Flycheck 的 Emacs Lisp 语法检查依赖于 Emacs Byte Compiler(当然 Flymake 应该也一样),而 Byte Compile 时会执行代码来展开宏,这里会有安全隐患,比如这样一个宏:
(defmacro foo ()
(shell-command "date >> /tmp/foo"))
如果开启了 Flycheck,这个 Shell 命令会不断地执行:
我想到这个是因为昨天看了:
7 个赞
如果你开了 global-flycheck-mode,就要注意不能随便点开别人给你发的 Emacs Lisp 文件。
考虑发下邮件?
给flycheck开发者报bug吧
这个感觉不好解决吧, 我刚刚试了一下 flymake 也是一样的
确实应该向上游报告。
尽管我估计开发者十有八九清楚这个问题,而且 Flycheck、Flymake 本身不太可能解决这个问题,得专门写个安全的 Emacs Lisp 语法检查器或者给 Emacs 加个 Sandbox,这远远超出了 Flycheck、Flymake 的范畴。
我的意思是报给emacs,主题是 A Secure Emacs Lisp Analyzer Required 之类的。
以后只能在docker中玩emacs了?
一个naive的方法是可选地禁止某些函数在宏展开的时候运行。
比如设置一个变量inhibit-risky-macro-expand-function,然后像risky-local-variable那样把一些函数标记为risky-macro-expand-function,比如I/O操作,fork process,等等。如果inhibit-risky-macro-expand-function为t,展开宏的时候就不运行这些函数。
语法检查器就可以let bind inhibit-risky-macro-expand-function为t。
别的lisp编辑器是怎么解决这个问题的?@ldbeth
To address this problem, compilers can support a subjunctive environment [9], a special LISP environment which is quarantined from the current environment for the purposes of compilation. (IBM’s Yorktown Lisp compiler provided saved states for this purpose [10]). A LISP environment is presumably everything with dynamic extent that can be changed by evaluating top-level forms in user code; it can include the data for the reader, definitions for macros, structures, setf methods, and types, special proclamations, and even function definitions. The purpose of a subjunctive environment is to insulate the current environment from side-effects of using the compiler. The compiler runs in its own subjunctive environment.
我感觉他讲的跟安全隐患不太一样,他说的危险是污染运行环境,而不是执行代码本身可能的危害。
Evaluating arbitrary user code in the current LISP environment can be dangerous, because it may break existing code by redeiining existing functions and macros, altering the properties of symbols, or changing the state of the reader.10 It can also change the behavior of functions
我只挑了怎么做。你大概沒看全。
哦,xuchunyang举例用的是(shell-command),之后又说说「注意不能随便点开别人给你发的 Emacs Lisp 文件。」我就以为他说的安全隐患是指恶意代码运行rm -rf ~之类的,而不是你说的那些。
我也是这么理解的~~~ 