From: João Távora
Newsgroups: gmane.emacs.devel
Subject: Safety of elisp-flymake-byte-compile (Was Re: [Emacs-diffs] scratch/allow-custom-load-paths)
Date: Sat, 08 Dec 2018 13:23:09 +0000
Message-ID: <87sgz89mpu.fsf_-_@gmail.com>
References: <20181204233600.7907.75252@vcs0.savannah.gnu.org> <20181204233601.273DD209DC@vcs0.savannah.gnu.org>
In-Reply-To: ("João Távora"'s message of "Wed, 5 Dec 2018 20:40:07 +0000")
Cc: Glenn Morris, Stefan Monnier
To: emacs-devel

João Távora writes:

> On Wed, Dec 5, 2018, 20:00 Glenn Morris
>
>> +(put 'elisp-flymake-byte-compile-load-path 'safe-local-variable
>> + (lambda (x) (and (listp x) (catch 'tag
>> + (dolist (path x t) (unless (string= p path)
>> + (throw 'tag n= il)))))))
>
> AFAICS the above tests whether the value is valid, not whether it is safe.
> This should probably be a risky-local-variable, like load-path is.
> The default "." seems actively dangerous, in much the same way as having
> "." in a shell's PATH is.
>
> Glenn,
>
> As I tried to explain, I added the validity spec to the variable,
> precisely because I thought 4 was pretty far-fetched, and couldn't
> find any other plausible scenario. Can you?

Hello again,

In the absence of further comments I was going to push this change today
to master (before I discovered that I already did so some days ago,
inadvertently, when I was pushing another flymake-related change, so
sorry about that).

But I'd like to continue the discussion of elisp-flymake-byte-compile's safety.
I think something should be done to address it, even if flymake-mode
never makes it into emacs-lisp-mode-hook.

To illustrate the dimension of the problem, some time ago I was editing
an .el file that had some macros in it and macroexpansions of said
macros in it. In the middle of writing the macro body, I wrote the list

    (delete-directory default-directory)

I never compiled this file or executed this form explicitly in any way.
I merely typed it out, in the wrong place at the wrong time :-) A few
minutes later I discovered that my project directory was completely
wiped out: elisp-flymake-byte-compile has deleted it when byte-compiling
my buffer for warnings.

Thanks to Emacs's buffers, git, and auto-save strategies, it was easy to
recover the lost directory, but obviously it could have been much more
serious than this...

So here's what could improve the situation:

1. Create an elisp-flymake-maybe-enable function that checks the buffer
   for top-level forms that _could_ make it unsafe for byte-compiling on
   the fly. This would include, but not be limited to,
   eval-and-compile, eval-when-compile, defmacro, cl-defmacro, any
   "unknown" top-level form. This will generate a lot of false
   positives (positive meaning "unsafe") but perhaps it could be made to
   generate 0 false negatives and still successfully vet a good number
   of elisp files.

2. In elisp-flymake-byte-compile, disable a significant chunk of Emacs's
   system interface in the slave emacs, including file-system write
   access and network access. Either pass a switch to the subprocess
   invocation or do the byte-compilation in a dynamic environment where
   most of these primitives are disabled, i.e. via cl-letf. It would be
   nice to exempt `load` from this.

3. After 1. and/or 2. re-evaluate the relative safety of
   elisp-flymake-byte-compile-load-path.

I think 2. would be easier to do. Some elisp files checked this way
would possibly report false diagnostics, but at least it would be
slightly safer to enable flymake in elisp-mode.

João
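
Review bot: In the quoted `safe-local-variable` hunk, the predicate passed to `put` checks only the shape of the value (a list whose elements each pass the per-element test), so a file-local setting that names any directory, including a relative one, is accepted without prompting the user. Either drop the `safe-local-variable` property so the user is asked, mark the variable `risky-local-variable` as `load-path` is, or narrow the predicate to values the user has already approved. The lambda also needs a comment stating what property of the value it is meant to guarantee.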
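
A sketch of the vetting pass described in item 1 of the message above, added here as an example in Emacs Lisp; it is not code from the message, from Flymake or from Emacs. The `my-flymake-…` names and both symbol lists are assumptions, and the check goes one step beyond top-level forms by also walking nested ones.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration: every `my-' name is hypothetical, not part of Emacs.

(defvar my-flymake-allowed-heads
  '(defun defvar defconst defcustom defgroup defface provide)
  "Top-level heads this sketch accepts; any other head counts as unknown.")

(defvar my-flymake-compile-time-symbols
  '(eval-when-compile eval-and-compile cl-eval-when defmacro cl-defmacro
    cl-macrolet declare)
  "Symbols that can make code run while compiling (assumed, not exhaustive).
`declare' is listed because specs such as `compiler-macro' install code.")

(defun my-flymake--mentions-p (form symbols)
  "Return non-nil if any of SYMBOLS occurs anywhere inside FORM."
  (cond ((symbolp form) (and (memq form symbols) t))
        ((vectorp form) (my-flymake--mentions-p (append form nil) symbols))
        ((consp form)
         (let (hit)
           ;; Iterate along the list so long constants do not deepen recursion.
           (while (and (consp form) (not hit))
             (setq hit (my-flymake--mentions-p (pop form) symbols)))
           (or hit (my-flymake--mentions-p form symbols)))))) ; dotted tail

(defun my-flymake-buffer-vetted-p (&optional buffer)
  "Return t only if every top-level form in BUFFER passes the vetting.
Nested forms are walked too, since `eval-when-compile' inside a function
body is still evaluated by the byte compiler."
  (with-current-buffer (or buffer (current-buffer))
    (save-excursion
      (save-restriction
        (widen)
        (goto-char (point-min))
        ;; Refuse #N= circular read syntax so the walker always terminates.
        (let ((read-circle nil) (ok t))
          (condition-case nil
              (while ok
                (let ((form (read (current-buffer))))
                  (setq ok (and (consp form)
                                (memq (car form) my-flymake-allowed-heads)
                                (not (my-flymake--mentions-p
                                      form my-flymake-compile-time-symbols))))))
            (end-of-file nil)          ; ran out of complete forms
            (error (setq ok nil)))     ; unreadable text counts as unsafe
          (and ok t))))))
```

A buffer containing only `(defun f () (eval-when-compile (delete-directory default-directory)))` is rejected by the nested walk even though its top-level head is `defun`.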