better-macro has deliberate RCE in proc-macro (#966)

jsgf · web-flow · commit 8af7718d8fd3 · 2021-07-26T13:39:47.000-07:00
It's "Proving A Point" in https://github.com/raycar5/better-macro/blob/master/doc/hi.md but there's no guarantee that this will remain benign (or is actually benign right now). The crate also has no useful functionality.
diff --git a/crates/better-macro/RUSTSEC-0000-0000.md b/crates/better-macro/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "better-macro"
+date = "2021-07-22"
+url = "https://github.com/raycar5/better-macro/blob/24ff1702397b9c19bbfa4c660e2316cd77d3b900/src/lib.rs#L36-L38"
+categories = ["code-execution"]
+keywords = ["rce", "proc-macro"]
+
+[affected]
+functions = { "better_macro::println" = ["> 1.0.0"] }
+
+[versions]
+patched = []
+```
+
+# `better-macro` has deliberate RCE to prove a point
+
+[better-macro](https://crates.io/crates/better-macro) is a fake crate which is
+"Proving A Point" that proc-macros can run arbitrary code. This a particularly
+novel or interesting observation.
+
+It currently opens `https://github.com/raycar5/better-macro/blob/master/doc/hi.md`
+which doesn't appear to have any malicious content, but there's no guarantee that
+will remain the case.
+
+This crate has no useful functionality, and should not be used.
