Description
I'm writing a code review tool (cargo-crev). It's meant for reviewing untrusted 3rd party code. There's a risk that malicious code could use build-time code execution (build.rs or proc-macros) to launch an attack on the reviewer's machine and/or use it to hide the malicious code.
I've noticed that IDEs that integrate with rust-analyzer automatically build any Rust project they open (target dir appears), so just looking at a Rust crate executes untrusted code! I'm not entirely sure whether that's caused by rust-analyzer itself, or just cargo check that usually goes with it.
Is there a way to disable rust-analyzer for such a project folder? Or tell it not to trust any code nor any of its dependencies?
There's a request for a single file #3660, but I'm looking for a crate-wide solution. I'd rather not modify source code, but I can inject/change config files.