https://github.com/eleijonmarck/do-not-compile-this-code

Skip to content Toggle navigation
 
Sign up

  * Product
      +  
        Actions
        Automate any workflow
      +  
        Packages
        Host and manage packages
      +  
        Security
        Find and fix vulnerabilities
      +  
        Codespaces
        Instant dev environments
      +  
        Copilot
        Write better code with AI
      +  
        Code review
        Manage code changes
      +  
        Issues
        Plan and track work
      +  
        Discussions
        Collaborate outside of code
      + Explore
      + All features
      + Documentation
      + GitHub Skills
      + Blog
  * Solutions
      + For
      + Enterprise
      + Teams
      + Startups
      + Education
      + By Solution
      + CI/CD & Automation
      + DevOps
      + DevSecOps
      + Case Studies
      + Customer Stories
      + Resources
  * Open Source
      +  
        GitHub Sponsors
        Fund open source developers
      +  
        The ReadME Project
        GitHub community articles
      + Repositories
      + Topics
      + Trending
      + Collections
  * Pricing

[                    ] 

  *  
    #
    In this repository All GitHub |
    Jump to |

  * No suggested jump to results

  *  
    #
    In this repository All GitHub |
    Jump to |
  *  
    #
    In this user All GitHub |
    Jump to |
  *  
    #
    In this repository All GitHub |
    Jump to |

Sign in
Sign up
{{ message }}
eleijonmarck / do-not-compile-this-code Public

  * Notifications
  * Fork 0
  * Star 10

License

MIT license
10 stars 0 forks
Star
Notifications

  * Code
  * Issues 0
  * Pull requests 0
  * Actions
  * Projects 0
  * Security
  * Insights

More

  * Code
  * Issues
  * Pull requests
  * Actions
  * Projects
  * Security
  * Insights

eleijonmarck/do-not-compile-this-code

This commit does not belong to any branch on this repository, and may
belong to a fork outside of the repository.
master
Switch branches/tags
[                    ]
Branches Tags
Could not load branches
Nothing to show
{{ refName }} default View all branches
Could not load tags
Nothing to show
{{ refName }} default
View all tags

Name already in use

A tag already exists with the provided branch name. Many Git commands
accept both tag and branch names, so creating this branch may cause
unexpected behavior. Are you sure you want to create this branch?
Cancel Create
1 branch 0 tags
Code

  * Local
  * Codespaces

  *  
    Clone
    HTTPS GitHub CLI
    [https://github.com/e]

    Use Git or checkout with SVN using the web URL.

    [gh repo clone eleijo]

    Work fast with our official CLI. Learn more.

  * Open with GitHub Desktop
  * Download ZIP

Sign In Required

Please sign in to use Codespaces.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio Code

Your codespace will open once ready.

There was a problem preparing your codespace, please try again.

Latest commit

@eleijonmarck
eleijonmarck Update README.md
...
e1fc2c0 Mar 18, 2023
Update README.md
e1fc2c0

Git stats

  * 8 commits

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
do_not_compile_this_code
initial commit
March 18, 2023 21:28
innocent_lib
initial commit
March 18, 2023 21:28
LICENSE
initial commit
March 18, 2023 21:28
README.md
Update README.md
March 18, 2023 21:57
View code
Arbitrary code execution during compliation POC Try it out yourself:

README.md

 Arbitrary code execution during compliation POC

This proof-of-concept demonstrates how Rust macros can be abused to
interact with the machine that the compliation happens on. When the
do_not_compile_this_code is opened in VS Code with the rust-analyzer
plugin, the editor expands the some_macro!() macro. This macro reads
then content of ~/.ssh/id_rsa_do_not_try_this_at_home and deletes the
file. This behavior also occurs when cargo build is run or when the
application is run.

The key insight is that Rust macros are expanded before/during
compilation, i.e. arbitrary code execution during compilation. This
is a demostration that this is a huge vulnerability in the rust
ecosystem that needs to be taken seriosly.

 Try it out yourself:

  * Clone this repo

git clone https://github.com/eleijonmarck/do-not-run-this-code.git

  * Create an SSH key at ~/.ssh/id_rsa_do_not_try_this_at_home with
    sample contents

echo "do not try this at home" > ~/.ssh/id_rsa_do_not_try_this_at_home

  * Open do_not_compile_this_code in your IDE (eg: VSCode) with
    rust-analyzer

Once open, VSCode will analyze and index the code, including the
expansion of macros, then you should see the contents of your .ssh/
id_rsa_do_not_try_this_at_home will be deleted.  oops!

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Stars

10 stars

Watchers

2 watching

Forks

0 forks

Releases

No releases published

Packages 0

No packages published

Languages

  * Rust 100.0%

Footer

 (c) 2023 GitHub, Inc.

Footer navigation

  * Terms
  * Privacy
  * Security
  * Status
  * Docs
  * Contact GitHub
  * Pricing
  * API
  * Training
  * Blog
  * About

You can't perform that action at this time.
You signed in with another tab or window. Reload to refresh your
session. You signed out in another tab or window. Reload to refresh
your session.