completed
EffortlessMetrics/perl-lsp
Verified maintainerRust Perl Language Server (LSP) + parser toolkit (tree-sitter + pure Rust).
https://github.com/EffortlessMetrics/perl-lsp10
Stars
5
Forks
662
Issues
Rust
Language
Apache-2.0
License
May 13, 2026
Last push
-
LOC
-
Files
perl-lsp is a public-alpha Rust workspace for Perl 5 editor tooling: native parser/lexer, workspace indexing, LSP server, VS Code extension, managed binary install path, and DAP/debug support. Please focus on security-impacting findings with concrete repro steps. Highest-value areas: 1. LSP/DAP trust boundaries: JSON-RPC over stdio by default, optional unauthenticated localhost socket mode, malformed Content-Length frames, oversized/deep JSON, request validation, and resource-limit enforcement. 2. Workspace path safety: file:// URI handling, canonicalization, symlinks, ../ traversal, null/control characters, multi-root workspaces, cache/state persistence, and any way an untrusted workspace or client can read/write/execute outside intended roots. 3. Process execution: executeCommand, perl.runFile / perl.runTests / perl.runTestSub, yath/prove/perl fallback behavior, perlcritic/perltidy compatibility paths, DAP launch/attach/evaluate, args/env handling, PATH poisoning, workspace configuration trust, and shell/quoting boundaries. 4. DAP/network exposure: native launch/attach, TCP debugger attach, legacy bridge mode, hostile local clients, and whether exposing a port can become file disclosure or unintended command execution. 5. VS Code and release/install path: managed binary download, update selection, custom/internal downloadBaseUrl, checksum verification, archive extraction, binary activation, GitHub Actions, release artifacts, SBOM/provenance, VS Marketplace/Open VSX packaging, and crate publishing. 6. Parser/indexer resilience: hostile Perl files, huge files, unusual encodings, Unicode/path edge cases, parser hangs, panics, or memory/CPU DoS despite configured limits. Lower priority unless there is a real security boundary: - Vendored/generated C under tree-sitter-perl-c/c-src. This crate is primarily a compatibility/reference C FFI binding and benchmark baseline against the native Rust parser. Findings are useful if they affect packaged crate safety, FFI exposure, build.rs behavior, provenance, or user-facing parsing APIs; otherwise please do not spend most of the pass there. - Benchmark-only binaries and publish=false crates such as perl-parser-bench, unless the issue is shared with production crates. - Archived, legacy, docs, and test harness code, unless it is shipped, invoked by release workflows, or reachable from normal install/editor/debug flows. Please avoid style, lint, formatting, naming, and general complexity comments unless they create or materially hide a plausible vulnerability. Good findings should include affected files, threat model, severity, exploitability, and a minimal repro. Thank you!
Steven Zimmerman, CPA
perl-lsp is a public-alpha Rust workspace for Perl 5 editor tooling: native parser/lexer, workspace indexing, LSP server, VS Code extension, managed binary install path, and DAP/debug support. Please focus on security-impacting findings with concrete repro steps. Highest-value areas: 1. LSP/DAP trust boundaries: JSON-RPC over stdio by default, optional unauthenticated localhost socket mode, malformed Content-Length frames, oversized/deep JSON, request validation, and resource-limit enforcement. 2. Workspace path safety: file:// URI handling, canonicalization, symlinks, ../ traversal, null/control characters, multi-root workspaces, cache/state persistence, and any way an untrusted workspace or client can read/write/execute outside intended roots. 3. Process execution: executeCommand, perl.runFile / perl.runTests / perl.runTestSub, yath/prove/perl fallback behavior, perlcritic/perltidy compatibility paths, DAP launch/attach/evaluate, args/env handling, PATH poisoning, workspace configuration trust, and shell/quoting boundaries. 4. DAP/network exposure: native launch/attach, TCP debugger attach, legacy bridge mode, hostile local clients, and whether exposing a port can become file disclosure or unintended command execution. 5. VS Code and release/install path: managed binary download, update selection, custom/internal downloadBaseUrl, checksum verification, archive extraction, binary activation, GitHub Actions, release artifacts, SBOM/provenance, VS Marketplace/Open VSX packaging, and crate publishing. 6. Parser/indexer resilience: hostile Perl files, huge files, unusual encodings, Unicode/path edge cases, parser hangs, panics, or memory/CPU DoS despite configured limits. Lower priority unless there is a real security boundary: - Vendored/generated C under tree-sitter-perl-c/c-src. This crate is primarily a compatibility/reference C FFI binding and benchmark baseline against the native Rust parser. Findings are useful if they affect packaged crate safety, FFI exposure, build.rs behavior, provenance, or user-facing parsing APIs; otherwise please do not spend most of the pass there. - Benchmark-only binaries and publish=false crates such as perl-parser-bench, unless the issue is shared with production crates. - Archived, legacy, docs, and test harness code, unless it is shipped, invoked by release workflows, or reachable from normal install/editor/debug flows. Please avoid style, lint, formatting, naming, and general complexity comments unless they create or materially hide a plausible vulnerability. Good findings should include affected files, threat model, severity, exploitability, and a minimal repro. Thank you!
60
Total findings
0
CRITICAL
22
HIGH
30
MEDIUM
2
HIGH_BUG
6
BUG
The full report is private to the requester and donor. Public pages only show safe summary metadata.