Support untrusted workspaces in VSCode

[lf-]

We could potentially disable proc macros if not given trust, for example.

See microsoft/vscode#120251 for API details.

(from https://twitter.com/ekuber/status/1403499878836322311)

[jonas-schievink]

So, I think in order to implement this right (when you actually, for real, don't trust the workspace you're opening), we need to avoid invoking any part of the Rust toolchain, since everything can be overridden by the workspace to run arbitrary code.

That means that there are quite a few places that need to be stubbed out (eg. we load target-specific --cfg flags by invoking rustc, fetch the workspace by invoking cargo, run build scripts by invoking cargo again, and then load and run proc macros). Additionally, it seems quite easy to accidentally regress this, so we should probably have some kind of safe-guard (perhaps by clearing PATH? Windows might still search the working dir though).

One problem with doing this is that r-a becomes pretty much useless if we can't fetch the crate graph, so currently I don't really see the benefit of this over just keeping the whole extension disabled in an untrusted workspace (which I think is the default). You could use rust-project.json, but that's not really feasible to obtain without calling cargo.

[matklad]

You could use rust-project.json,

even there I think we call rustc —cfg by default.

[lf-]

This sounds like it's possibly turning into a feature request for rustup to set a boundary under which all toolchain configs are ignored. Or perhaps to turn off the rust-toolchain file config entirely if requested.

[jonas-schievink]

Filed rust-lang/rustup#2793

[Veykril]

Additional info for this is here https://code.visualstudio.com/api/extension-guides/workspace-trust