
Help catch internal-crate squatting attacks when adding a dependency #10656

Open
epage opened this issue May 11, 2022 · 2 comments
Labels
C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` Command-add S-triage Status: This issue is waiting on initial triage.

Comments

@epage
Contributor

epage commented May 11, 2022

Problem

Say a company has an internal registry with an internal crate company-utils. If an attacker knows this and creates a malicious crate on crates.io with that name, people will pick it up when running cargo add and forgetting the --registry flag.

Proposed Solution

Warn the user when a new registry dependency is added without --registry and the dependency name exists in one of the configured registries.

Notes

See also killercup/cargo-edit#451

@epage epage added C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` Command-add labels May 11, 2022
@epage
Contributor Author

epage commented May 11, 2022

For typo squatting, see #10655

@kornelski
Contributor

Checking for dupes in alternative registries would tell them what crates.io crates users are adding, and such information disclosure may be undesirable. To mitigate this, I suggest using only the local registry caches to check if there is a crate with an overlapping name.

Users of private registries will usually already have their private crates' metadata cached from previous uses or via other private dependencies, so the check can be effective even if limited to only local cache. It's unfortunate it can't be 100% reliable, but I think some warning is better than none at all.
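An added sketch of the check proposed in this issue, combined with the local-cache-only approach suggested above (example code written for this thread, not Cargo's own implementation). It assumes each configured registry's cached index uses the standard index layout (1/x, 2/xy, 3/a/abc, ab/cd/name, lowercased) and takes the cache roots as parameters; the registry names and paths are constructed for illustration.

```rust
use std::path::{Path, PathBuf};

/// Relative path of a crate's entry in a registry index (crates.io layout,
/// which the local `.cache` directory mirrors). Index paths are lowercase.
/// Returns None for an empty name, which can have no index entry.
pub fn index_path(name: &str) -> Option<PathBuf> {
    let lower = name.to_ascii_lowercase();
    let mut p = PathBuf::new();
    match lower.len() {
        0 => return None,
        1 => p.push("1"),
        2 => p.push("2"),
        3 => {
            p.push("3");
            p.push(&lower[..1]);
        }
        _ => {
            p.push(&lower[..2]);
            p.push(&lower[2..4]);
        }
    }
    p.push(lower);
    Some(p)
}

/// Names of configured registries whose *local* index cache already holds a
/// crate called `dep`. `caches` pairs a registry name (hypothetical) with the
/// root of its cached index. Only files on disk are consulted, so the check
/// never tells the alternative registry which crates.io crate is being added.
pub fn registries_with_crate(dep: &str, caches: &[(&str, &Path)]) -> Vec<String> {
    let Some(rel) = index_path(dep) else { return Vec::new() };
    caches
        .iter()
        .filter(|(_, root)| root.join(&rel).is_file())
        .map(|(reg, _)| reg.to_string())
        .collect()
}

/// Warning text to print when `cargo add <dep>` was run without --registry
/// but a same-named crate is known locally from another registry.
pub fn squatting_warning(dep: &str, caches: &[(&str, &Path)]) -> Option<String> {
    let hits = registries_with_crate(dep, caches);
    if hits.is_empty() {
        return None;
    }
    Some(format!(
        "warning: `{dep}` was added from crates.io but a crate with that name \
         also exists in registry `{}`; did you mean `--registry {}`?",
        hits.join("`, `"),
        hits[0]
    ))
}
```

The cache cannot prove a name is absent from the private registry, only that it is present, so a missing hit is not a clean bill of health.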

@epage epage added the S-triage Status: This issue is waiting on initial triage. label Nov 20, 2024