Add safety notes about docs fields in soroban-spec-rust (#1650)

leighmcculloch · web-flow · commit 500fa0706946 · 2025-12-17T20:55:58.000Z
### What
Add and update comments in soroban-spec-rust explaining why the "docs"
fields from spec entries are intentionally not output as rustdocs in
generated Rust code.

### Why
Rustdocs can contain Rust code that gets executed. Generated code may
come from untrusted WASMs with untrusted spec docs, creating a code
execution risk.

We already have a comment about this in one of the files, but I wanted
to put this important note at the top of all the files in this crate so
it's present to anybody who's reading any of them.
diff --git a/soroban-spec-rust/src/lib.rs b/soroban-spec-rust/src/lib.rs
@@ -14,6 +14,11 @@ use soroban_spec::read::{from_wasm, FromWasmError};
 
 use types::{generate_enum, generate_error_enum, generate_event, generate_struct, generate_union};
 
+// IMPORTANT: The "docs" fields of spec entries are not output in Rust token
+// streams as rustdocs, because rustdocs can contain Rust code, and that code
+// will be executed. Generated code may be generated from untrusted Wasm
+// containing untrusted spec docs.
+
 #[derive(thiserror::Error, Debug)]
 pub enum GenerateFromFileError {
     #[error("reading file: {0}")]
diff --git a/soroban-spec-rust/src/trait.rs b/soroban-spec-rust/src/trait.rs
@@ -5,6 +5,11 @@ use stellar_xdr::ScSpecFunctionV0;
 
 use super::types::generate_type_ident;
 
+// IMPORTANT: The "docs" fields of spec entries are not output in Rust token
+// streams as rustdocs, because rustdocs can contain Rust code, and that code
+// will be executed. Generated code may be generated from untrusted Wasm
+// containing untrusted spec docs.
+
 /// Constructs a token stream containing a single trait that has a function for
 /// every function spec.
 pub fn generate_trait(name: &str, specs: &[&ScSpecFunctionV0]) -> TokenStream {
diff --git a/soroban-spec-rust/src/types.rs b/soroban-spec-rust/src/types.rs
@@ -8,8 +8,9 @@ use stellar_xdr::{
 };
 
 // IMPORTANT: The "docs" fields of spec entries are not output in Rust token
-// streams as rustdocs, because rustdocs are evaluated and execute code by
-// default in Rust projects.
+// streams as rustdocs, because rustdocs can contain Rust code, and that code
+// will be executed. Generated code may be generated from untrusted Wasm
+// containing untrusted spec docs.
 
 // TODO: Replace the unwrap()s in this code with returning Result.
 // TODO: Create Idents in a way that we can get a Result back and return it too
