Implement prebuilt macros allowlists #1769

Open
mkaput opened this issue Nov 25, 2024 · 0 comments
mkaput commented Nov 25, 2024

Summary

Due to security concerns (binary builds are a great hacking vector), loading AOT compiled binaries should be off-by-default.
As a configuration mechanism, employ a whitelisting mechanism that users can put in Scarb.toml:

[package]
name = "hello"
version = "1.0.0"

[dependencies]
some_macro = "0.1"

[tool.scarb]
allow-prebuilt-macros = [
    "some_macro"
]

Matching will happen on PackageName. Matching applies to the entire dependency subtree, that is, if package x is using macro y as its dependency, a whitelist entry x will allow package y. This means that a single whitelist item will enable all instances of a given macro, regardless of version/source differences. The transitive nature of the list also makes preserving some context within Scarb.toml file.

Example: usage by Starknet Foundry

Change snforge init template to emit the following Scarb.toml file for new projects:

[package]
name = "hello"
version = "0.1.0"
edition = "2023_11"

# ...

[dev-dependencies]
snforge_std = { git = "https://github.com/foundry-rs/starknet-foundry", tag = "v0.32.0" }
assert_macros = "2.8.4"

# ...

[tool.scarb]
allow-prebuilt-macros = [
    "snforge_std"
]

# ...

Note

No such task was created in Foundry repo.
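
The subtree matching proposed in this issue, as an added sketch that is not Scarb's code: it matches on package name only, an entry covers the listed package plus everything below it in the dependency graph, and an empty list allows nothing. The graph, the `inner_macro` and `other_macro` packages, the function names, and the choice to ignore entries that are not in the graph are assumptions made for illustration.

```rust
use std::collections::{BTreeSet, HashMap};

// Package name -> names of its direct dependencies. Names only: version and
// source are deliberately ignored, as the proposal matches on PackageName.
type Graph = HashMap<&'static str, Vec<&'static str>>;

// Constructed sample graph; `inner_macro` and `other_macro` are made-up names.
fn sample_graph() -> Graph {
    HashMap::from([
        ("hello", vec!["snforge_std", "assert_macros", "other_macro"]),
        ("snforge_std", vec!["inner_macro"]),
        ("assert_macros", vec![]),
        ("inner_macro", vec![]),
        ("other_macro", vec![]),
    ])
}

// Every package covered by the allowlist: each listed package that is present
// in the graph (assumption: unknown names grant nothing), plus its subtree.
fn covered(graph: &Graph, allowlist: &[&'static str]) -> BTreeSet<&'static str> {
    let mut seen = BTreeSet::new();
    let mut stack: Vec<&'static str> = allowlist
        .iter()
        .copied()
        .filter(|name| graph.contains_key(name))
        .collect();
    while let Some(name) = stack.pop() {
        if !seen.insert(name) {
            continue; // already visited; this also terminates on cycles
        }
        if let Some(deps) = graph.get(name) {
            stack.extend(deps.iter().copied());
        }
    }
    seen
}

// Off by default: with an empty allowlist nothing is covered.
fn may_load_prebuilt(graph: &Graph, allowlist: &[&'static str], pkg: &str) -> bool {
    covered(graph, allowlist).contains(pkg)
}

fn main() {
    let graph = sample_graph();
    for pkg in ["inner_macro", "other_macro"] {
        let ok = may_load_prebuilt(&graph, &["snforge_std"], pkg);
        println!("{pkg}: prebuilt allowed = {ok}");
    }
}
```
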

@mkaput mkaput added this to the Proc Macro AOT Compilation milestone Nov 25, 2024
@github-project-automation github-project-automation bot moved this to Triage in Scarb Nov 25, 2024
@maciektr maciektr moved this from Triage to Todo in Scarb Nov 26, 2024
@maciektr maciektr self-assigned this Nov 26, 2024