extend pragma(msg) with writing to file
bauss
jacobbauss at gmail.com
Thu Oct 6 12:08:16 UTC 2022

On Thursday, 6 October 2022 at 09:55:34 UTC, a11e99z wrote:
> for example
> for generating sources for other languages (interop)
> or for viewing/checking auto generated code
> ```d
> version (CS) pragma("interop.file.cs", ...);
> pragma("just.to.check.generated.code.d", ...);
> ```
>
> 1) I know that there are security issues with it but IDK which
> ones, so please explain.
>
> 2) allow writing files only to a folder (compiler's choice) **"g"**
> or **"gen"** for the current source file or for the current project.
> Disallow any folder-changing symbols like '/', '\\', "..", and
> anything less than ASCII SPACE, etc.

That is never going to be implemented; it has been suggested before
that compile-time file writing should be supported.

It's a very controversial topic because there's a huge security
risk in allowing third parties access to your filesystem,
especially without executing an application or anything and
simply from building source code or it being a dependency of some
other package.

The risk is much greater when I/O happens at compile-time because
it's very difficult for, e.g., an AV to pick up on malicious intent
when it can't really scan for malicious executable code, as AVs
typically aren't scanning source code.

So while you could argue that someone could create malicious code
and compile it with your program and the result would be the
same, the difference is that if the malicious code
runs at compile-time then your system most likely won't pick up
on it and you won't be protected, while if the same code ran at runtime then
your system will most likely do so.
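
The file-name restriction proposed in point 2 of the quoted message, written out as a compile-time-evaluable check. This is an added example, not code from either poster or from the D compiler; `isAllowedGenName` and the sample names are hypothetical, and the rule is taken literally from the quoted list ('/', '\\', "..", anything below ASCII SPACE).

```d
module genname_check;

/// Hypothetical helper (not a compiler or Phobos API): returns true when
/// `name` passes the rule quoted above, so it could only ever name a file
/// directly inside the compiler-chosen "gen" folder.
bool isAllowedGenName(string name) pure nothrow @nogc @safe
{
    if (name.length == 0)
        return false;

    // Iterating as `char` walks code units, so no UTF decoding is involved.
    foreach (i, char c; name)
    {
        // Control characters and both path separators are rejected.
        if (c < ' ' || c == '/' || c == '\\')
            return false;

        // Any ".." sequence is rejected, wherever it appears in the name.
        if (c == '.' && i + 1 < name.length && name[i + 1] == '.')
            return false;
    }
    return true;
}

// The checks below run during compilation (CTFE); a failing one stops the build.
// All names are constructed samples.
static assert( isAllowedGenName("interop.file.cs"));
static assert( isAllowedGenName("just.to.check.generated.code.d"));
static assert(!isAllowedGenName(""));
static assert(!isAllowedGenName("../other.d"));
static assert(!isAllowedGenName("sub/dir.d"));
static assert(!isAllowedGenName("sub\\dir.d"));
static assert(!isAllowedGenName("a\tb.d"));

// The quoted list does not mention ':' (drive and stream separator on
// Windows), so the literal rule accepts this name. The "etc" in the proposal
// would have to become an explicit allow-list of characters to be complete.
static assert( isAllowedGenName("out.d:stream"));

void main() {}
```

A check like this only constrains where a file lands; it does not address the concern raised in the reply that any write during a build happens before the code is ever run.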