Construction and projection capabilities are not checked #14
Labels: error (Something is confusing, misbehaving, or harmful.), s:2 critical (This has the potential of causing a lot of harm; timely mitigation is essential.)
Crochet's entire set of security guarantees relies on being able to control which packages have access to which types, as well as what they can do with these types. Types represent capabilities. But there are some more fine-grained capabilities in a type: using a type has different security implications from constructing a type or projecting fields from a type. That's why Crochet defines these as distinct capabilities.
Capabilities are handled at a "package" level, so packages define a trust boundary. In the specified semantics, the constructing and projecting capabilities are granted to the defining package, meaning that if package A defines a type T, then only package A is able to use `new T` or `TValue.field`. This is currently unchecked, which leads to these expressions succeeding outside of A as well.
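To make the distinction concrete, here is a small Python model of package-scoped construct/project capabilities. This is an added illustration, not Crochet's own implementation: the `Registry`, `construct`, `project` and `outcome` names, the `grant_use` call, and the `enforce` switch that stands in for the missing check are all assumptions made for the example, and the package and type names (`A`, `B`, `T`, field `secret`) are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Capability(Enum):
    """Per-type capabilities; construct and project are finer-grained than use."""
    USE = "use"              # mention the type (signatures, pattern matching)
    CONSTRUCT = "construct"  # `new T(...)`
    PROJECT = "project"      # `value.field`


class CapabilityError(Exception):
    """A package exercised a capability it was never granted."""


@dataclass(frozen=True)
class TypeDef:
    name: str
    package: str      # the defining package (the trust boundary)
    fields: tuple


@dataclass
class Value:
    type_name: str
    fields: dict


@dataclass
class Registry:
    types: dict = field(default_factory=dict)
    # Granted (package, type name, capability) triples.
    grants: set = field(default_factory=set)

    def define(self, package, name, fields):
        """Package `package` defines type `name`; it alone gets construct/project."""
        self.types[name] = TypeDef(name, package, tuple(fields))
        for cap in Capability:
            self.grants.add((package, name, cap))

    def grant_use(self, package, name):
        """Another package may use the type without construct/project rights (assumed API)."""
        self.grants.add((package, name, Capability.USE))

    def has(self, package, name, cap):
        return (package, name, cap) in self.grants


def construct(reg, package, name, *, enforce=True, **values):
    """Evaluate `new name(...)` on behalf of `package`.

    enforce=False models the unchecked behaviour reported in the issue.
    """
    tdef = reg.types[name]
    if enforce and not reg.has(package, name, Capability.CONSTRUCT):
        raise CapabilityError(f"package {package} may not construct {name}")
    if set(values) != set(tdef.fields):
        raise TypeError(f"{name} expects fields {tdef.fields}")
    return Value(name, dict(values))


def project(reg, package, value, field_name, *, enforce=True):
    """Evaluate `value.field_name` on behalf of `package`."""
    if enforce and not reg.has(package, value.type_name, Capability.PROJECT):
        raise CapabilityError(
            f"package {package} may not project {value.type_name}.{field_name}")
    return value.fields[field_name]


def outcome(thunk):
    """Run an operation and report either its result or 'denied'."""
    try:
        return thunk()
    except CapabilityError:
        return "denied"


def demo():
    """Constructed scenario: package A defines T; package B is granted only `use` of T."""
    reg = Registry()
    reg.define("A", "T", ["secret"])
    reg.grant_use("B", "T")
    value = construct(reg, "A", "T", secret=42)   # A holds construct on T
    return {
        "A_projects": outcome(lambda: project(reg, "A", value, "secret")),
        # Specified semantics: B holds neither construct nor project on T.
        "B_constructs": outcome(lambda: construct(reg, "B", "T", secret=0)),
        "B_projects": outcome(lambda: project(reg, "B", value, "secret")),
        # Reported bug: with the check skipped, B's projection succeeds.
        "B_projects_unchecked": outcome(
            lambda: project(reg, "B", value, "secret", enforce=False)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the two behaviours side by side: with the check in place, B's `new T` and `value.secret` are denied while A's succeed; with the check skipped, B reads the field as if it were the defining package, which is exactly the leak the issue describes.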