extend pragma(msg) with writing to file
Andrey Zherikov
andrey.zherikov at gmail.com
Fri Oct 7 16:22:22 UTC 2022
On Thursday, 6 October 2022 at 12:08:16 UTC, bauss wrote:
> It's a very controversial topic because there's a huge security
> risk in allowing third-parties access to your filesystem,
> especially without executing an application or anything and
> simply from building source code or it being a dependency of
> some other package.
>
> The risk is much greater when I/O happens at compile-time
> because it's very difficult for ex. an AV to pick up on
> malicious intend when it can't really scan for malicious
> executable code, as AVs typically aren't scanning source codes.
We already have read compile-time access to a system by
[`import("foo.txt")`](https://dlang.org/spec/expression.html#import_expressions). How does write access change the risk in principle?
> So while you could argue that someone could create malicious
> code and compile it with your program and the result would be
> the same, then the difference in it is that if the malicious
> code runs at compile-time then your system most likely won't
> pick up on it and protected, while if the same code ran at
> runtime then your system will most likely do so.
It's possible to prevent inclusion of generated file into the
compilation. For example, generated file might not be in any
-I/-J (sub)dirs.
More information about the Digitalmars-d
mailing list