nim#init executes nimscript on load

zargot commented 6 years ago

When opening a nimscript file (*.nims) into vim, all "exec" statements are executed. This makes editing nimscript files very impractical, and poses a huge security risk.

example.nims:

exec "touch a_wild_file_appears.txt"
exec "rm -r ~/my_important_projects"

This seems to occur in autoload/nim.vim:nim#init:

  let cmd = printf("nim --dump.format:json --verbosity:0 dump %s", s:CurrentNimFile())
  let raw_dumpdata = system(cmd)

My current workaround is to comment out the whole function call in ftplugin/nim.vim: "call nim#init()

Thanks for your time.

zah commented 6 years ago

This was reported as an upstream issue in Nim. Another mitigation we can apply here is to start treating nims files as a different language mode.

sealmove commented 4 years ago

Any progress on this?

somini commented 3 years ago

https://gitlab.com/somini/nim.nvim

I forked this and just removed all IDE functions. There's just:

Syntax highlighting
Indentation
Compiler

It's just a basic version of this.

zah / nim.vim

nim#init executes nimscript on load #87