[GHC] #10826: [Security] Safe Haskell can be bypassed via annotations

GHC ghc-devs at haskell.org
Wed Sep 2 02:22:30 UTC 2015 

#10826: [Security] Safe Haskell can be bypassed via annotations
-------------------------------------+-------------------------------------
        Reporter:  spinda            |                   Owner:
            Type:  bug               |                  Status:  new
        Priority:  normal            |               Milestone:
       Component:  Compiler          |                 Version:  7.10.2
      Resolution:                    |                Keywords:
Operating System:  Unknown/Multiple  |            Architecture:
 Type of failure:  GHC accepts       |  Unknown/Multiple
  invalid program                    |               Test Case:
      Blocked By:                    |                Blocking:
 Related Tickets:                    |  Differential Revisions:
-------------------------------------+-------------------------------------
Description changed by spinda:

Old description:

> {{{
> module Test (hook) where
>
> import System.Process
> import System.IO.Unsafe
>
> {-# ANN hook (unsafePerformIO (putStrLn "Woops.")) #-}
> hook = undefined
> }}}
>
> {{{
> ➜  Test ghc -fpackage-trust -XSafe Test_simple.hs
> [1 of 1] Compiling Test_simple      ( Test_simple.hs, Test_simple.o )
> [flags changed]
> Woops.
>
> Test_simple.hs:4:1:
>     System.IO.Unsafe: Can't be safely imported!
>     The module itself isn't safe.
> }}}
>
> GHC ultimately rejects the program due to the {{{System.IO.Unsafe}}}
> import, but this check doesn't occur until GHC has compiled and run the
> annotation expression, allowing arbitrary IO operations via
> {{{unsafePerformIO}}}.
>
> The solution is probably to move the import check from the end of
> renaming/typechecking to the start.

New description:

 {{{
 module Test (hook) where

 import System.IO.Unsafe

 {-# ANN hook (unsafePerformIO (putStrLn "Woops.")) #-}
 hook = undefined
 }}}

 {{{
 ➜  Test ghc -fpackage-trust -XSafe Test_simple.hs
 [1 of 1] Compiling Test_simple      ( Test_simple.hs, Test_simple.o )
 [flags changed]
 Woops.

 Test_simple.hs:4:1:
     System.IO.Unsafe: Can't be safely imported!
     The module itself isn't safe.
 }}}

 GHC ultimately rejects the program due to the {{{System.IO.Unsafe}}}
 import, but this check doesn't occur until GHC has compiled and run the
 annotation expression, allowing arbitrary IO operations via
 {{{unsafePerformIO}}}.

 The solution is probably to move the import check from the end of
 renaming/typechecking to the start.

--

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/10826#comment:1>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

More information about the ghc-tickets mailing list