@cindex trusted files and directories

Loading a file of Emacs Lisp code with @code{load-file} or

@code{load-library} (@pxref{Lisp Libraries}) can execute some of the

Lisp code in the file being loaded, so you should only load Lisp files

whose source you trust.  However, some Emacs features can in certain

situations execute Lisp code even without your explicit command or

request.  For example, Flymake, the on-the-fly syntax checker for Emacs

(@pxref{Top,,, flymake, GNU Flymake}), if it is enabled, can

automatically execute some of the code in a Lisp file you visit as part

of its syntax-checking job.  Similarly, some completion commands

(@pxref{Completion}) in buffers visiting Lisp files sometimes need to

expand Lisp macros for best results.  In these cases, just visiting a

Lisp file and performing some editing in it could trigger execution of

Lisp code.  If the visited file came from an untrusted source, it could

include dangerous or even malicious code that Emacs would execute in

those situations.

To protect against this, Emacs disables execution of Lisp code by

Flymake, completion, and some other features, unless the visited file is

@dfn{trusted}.  It is up to you to specify which files on your system

should be trusted, by customizing the user option

@code{trusted-content}.

@defopt trusted-content

The value of this option is @code{nil} by default, which means no file

is trusted.  You can customize the variable to be a list of one or more

names of trusted files and directories.  A file name that ends in a

slash @file{/} is interpreted as a directory, which means all its files

and subdirectories are also trusted.  A special value @code{:all} means

@emph{all} the files and directories on your system should be trusted;

@strong{this is not recommended}, as it opens a gaping security hole.

@end defopt

(defcustom trusted-content nil

  "List of files and directories whose content we trust.

Be extra careful here since trusting means that Emacs might execute the

code contained within those files and directories without an explicit

request by the user.

One important case when this might happen is when `flymake-mode' is

enabled (for example, when it is added to a mode hook).

Each element of the list should be a string:

- If it ends in \"/\", it is considered as a directory name and means that

  Emacs should trust all the files whose name has this directory as a prefix.

- Otherwise, it is considered a file name.

Use abbreviated file names.  For example, an entry \"~/mycode/\" means

that Emacs will trust all the files in your directory \"mycode\".

This variable can also be set to `:all', in which case Emacs will trust

all files, which opens a gaping security hole.  Emacs Lisp authors

should note that this value must never be set by a major or minor mode."

  :type '(choice (repeat :tag "List" file)

                 (const :tag "Trust everything (DANGEROUS!)" :all))

  :version "30.1")

(put 'trusted-content 'risky-local-variable t)

(defun trusted-content-p ()

  "Return non-nil if we trust the contents of the current buffer.

Here, \"trust\" means that we are willing to run code found inside of it.

See also `trusted-content'."

  ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'

  ;; to try and avoid marking as trusted a file that's merely accessed

  ;; via a symlink that happens to be inside a trusted dir.

  (and (not untrusted-content)

       (or

        (eq trusted-content :all)

        (and

         buffer-file-truename

         (with-demoted-errors "trusted-content-p: %S"

           (let ((exists (file-exists-p buffer-file-truename)))

             (or

              ;; We can't avoid trusting the user's init file.

              (if (and exists user-init-file)

                  (file-equal-p buffer-file-truename user-init-file)

                (equal buffer-file-truename user-init-file))

              (let ((file (abbreviate-file-name buffer-file-truename))

                    (trusted nil))

                (dolist (tf trusted-content)

                  (when (or (if exists (file-equal-p tf file) (equal tf file))

                            ;; We don't use `file-in-directory-p' here, because

                            ;; we want to err on the conservative side: "guilty

                            ;; until proven innocent".

                            (and (string-suffix-p "/" tf)

                                 (string-prefix-p tf file)))

                    (setq trusted t)))

                trusted))))))))

(defvar elisp--local-macroenv

  `((cl-eval-when . ,(lambda (&rest args) `(progn . ,(cdr args))))

    (eval-when-compile . ,(lambda (&rest args) `(progn . ,args)))

    (eval-and-compile . ,(lambda (&rest args) `(progn . ,args))))

  "Environment to use while tentatively expanding macros.

This is used to try and avoid the most egregious problems linked to the

use of `macroexpand-all' as a way to find the \"underlying raw code\".")

(defvar elisp--macroexpand-untrusted-warning t)

(defun elisp--safe-macroexpand-all (sexp)

  (if (not (trusted-content-p))

      ;; FIXME: We should try and do better here, either using a notion

      ;; of "safe" macros, or with `bwrap', or ...

      (progn

        (when elisp--macroexpand-untrusted-warning

          (setq-local elisp--macroexpand-untrusted-warning nil) ;Don't spam!

          (let ((inhibit-message t))      ;Only log.

            (message "Completion of local vars is disabled in %s (untrusted content)"

                     (buffer-name))))

        sexp)

    (let ((macroexpand-advice

           (lambda (expander form &rest args)

             (condition-case err

                 (apply expander form args)

               (error

                (message "Ignoring macroexpansion error: %S" err) form)))))

      (unwind-protect

          ;; Silence any macro expansion errors when

          ;; attempting completion at point (bug#58148).

          (let ((inhibit-message t)

                (macroexp-inhibit-compiler-macros t)

                (warning-minimum-log-level :emergency))

            (advice-add 'macroexpand-1 :around macroexpand-advice)

            (macroexpand-all sexp elisp--local-macroenv))

        (advice-remove 'macroexpand-1 macroexpand-advice)))))

  (unless (trusted-content-p)

    ;; FIXME: Use `bwrap' and friends to compile untrusted content.

    ;; FIXME: We emit a message *and* signal an error, because by default

    ;; Flymake doesn't display the warning it puts into "*flmake log*".

    (message "Disabling elisp-flymake-byte-compile in %s (untrusted content)"

             (buffer-name))

    (user-error "Disabling elisp-flymake-byte-compile in %s (untrusted content)"

                (buffer-name)))

        (setq-local trusted-content :all)