Cargo and cargo-edit aren't technically vulnerable to the dependency confusion attack the way other registries are, but there is a possibility of human error if a user adds a dependency and forgets to specify that they meant to add it from an alternative registry. Because dependencies can run code in `build.rs`, a planted dependency could exploit the confusion even if it couldn't build properly.
The scenario is:

1. Attacker figures out that a company uses a `company-internal-utils` crate from their private registry
2. Attacker publishes a malicious `company-internal-utils` on crates.io
3. Someone at the company eventually makes a mistake and runs `cargo add company-internal-utils` instead of `cargo add company-internal-utils --registry=internal`
I propose to mitigate this risk by detecting when the same name is in both crates.io and any alternative registry that Cargo knows about, and treating such dependencies as ambiguous if they're added without an explicit `--registry` argument:
```
$ cargo add company-internal-utils
error: `company-internal-utils` exists in both "internal" and "crates.io" registries.
Please specify which registry should be used:

    cargo add company-internal-utils --registry=internal

or

    cargo add company-internal-utils --registry=crates.io
```
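The ambiguity check the proposal describes, written out as an added example; this is not cargo-edit's or Cargo's own code. It assumes a constructed in-memory map of registry name to the crate names that registry's index lists (`sample_registries`, with a made-up `internal` registry and a made-up `billing-core` crate), where the real tool would query each configured registry's index. It generalizes the proposal slightly: any crate name listed by more than one known registry is treated as ambiguous unless `--registry` is given, not only the crates.io-plus-one-alternative case.

```rust
use std::collections::BTreeMap;

/// Registry name -> crate names its index lists. Constructed sample data for
/// this example; cargo-edit would obtain this by querying each registry index.
pub type RegistryIndex = BTreeMap<String, Vec<String>>;

#[derive(Debug, PartialEq)]
pub enum Resolution {
    /// Exactly one known registry provides the crate (or the explicitly named one does).
    Unique(String),
    /// More than one known registry provides the crate and no --registry was
    /// given: the tool should refuse rather than silently pick crates.io.
    Ambiguous(Vec<String>),
    /// No known registry (or the explicitly named one) lists the crate.
    NotFound,
}

/// Decide which registry `cargo add NAME [--registry=REG]` should use.
pub fn resolve(name: &str, explicit: Option<&str>, registries: &RegistryIndex) -> Resolution {
    let provides = |reg: &str| -> bool {
        registries
            .get(reg)
            .map_or(false, |crates| crates.iter().any(|c| c == name))
    };

    // An explicit --registry removes all ambiguity: only that registry is consulted.
    if let Some(reg) = explicit {
        return if provides(reg) {
            Resolution::Unique(reg.to_string())
        } else {
            Resolution::NotFound
        };
    }

    // No --registry: collect every known registry that lists this name.
    let providers: Vec<String> = registries
        .keys()
        .filter(|reg| provides(reg.as_str()))
        .cloned()
        .collect();

    match providers.len() {
        0 => Resolution::NotFound,
        1 => Resolution::Unique(providers.into_iter().next().unwrap()),
        _ => Resolution::Ambiguous(providers),
    }
}

/// Render the outcome in the shape of the error message proposed above.
pub fn render(name: &str, res: &Resolution) -> String {
    match res {
        Resolution::Unique(reg) => format!("adding `{name}` from registry \"{reg}\""),
        Resolution::NotFound => format!("error: no known registry provides `{name}`"),
        Resolution::Ambiguous(regs) => {
            let quoted: Vec<String> = regs.iter().map(|r| format!("\"{r}\"")).collect();
            let mut msg = format!(
                "error: `{name}` exists in both {} registries.\nPlease specify which registry should be used:\n",
                quoted.join(" and ")
            );
            for reg in regs {
                msg.push_str(&format!("    cargo add {name} --registry={reg}\n"));
            }
            msg
        }
    }
}

/// Constructed sample indexes: "internal" and "billing-core" are made up for the example.
pub fn sample_registries() -> RegistryIndex {
    let mut idx = RegistryIndex::new();
    idx.insert("crates.io".into(), vec!["serde".into(), "company-internal-utils".into()]);
    idx.insert("internal".into(), vec!["company-internal-utils".into(), "billing-core".into()]);
    idx
}

fn main() {
    let regs = sample_registries();
    let cases = [
        ("serde", None),
        ("company-internal-utils", None),
        ("company-internal-utils", Some("internal")),
    ];
    for (name, explicit) in cases {
        println!("{}", render(name, &resolve(name, explicit, &regs)));
    }
}
```

The key design point is in `resolve`: with `--registry` given, only that registry is consulted, so a user who states intent never hits the ambiguity error; without it, the tool refuses to guess whenever the name has more than one provider, which is exactly the situation the planted crates.io package relies on.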
(same issue for Cargo)