无论是跑cargo build还是跑cargo run,请务必在沙盒环境里面跑
因为你永远也不知道build.rs会对你的电脑做什么奇奇怪怪的事情
曾经有一个说法是,gcc可以有一个后门,这个后门的内容是,当发现自己在编译gcc的时候,将后门复制到新生成的二进制文件中
这种诡异的操作……如果你写了一个rust core team需要依赖的包,借此投个毒,似乎并不特别困难。
这个crate只对linux系统+用rustup安装的rustc生效,windows可能会投毒失败,包管理器安装的rustc对普通用户不可写,因此这个crate也不会成功
但想想,这个crate可以改rustc……就有些毛骨悚然
有什么build.rs不能做的呢?
(比如,读取你crates.io里面的token?)
附security@rust-lang.org的回信原文:
Hello, and thanks for reaching out.
In general, this Security Response group exists to coordinate new security issues in private, in order to avoid exploitation before things can be fixed. When an issue is already publicly known, it's better to just engage with the appropriate teams directly, in open source fashion.
This issue of build-time execution is very well known, and long standing, so it does not need private coordination. Here are a few samples of public discussion:
Feb 2016: Sandbox build.rs and plugins https://github.com/rust-lang/rfcs/issues/1515
Jul 2018: Sandbox/jail build scripts https://github.com/rust-lang/cargo/issues/5720
Dec 2021: Build-time execution sandboxing https://github.com/rust-lang/compiler-team/issues/475
Today: Sandbox build.rs and proc macros https://internals.rust-lang.org/t/sandbox-build-rs-and-proc-macros/16345
So you can see that people do already know about this, and want to see a solution like sandboxing, but it is not a trivial thing. You are welcome to participate in that solution!
I fear that your hotfix suggestion of an alert would just become a nuisance that people learn to step around or disable, to little effect. It's not just build scripts that need to be considered either, but also procedural macros, and all build-dependencies that may be included in either case.
I would also like to point out that this issue is not new to NPM or Cargo. Even back to the oldest "./configure; make" kind of projects, there has been a possibility of those build "scripts" doing something improper.
I hope you understand, and again I invite you to get involved if you are able!
Thanks Josh Stone Rust Security Response WG
评论区
写评论考虑一个问题:
你的依赖项的依赖项的依赖项……简单地用源码投了毒
外网对沙盒的评价一直是“我们很需要,但沙盒很复杂”
我只在你这里接受到了这个众所周知的漏洞的负面评价
👇
seth-hg: 有点过了。只要权限足够,执行任何程序都可以修改rustc,都可以投毒,不限于cargo或者其他构建系统。这也不是什么秘密。
build.rs的问题在于它可以调用任意api,执行任何操作不受操作系统以外的限制。但是build.rs是以源码形式分发,在构建的时候执行,所以做任何可疑的操作都很容易被发现,危险性比一些二进制形式分发的程序要小多了。
前面说的神秘兮兮,我还以为rust team故意留了漏洞,并且正在利用漏洞做什么勾当呢。
有点过了。只要权限足够,执行任何程序都可以修改rustc,都可以投毒,不限于cargo或者其他构建系统。这也不是什么秘密。
build.rs的问题在于它可以调用任意api,执行任何操作不受操作系统以外的限制。但是build.rs是以源码形式分发,在构建的时候执行,所以做任何可疑的操作都很容易被发现,危险性比一些二进制形式分发的程序要小多了。
前面说的神秘兮兮,我还以为rust team故意留了漏洞,并且正在利用漏洞做什么勾当呢。
写了个用于自动审计仓库中
build.rs
的东西: https://github.com/chuigda/Kits/blob/master/build-rs-audit.rsmark
所以是什么事情呢.这云里雾里绕的,话都要说不明白了吗
ddos?
mark。。。好家伙,别步了node-ipc的后尘啊
mark
希望别是谎报军情
Mark
What, fuck.
mark
mark
算了,是漏洞的话没必要提前透露,省的有心人利用。我暂时在虚拟机上跑项目吧
--
👇
5waker: 方便简要说明下么,我最近正在写个人项目,不用cargo很难受
方便简要说明下么,我最近正在写个人项目,不用cargo很难受
具体是什么情况,可以详细说明下吗?