# Security
At the moment, rust-analyzer assumes that all code is trusted. Here is a
**non-exhaustive** list of ways to make rust-analyzer execute arbitrary
code:
- proc macros and build scripts are executed by default
- `.cargo/config` can override `rustc` with an arbitrary executable
- `rust-toolchain.toml` can override `rustc` with an arbitrary
executable
- The VS Code plugin reads configuration from the project directory, and that
can be used to override paths to various executables, like `rustfmt`
or `rust-analyzer` itself.
- rust-analyzer's syntax trees library uses a lot of `unsafe` and
hasn't been properly audited for memory safety.
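A defender-side pre-flight check for the configuration items above, added here as an example rather than code from the rust-analyzer project: it scans a checkout's project-local files for the override keys so the repository can be reviewed before an editor opens it. The key names are assumptions drawn from cargo (`build.rustc`, `build.rustc-wrapper`), rustup (`toolchain.path`) and the VS Code extension (`rust-analyzer.server.path`, `*.overrideCommand`); the sample file contents are constructed.

```python
import json
import re

# Relative path -> "section.key" names that point cargo/rust-analyzer at a
# binary chosen by whoever wrote the repository (assumed key names).
TOML_CHECKS = {
    ".cargo/config": {"build.rustc", "build.rustc-wrapper"},
    ".cargo/config.toml": {"build.rustc", "build.rustc-wrapper"},
    "rust-toolchain.toml": {"toolchain.path"},
}
VSCODE_SETTINGS = ".vscode/settings.json"
VSCODE_KEYS = {"rust-analyzer.server.path", "rust-analyzer.rustfmt.overrideCommand",
               "rust-analyzer.check.overrideCommand"}
_SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
_KEY = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=")

def toml_override_keys(text, wanted):
    """Section-aware key scan; only presence matters, so no TOML parser is
    needed, and '#' comment lines never match _KEY."""
    section, found = "", []
    for line in text.splitlines():
        if m := _SECTION.match(line):
            section = m.group(1)
        elif m := _KEY.match(line):
            key = f"{section}.{m.group(1)}" if section else m.group(1)
            if key in wanted:
                found.append(key)
    return found

def scan_files(files):
    """files maps relative path -> contents; returns one finding per override."""
    findings = []
    for rel, wanted in TOML_CHECKS.items():
        for key in toml_override_keys(files.get(rel, ""), wanted):
            findings.append(f"{rel}: sets {key}")
    if VSCODE_SETTINGS in files:
        try:  # JSONC with comments will not parse: flag it for manual review
            data = json.loads(files[VSCODE_SETTINGS])
        except json.JSONDecodeError:
            findings.append(f"{VSCODE_SETTINGS}: not plain JSON, inspect manually")
        else:
            findings += [f"{VSCODE_SETTINGS}: sets {k}"
                         for k in sorted(VSCODE_KEYS.intersection(data))]
    return findings

# Constructed sample: a cargo rustc override, a VS Code server override, and a
# harmless toolchain channel pin that must not fire.
SAMPLE = {
    ".cargo/config.toml": '[build]\n# rustc = "commented"\nrustc = "./tools/rustc"\n',
    "rust-toolchain.toml": '[toolchain]\nchannel = "stable"\n',
    ".vscode/settings.json": '{"rust-analyzer.server.path": "./bin/ra"}\n',
}
```

On a real checkout, feed it `{p: (root / p).read_text() for p in [*TOML_CHECKS, VSCODE_SETTINGS] if (root / p).is_file()}`; config in parent directories is out of scope. It says nothing about proc macros or build scripts, which are ordinary crate code rather than configuration.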