
Comments (4)

thomcc commented on August 22, 2024

We also need to forbid:

  • Unsafe attributes like no_mangle, link, link_section, etc (need to look to see if this is a complete list of stable ones). These are unsafe, but do not require the unsafe keyword (although this may change).
  • Any extern blocks, as they allow confusing LLVM about the actual signature of functions, and grant access to functions we would like users to not even have the address of. They may become unsafe extern in a future Rust edition, but I've only seen this suggested and not proposed.

from plrust.
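The two items above, as an added example that is not PL/Rust's own code: a token-level scanner over a submitted Rust function that rejects the linkage attributes and any `extern { .. }` block before the source reaches rustc. The denylist extends the comment's list with `export_name` and `link_name`; the sample input is constructed. Since Rust 1.82 these attributes may also be spelled `#[unsafe(no_mangle)]`, and the scanner flags that form too. Because it works on tokens rather than on the expanded crate, it cannot see attributes or extern blocks that a proc macro emits, so it is a first gate and not a proof.

```rust
// Added example (not PL/Rust's own code): token-level denylist scan over submitted Rust source
// for the constructs named above. Heuristic by design: it cannot see what proc macros expand to.
/// Linkage/placement attributes that need no `unsafe` keyword (`export_name`, `link_name` added).
pub const FORBIDDEN_ATTRS: &[&str] = &["no_mangle", "export_name", "link_section", "link", "link_name"];

#[derive(Debug, Clone, PartialEq)]
pub enum Finding { ForbiddenAttr { line: usize, name: String }, ExternBlock { line: usize } }

#[derive(Debug, PartialEq)]
enum Tok { Ident(String), Str, Punct(char) } // `Str`: any string literal, contents dropped

/// Skip a string body starting at `i`; returns the index after the closing quote. `raw = Some(n)`
/// is a raw string closed by `"` plus n `#` (no escapes); `None` honours backslash escapes.
fn skip_str(c: &[char], mut i: usize, raw: Option<usize>, line: &mut usize) -> usize {
    let n = raw.unwrap_or(0);
    while i < c.len() {
        if c[i] == '"' && c[i + 1..].iter().take(n).filter(|&&h| h == '#').count() == n { return i + 1 + n; }
        if c[i] == '\n' { *line += 1; }
        i += if raw.is_none() && c[i] == '\\' { 2 } else { 1 };
    }
    i
}

/// Drop comments, collapse string literals (raw ones too) to `Str`, tag tokens with a 1-based line.
/// Block comments are treated as non-nesting: that can add false positives but never hides code.
fn lex(src: &str) -> Vec<(usize, Tok)> {
    let c: Vec<char> = src.chars().collect();
    let at = |k: usize| c.get(k).copied().unwrap_or('\0');
    let (mut out, mut i, mut line) = (Vec::new(), 0usize, 1usize);
    while i < c.len() {
        match c[i] {
            w if w.is_whitespace() => { if w == '\n' { line += 1; } i += 1; }
            '/' if at(i + 1) == '/' => { while i < c.len() && c[i] != '\n' { i += 1; } }
            '/' if at(i + 1) == '*' => {
                i += 2;
                while i < c.len() && !(c[i] == '*' && at(i + 1) == '/') { if c[i] == '\n' { line += 1; } i += 1; }
                i += 2;
            }
            '\'' if at(i + 1) == '"' && at(i + 2) == '\'' => i += 3, // the char literal '"' must not open a string
            '"' => { i = skip_str(&c, i + 1, None, &mut line); out.push((line, Tok::Str)); }
            w if w.is_alphanumeric() || w == '_' => {
                let start = i;
                while i < c.len() && (c[i].is_alphanumeric() || c[i] == '_') { i += 1; }
                let word: String = c[start..i].iter().collect();
                let mut j = i;
                while at(j) == '#' { j += 1; }
                if (word == "r" || word == "br") && at(j) == '"' { // raw string r"..", r#".."#, br".."
                    i = skip_str(&c, j + 1, Some(j - i), &mut line);
                    out.push((line, Tok::Str));
                } else { out.push((line, Tok::Ident(word))); } // raw identifiers like r#type land here
            }
            p => { out.push((line, Tok::Punct(p))); i += 1; }
        }
    }
    out
}

/// Report every denylisted attribute and every `extern { .. }` block with its line.
pub fn scan(src: &str) -> Vec<Finding> {
    let toks = lex(src);
    let (mut found, mut i) = (Vec::new(), 0);
    while i < toks.len() {
        match &toks[i].1 {
            // `#[..]` / `#![..]`: a denylisted identifier anywhere inside the brackets counts, which also
            // catches `#[unsafe(no_mangle)]` (Rust 1.82+) and `#[cfg_attr(.., no_mangle)]`.
            Tok::Punct('#') => {
                let mut j = i + 1;
                if matches!(toks.get(j), Some((_, Tok::Punct('!')))) { j += 1; }
                if !matches!(toks.get(j), Some((_, Tok::Punct('[')))) { i += 1; continue; }
                let mut depth = 0;
                while let Some((line, t)) = toks.get(j) {
                    match t {
                        Tok::Punct('[') => depth += 1,
                        Tok::Punct(']') => { depth -= 1; if depth == 0 { break; } }
                        Tok::Ident(n) if FORBIDDEN_ATTRS.contains(&n.as_str()) => found.push(Finding::ForbiddenAttr { line: *line, name: n.clone() }),
                        _ => {}
                    }
                    j += 1;
                }
                i = j;
            }
            // `extern {`, `extern "C" {` and `unsafe extern "C" {` declare foreign items;
            // `extern "C" fn ..` is a definition and is left alone.
            Tok::Ident(w) if w.as_str() == "extern" => {
                let j = if matches!(toks.get(i + 1), Some((_, Tok::Str))) { i + 2 } else { i + 1 };
                if matches!(toks.get(j), Some((_, Tok::Punct('{')))) { found.push(Finding::ExternBlock { line: toks[i].0 }); }
            }
            _ => {}
        }
        i += 1;
    }
    found
}

/// Constructed sample (not real PL/Rust input): hits hidden in a comment and in a raw string must be
/// ignored; the real violations are on lines 6, 8 and 10.
pub const SAMPLE: &str = r##"// #[no_mangle] in a comment must not count
fn user_fn(x: i32) -> i32 {
    let s = r#"extern "C" { fn not_real(); }"#;
    x + s.len() as i32
}
#[no_mangle]
pub extern "C" fn leak() {}
#[cfg_attr(all(), link_section = ".init_array")]
static HOOK: extern "C" fn() = leak;
extern "C" {
    fn pg_something(arg: i32) -> i32;
}"##;

fn main() { for f in scan(SAMPLE) { println!("{f:?}"); } }
```

`scan` returns the findings with 1-based line numbers so a rejected function can be reported back to the submitter. The denylist is deliberately applied to any identifier inside an attribute rather than only to its head, which trades a few false positives (for instance a custom `#[cfg(link)]`) for not having to enumerate every wrapper such as `cfg_attr` or `unsafe(..)`; a sandbox that rejects by default can afford that.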

workingjubilee commented on August 22, 2024

One of the inescapable problems in PL/Rust is that even if all the dependencies are very carefully audited and then the function is fully sandboxed by whatever means, the bindings to PostgreSQL themselves must be sound in at least the memory-safe sense and also ideally the logical sense.

As if to answer the call of this issue, several soundness issues materialized in PGX:

I have almost finished redesigning the current "ArrayType handle" that PGX uses to fix some of these issues, starting with a subcomponent that offers much better checks on its soundness properties and more meticulously documented safety conditions. (It will also, amusingly, probably be much faster, not that such is a primary goal.) I hope to return to more... "surface" level concerns like this one very soon.


workingjubilee commented on August 22, 2024

#95 brings up proc macros as a special concern. Yes, they are. It also will take care of both most concerns regarding PGX and some initial concerns regarding unsafe in user fn, by guaranteeing that any new pgx versions will not insert code with unqualified unsafe. It will not address dependencies or proc macros.


workingjubilee commented on August 22, 2024

As of #128 we cover a lot of these cases for the main function crate using a significantly modified compilation flow that allows a lot of other shell games that should make auditing functions easier. I'm going to claim victory on this for now and move the remaining concerns to other issues, namely

