
Mitigation for dependency confusion attack caused by lack of --registry arg #451

Closed
kornelski opened this issue Feb 10, 2021 · 1 comment

Comments

@kornelski

kornelski commented Feb 10, 2021

Cargo and cargo-edit aren't technically vulnerable to the dependency confusion attack the way other registries are, but there is a possibility of human error if a user adds a dependency and forgets to specify that they meant to add it from an alternative registry. Because dependencies can run code in build.rs, a planted dependency could exploit the confusion even if it couldn't build properly.

The scenario is:

  1. Attacker figures out that a company uses the company-internal-utils crate from its private registry
  2. Attacker publishes a malicious company-internal-utils on crates.io
  3. Someone at the company eventually makes a mistake and runs cargo add company-internal-utils instead of cargo add company-internal-utils --registry=internal

I propose to mitigate this risk by detecting when the same name is in both crates.io and any alternative registry that Cargo knows about, and treating such dependencies as ambiguous if they're added without an explicit --registry arg.

cargo add company-internal-utils
error: `company-internal-utils` exists in both "internal" and "crates.io" registries. 
Please specify which registry should be used:

cargo add company-internal-utils --registry=internal
or
cargo add company-internal-utils --registry=crates.io

(same issue for Cargo)
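The ambiguity check proposed above, as an added example that is not part of the issue or of cargo-edit's own code: a registry-index snapshot is constructed inline (`sample_indexes`, a hypothetical helper), `resolve` returns an ambiguous result only when more than one known registry serves the name and no explicit registry was given, and `ambiguity_message` renders the error in the shape the proposal sketches.

```rust
use std::collections::{BTreeMap, BTreeSet};
/// Registry name -> crate names its index serves (a real tool would query each index).
pub type Indexes = BTreeMap<String, BTreeSet<String>>;
#[derive(Debug, PartialEq)]
pub enum Resolution {
    /// Exactly one registry serves the name, or the user named one explicitly.
    Registry(String),
    /// More than one registry serves the name and no --registry was given.
    Ambiguous(Vec<String>),
    NotFound,
}
/// Decide which registry `cargo add <name>` should use.
pub fn resolve(indexes: &Indexes, name: &str, explicit: Option<&str>) -> Resolution {
    if let Some(reg) = explicit {
        // An explicit --registry states the user's intent; honour it as-is.
        return Resolution::Registry(reg.to_string());
    }
    let hits: Vec<String> = indexes
        .iter()
        .filter(|(_, crates)| crates.contains(name))
        .map(|(reg, _)| reg.clone())
        .collect();
    match hits.len() {
        0 => Resolution::NotFound,
        1 => Resolution::Registry(hits[0].clone()),
        _ => Resolution::Ambiguous(hits),
    }
}
/// Error text in the shape the issue proposes, one explicit command per registry.
pub fn ambiguity_message(name: &str, registries: &[String]) -> String {
    let quoted: Vec<String> = registries.iter().map(|r| format!("\"{}\"", r)).collect();
    let mut msg = format!(
        "error: `{}` exists in the {} registries.\nPlease specify which registry should be used:\n",
        name, quoted.join(" and ")
    );
    for r in registries {
        msg.push_str(&format!("  cargo add {} --registry={}\n", name, r));
    }
    msg
}
/// Constructed sample: an internal registry and crates.io both serve the same name.
pub fn sample_indexes() -> Indexes {
    let mut idx = Indexes::new();
    idx.insert("crates.io".into(), ["serde", "company-internal-utils"].iter().map(|s| s.to_string()).collect());
    idx.insert("internal".into(), ["company-internal-utils", "billing-core"].iter().map(|s| s.to_string()).collect());
    idx
}
```

Note that a bare name served by a single registry still resolves silently; only a collision across registries without `--registry` turns into the error.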

@epage
Collaborator

epage commented May 11, 2022

Moved to rust-lang/cargo#10656

@epage epage closed this as completed May 11, 2022