Open technomancy opened 10 months ago
ericdallo
commented
9 months ago Thanks for the report @technomancy, clojure-lsp has a general waterfall settings checking from project to home dir, but maybe we could check only the home one for this one somehow. Also we don't have ATM a way to fallback for classpath lookup commands, we would need to support that, unless we think in a way the fallback is not needed.
technomancy
commented
9 months ago Honestly I don't know that I have enough context to say what the right thing to do here is. Thinking about this more, there are legitimate and safe reasons to want to override the classpath command on a per-project basis; maybe clojure-lsp guesses wrong and you want the project to set an override to a different command, but the other command is still safe.
I've never used deps.edn or any of the other classpath calculation tools. Are they safe to run on untrusted projects? (Disabling *read-eval* etc?) I see that there is also a :java-command config setting which could trivially be overridden by an untrusted project to run arbitrary code.
It's clear to me that my original suggestion of "avoid lein classpath and use lein static-classpath instead" is insufficient for the purposes of achieving "opening an untrusted file shouldn't pwn your system"; it's a small part of the puzzle, but there's a lot more to it. From my perspective, I want to make sure that static-classpath is available for people who want to do the work of making the tooling safe, but I don't think I can be the one to do that work, and I don't know how much of a priority it is for the maintainers of clojure-lsp.
Is your feature request related to a problem? Please describe. It should be possible to safely open an untrusted file without running code that's part of the project.
Imagine you are looking at a codebase, and you're not sure if you can trust the code. You open up one of its files in your editor to read it and see if it's safe or not. Since your editor has
clojure-lspconfigured, this starts up analysis. On the bright side,clojure-lspdoes not execute any of the project code in thesrc/directory. However, it does runlein classpath, which executesproject.clj. If the project is in fact unsafe, your machine has now been compromised.Describe the solution you'd like When
clojure-lspdetects a Leiningen project, it should try runninglein static-classpathfirst instead oflein classpathsince the former is safe to run in any project. Since this task is relatively new, it should probably fall back tolein classpathif the former fails.https://codeberg.org/leiningen/leiningen/commit/62175459ac3cde9faf0f812ec202ef25a8e9cb11
I'm open to suggestions for improvements to the implementation of
static-classpath.Additional context It should be possible to configure it so it never performs the unsafe fallback. It should probably also be possible to configure it so it always prefers
lein classpathsince there are projects that need plugins in order to calculate the classpath.However, I don't have a clear idea of how such configuration should be accomplished. If the configuration is read from the project repo itself, it would defeat the purpose, since an attacker could just set it to unsafe mode as part of the untrusted repository.