
Build script allowlist mode #13681

Open
opeik opened this issue Apr 1, 2024 · 3 comments
Labels
A-build-scripts Area: build.rs scripts A-diagnostics Area: Error and warning messages generated by Cargo itself. A-security Area: security C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.

Comments

@opeik

opeik commented Apr 1, 2024

Problem

Build scripts are pragmatic but increase the surface area for supply chain attacks since they can execute arbitrary code. Most crates (at least in my experience) don't include build scripts. I propose a Cargo feature that disables build scripts if you're paranoid or working with tighter security requirements.

Proposed Solution

A build script allowlist mode (configured via Cargo.toml and friends) that prevents build scripts from executing when enabled. If a crate contains a build script and this option is enabled, the build script isn't executed, and compilation fails. The user can then audit the listed crates containing build scripts. If all is well, the user adds the audited crates to an allowlist, allowing build script execution for the specified crates.

Notes

A build script allowlist mode would be supplemented, but not replaced, by the ongoing sandboxing efforts. I'd argue it's substantially easier to implement, too. It may also discourage unnecessarily using build scripts, which is a win.

Relevant discussion:

@opeik opeik added C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-triage Status: This issue is waiting on initial triage. labels Apr 1, 2024
@epage epage added the A-build-scripts Area: build.rs scripts label Apr 2, 2024
@epage
Contributor

epage commented Apr 2, 2024

This seems incomplete as this wouldn't cover proc macros.

I also wonder if it's worth discussing all potential controls within #5720.
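What the gate described in the issue would actually have to do, and how it could also cover proc macros (the gap epage points out above), as an added example rather than anything Cargo ships: it consumes the JSON that `cargo metadata --format-version 1` already emits (the `packages[].targets[].kind` values `custom-build` and `proc-macro`, and `workspace_members`, are real fields of that format), skips workspace members, and refuses any other package whose targets include one of those kinds unless the package appears in an allowlist. The allowlist file format (one `name@version` per line) and the metadata excerpt below are constructed for the example; the crate names in it are made up.

```python
"""Allowlist check over `cargo metadata --format-version 1` output.

Added example, not Cargo's own code. Flags dependencies that ship a build
script (target kind "custom-build") or a proc macro (target kind
"proc-macro") unless they are listed as `name@version` in an allowlist.
The allowlist format is hypothetical; SAMPLE_METADATA below is a
constructed excerpt shaped like real `cargo metadata` output.
"""
import json
from typing import Dict, List, Set

# Target kinds whose code runs on the build host, not in the final binary.
AUDITED_KINDS = {"custom-build": "build script", "proc-macro": "proc macro"}


def risky_kinds(package: dict) -> List[str]:
    """Human-readable kinds in `package` that need an audit, in target order."""
    found: List[str] = []
    for target in package.get("targets", []):
        for kind in target.get("kind", []):
            label = AUDITED_KINDS.get(kind)
            if label and label not in found:
                found.append(label)
    return found


def parse_allowlist(text: str) -> Set[str]:
    """Hypothetical allowlist format: one `name@version` per line, `#` comments."""
    entries: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line)
    return entries


def check(metadata: dict, allowlist: Set[str]) -> Dict[str, List[str]]:
    """Map offending `name@version` to the reasons it needs an audit.

    Workspace members are skipped: your own build.rs is the thing being
    protected, not the threat. Keys are pinned to the exact version, so a
    new release of an allowlisted crate fails again until re-audited.
    """
    members = set(metadata.get("workspace_members", []))
    violations: Dict[str, List[str]] = {}
    for pkg in metadata["packages"]:
        if pkg["id"] in members:
            continue
        kinds = risky_kinds(pkg)
        if not kinds:
            continue
        key = f'{pkg["name"]}@{pkg["version"]}'
        if key not in allowlist:
            violations[key] = kinds
    return violations


def stale_entries(metadata: dict, allowlist: Set[str]) -> Set[str]:
    """Allowlist entries that match no package in the graph (leftover audits)."""
    present = {f'{p["name"]}@{p["version"]}' for p in metadata["packages"]}
    return allowlist - present


# Constructed excerpt; only the fields the check reads are included.
SAMPLE_METADATA = json.loads("""
{
  "packages": [
    {"name": "myapp", "version": "0.1.0", "id": "path+file:///work/myapp#0.1.0",
     "source": null,
     "targets": [{"kind": ["bin"], "name": "myapp"},
                 {"kind": ["custom-build"], "name": "build-script-build"}]},
    {"name": "native-bindings", "version": "0.3.1", "id": "native-bindings 0.3.1",
     "source": "registry+https://github.com/rust-lang/crates.io-index",
     "targets": [{"kind": ["lib"], "name": "native_bindings"},
                 {"kind": ["custom-build"], "name": "build-script-build"}]},
    {"name": "fancy-derive", "version": "2.0.0", "id": "fancy-derive 2.0.0",
     "source": "registry+https://github.com/rust-lang/crates.io-index",
     "targets": [{"kind": ["proc-macro"], "name": "fancy_derive"}]},
    {"name": "plain-lib", "version": "1.4.2", "id": "plain-lib 1.4.2",
     "source": "registry+https://github.com/rust-lang/crates.io-index",
     "targets": [{"kind": ["lib"], "name": "plain_lib"}]}
  ],
  "workspace_members": ["path+file:///work/myapp#0.1.0"]
}
""")

# Constructed allowlist: one audited crate, one entry left over from an old graph.
SAMPLE_ALLOWLIST = """
# audited: build.rs only emits cargo:rustc-link-lib lines
native-bindings@0.3.1
old-thing@1.0.0   # no longer a dependency
"""

if __name__ == "__main__":
    allow = parse_allowlist(SAMPLE_ALLOWLIST)
    for key, why in sorted(check(SAMPLE_METADATA, allow).items()):
        print(f"error: {key} has a {' and '.join(why)} but is not allowlisted")
    for key in sorted(stale_entries(SAMPLE_METADATA, allow)):
        print(f"warning: allowlist entry {key} matches no package; remove it")
```

On the sample, `native-bindings` passes because it is listed, `myapp` is skipped as a workspace member, and `fancy-derive@2.0.0` is reported for its proc macro. Against a real tree you would `json.load` the output of `cargo metadata --format-version 1 --locked` into `check` and fail the build on a non-empty result. Pinning the allowlist to `name@version` is the minimum; keying it on the registry checksum Cargo records in `Cargo.lock` is stronger, since it also catches a re-published or mirrored crate that changed its build script without bumping the version.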

@heisen-li
Contributor

I know the maintainers are wary of adding warnings and such, but perhaps a hint during cargo check or elsewhere could be `[security tip]: a custom build script exists for the crate you are relying on.`

As a temporary solution before implementing the RFC.

@epage
Contributor

epage commented Apr 3, 2024

Cargo's output is pretty noisy as is and providing an always-on unactionable message would likely not move forward.

With #12235, we'll be able to have more linting and would love to integrate a lot of cargo deny behavior. The main question is where these kind of lints should live, see https://blog.rust-lang.org/inside-rust/2024/03/26/this-development-cycle-in-cargo-1.78.html#linter-for-cargo

@weihanglo weihanglo added S-needs-info Status: Needs more info, such as a reproduction or more background for a feature request. A-security Area: security S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted. and removed S-triage Status: This issue is waiting on initial triage. S-needs-info Status: Needs more info, such as a reproduction or more background for a feature request. labels Apr 10, 2024
@epage epage added the A-diagnostics Area: Error and warning messages generated by Cargo itself. label Dec 6, 2024
Projects
None yet
Development

No branches or pull requests

4 participants