Package demonstrating why running `julia --project` in a directory you don't trust can be dangerous. This is why Julia doesn't activate the current directory's project automatically: you have to add the `--project` flag explicitly, and doing so is a conscious indication that you trust the project you are in.
Try it out (if you dare!):
```sh
$ git clone https://github.com/StefanKarpinski/Nefarious.jl.git
$ cd Nefarious.jl
$ julia -q --project

julia> using JSON
Haha, gotcha!
```
The same attack could easily be expanded to all common package names by just replicating what has been done here for JSON.
If you start a `julia` process in this directory with `--project`, you cannot safely load any packages.
If you have a `~/.julia/config/startup.jl` file and it loads any packages, then merely starting `julia --project` in this directory could execute arbitrary code: with `--project` the directory's environment is first on the load path, so every `using` in `startup.jl` resolves through this project's manifest before any code of yours runs.