inadvertently, when I was pushing another flymake-related change, so
sorry about that).

But I'd like to continue the discussion of elisp-flymake-byte-compile's
safety.  I think something should be done to address it, even if
flymake-mode never makes it into emacs-lisp-mode-hook.  

To illustrate the dimension of the problem, some time ago I was editing
an .el file that had some macros in it and macroexpansions of said
macros in it.  In the middle of writing the macro body, I wrote the list

   (delete-directory default-directory)

I never compiled this file or executed this form explicitly in any way.
I merely typed it out, in the wrong place at the wrong time :-) A few
minutes later I discovered that my project directory was completely
wiped out: elisp-flymake-byte-compile had deleted it when byte-compiling
my buffer for warnings.

Thanks to Emacs's buffers, git, and auto-save strategies, it was easy to
recover the lost directory, but obviously it could have been much more
serious than this...

So here's what could improve the situation:

1. Create an elisp-flymake-maybe-enable function that checks the buffer
   for top-level forms that _could_ make it unsafe for byte-compiling on
   the fly.  This would include, but not be limited to, eval-and-compile,
   eval-when-compile, defmacro, cl-defmacro, any "unknown" top-level
   form.  This will generate a lot of false positives (positive meaning
   "unsafe") but perhaps it could be made to generate 0 false negatives
   and still successfully vet a good number of elisp files.

2. In elisp-flymake-byte-compile, disable a significant chunk of Emacs's
   system interface in the slave emacs, including file-system write
   access and network access.  Either pass a switch to the subprocess
   invocation or do the byte-compilation in a dynamic environment where
   most of these primitives are disabled, i.e. via cl-letf.  It would be
   nice to exempt `load` from this.

3. After 1. and/or 2. re-evaluate the relative safety of
   elisp-flymake-byte-compile-load-path

I think 2. would be easier to do.  Some elisp files checked this way
would possibly report false diagnostics, but at least it would be
slightly safer to enable flymake in elisp-mode.

João   
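As an added illustration of proposal 1 above (not code from this message, nor from Emacs's flymake or elisp-mode), the following allow-list scanner reads the buffer with `read` only, so nothing is evaluated or macroexpanded, and reports every top-level form it cannot vet, erring toward false positives; all `my-elisp-flymake-` names are hypothetical.

```elisp
;; Added example, not part of the original message or of Emacs.
;; All `my-elisp-flymake-' names are hypothetical.

(defconst my-elisp-flymake-safe-heads
  '(defun defvar defconst defcustom defgroup defface defalias
    declare-function)
  "Heads of top-level forms treated as safe to byte-compile on the fly.
Deliberately absent: `defmacro', `cl-defmacro', `eval-when-compile',
`eval-and-compile', plus `require' and `autoload', which the byte
compiler evaluates at compile time (so a custom load-path matters).")

(defconst my-elisp-flymake-compile-time-heads
  '(eval-when-compile eval-and-compile cl-eval-when)
  "Heads whose body the byte compiler runs wherever they appear.")

(defun my-elisp-flymake--compile-time-p (form)
  "Non-nil if FORM is, or contains, a compile-time evaluating subform.
Walks conses only, so dotted lists cannot make it signal an error."
  (when (consp form)
    (or (memq (car form) my-elisp-flymake-compile-time-heads)
        (let (found)
          (while (and (consp form) (not found))
            (setq found (my-elisp-flymake--compile-time-p (car form))
                  form (cdr form)))
          found))))

(defun my-elisp-flymake-unsafe-forms (&optional buffer)
  "Return a list of (END-POS . HEAD) for top-level forms not vetted as safe.
Uses `read' only, so nothing runs; a reader error is itself reported."
  (with-current-buffer (or buffer (current-buffer))
    (save-excursion
      (goto-char (point-min))
      (let (unsafe)
        (condition-case nil
            (while t
              (let* ((form (read (current-buffer)))
                     (head (if (consp form) (car form) 'atom)))
                (when (or (not (memq head my-elisp-flymake-safe-heads))
                          (my-elisp-flymake--compile-time-p form))
                  (push (cons (point) head) unsafe))))
          (end-of-file nil)
          (error (push (cons (point) 'read-error) unsafe)))
        (nreverse unsafe)))))

(defun my-elisp-flymake-maybe-enable ()
  "Enable `flymake-mode' only when every top-level form vets as safe."
  (let ((unsafe (my-elisp-flymake-unsafe-forms)))
    (if unsafe
        (message "Not enabling flymake, unvetted forms: %S" (mapcar #'cdr unsafe))
      (flymake-mode 1))))
```

Adding `my-elisp-flymake-maybe-enable` to `emacs-lisp-mode-hook` in place of `flymake-mode` keeps the checker off for any buffer containing a `defmacro`, a compile-time evaluation form, or a form the allow-list does not know.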



Thread overview:
2018-12-05  4:34   ` [Emacs-diffs] scratch/allow-custom-load-paths-in-elisp-flymake 4ef9711: Allow custom load paths in elisp's byte-compilation Flymake Stefan Monnier
2018-12-05 15:14     ` João Távora
2018-12-05 20:00     ` Glenn Morris
2018-12-05 20:40       ` João Távora
2018-12-08 13:23         ` João Távora [this message]
2018-12-08 15:36           ` Safety of elisp-flymake-byte-compile (Was Re: [Emacs-diffs] scratch/allow-custom-load-paths) Stefan Monnier
2018-12-10  0:20             ` João Távora
2018-12-10  2:22               ` Stefan Monnier
2018-12-10 23:17                 ` João Távora
2018-12-11 14:03                   ` Stefan Monnier
2018-12-14 12:00                     ` João Távora
2018-12-14 12:15                       ` Stefan Monnier
2018-12-14 13:09                         ` João Távora
2018-12-14 13:27                           ` Stefan Monnier
2018-12-14 13:38                             ` João Távora
2018-12-14 14:13                               ` Stefan Monnier
2018-12-11 19:30                   ` Sandboxing (was: Safety of elisp-flymake-byte-compile) Stefan Monnier
2018-12-14  1:35                     ` Sandboxing João Távora
