
Build Security

Rust Internals [Unofficial] April 10, 2026

robofinch:

Malware doesn’t need to be future-proof, and if a proc-macro is compiled to the host’s target (presumably capable of running some form of not-sandboxed assembly), it could conceivably find a way to execute whatever assembly it wants via UB

It wouldn't even really have to be UB, just some form of system-specific transmute (which is possible even in safe Rust by exploiting type-system soundness bugs – it isn't supposed to be but there are numerous ways to do it in practice). Operating systems are gradually starting to move away from the model of "any read-only part of the executable image can be executed", but there are still lots of computers around which do have that rule, so on such computers a program would just need to create a constant static array of bytes that represented the code it wanted to run, then transmute a reference to it (either using unsafe code or using a type-system soundness hole) into a fn and call it. This sort of transmute isn't obviously even undefined behavior (although it is highly system-specific).

In general, Rust's security model is not designed to defend against malicious code given as input to the compiler (as opposed to malicious input given to a program at runtime) and thus any sort of build-time sandboxing has to be outside the Rust language itself.
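An added example, not code from the thread or from either poster: a Linux-only Rust probe that reads /proc/self/maps and reports how the OS has mapped the program's own static data versus its code. It executes nothing; it only checks whether the "read-only parts of the image are executable" rule discussed in the quote and the reply applies on the host, which is the first thing a build-sandbox designer would want to know. It assumes a Linux host with /proc mounted.

```rust
use std::fs;

// Constructed sample: an ordinary read-only static, standing in for the
// "constant static array of bytes" mentioned above. It is only probed, never run.
static DATA: &[u8] = b"rodata-probe-bytes";

/// Returns the permission field (e.g. "r--p") of the /proc/self/maps entry
/// that contains `addr`, or None if no mapping covers it.
/// Assumption: Linux, /proc mounted (the format is "start-end perms ...").
pub fn mapping_perms(addr: usize) -> Option<String> {
    let maps = fs::read_to_string("/proc/self/maps").ok()?;
    for line in maps.lines() {
        let mut fields = line.split_whitespace();
        let range = fields.next()?;
        let perms = fields.next()?;
        let (lo, hi) = range.split_once('-')?;
        let lo = usize::from_str_radix(lo, 16).ok()?;
        let hi = usize::from_str_radix(hi, 16).ok()?;
        if (lo..hi).contains(&addr) {
            return Some(perms.to_string());
        }
    }
    None
}

/// Some(true) if the page holding DATA is mapped executable, i.e. the host
/// still applies the "any read-only part of the image can be executed" rule.
pub fn static_data_is_executable() -> Option<bool> {
    mapping_perms(DATA.as_ptr() as usize).map(|p| p.contains('x'))
}

/// Some(true) if this program's own code is mapped executable (expected on
/// every normal host; this is the control case for the probe above).
pub fn code_is_executable() -> Option<bool> {
    let code_addr = (mapping_perms as fn(usize) -> Option<String>) as usize;
    mapping_perms(code_addr).map(|p| p.contains('x'))
}

fn main() {
    println!("static data mapping: {:?}", mapping_perms(DATA.as_ptr() as usize));
    println!("static data executable: {:?}", static_data_is_executable());
    println!("code executable:        {:?}", code_is_executable());
}
```

On a toolchain that links with separate code and data segments the static data reports as "r--p" (not executable); an executable answer means the separation the reply describes is absent on that host and a build sandbox has to assume the worst.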
