diff --git a/src/cargo/util/config/mod.rs b/src/cargo/util/config/mod.rs
index 15414ece9af..2f8659a279b 100644
--- a/src/cargo/util/config/mod.rs
+++ b/src/cargo/util/config/mod.rs
@@ -1244,10 +1244,28 @@ impl Config {
 );
 }
 
- let toml_v = toml::from_document(doc).with_context(|| {
+ let toml_v: toml::Value = toml::from_document(doc).with_context(|| {
 format!("failed to parse value from --config argument `{arg}`")
 })?;
 
+ if toml_v
+ .get("registry")
+ .and_then(|v| v.as_table())
+ .and_then(|t| t.get("token"))
+ .is_some()
+ {
+ bail!("registry.token cannot be set through --config for security reasons");
+ } else if let Some((k, _)) = toml_v
+ .get("registries")
+ .and_then(|v| v.as_table())
+ .and_then(|t| t.iter().find(|(_, v)| v.get("token").is_some()))
+ {
+ bail!(
+ "registries.{}.token cannot be set through --config for security reasons",
+ k
+ );
+ }
+
 CV::from_toml(Definition::Cli, toml_v)
 .with_context(|| format!("failed to convert --config argument `{arg}`"))?
 };
diff --git a/tests/testsuite/config_cli.rs b/tests/testsuite/config_cli.rs
index db4c8600fc6..dd08e13d103 100644
--- a/tests/testsuite/config_cli.rs
+++ b/tests/testsuite/config_cli.rs
@@ -368,6 +368,24 @@ b=2` was not a TOML dotted key expression (such as `build.jobs = 2`)",
 );
 }
 
+#[cargo_test]
+fn no_disallowed_values() {
+ let config = ConfigBuilder::new()
+ .config_arg("registry.token=\"hello\"")
+ .build_err();
+ assert_error(
+ config.unwrap_err(),
+ "registry.token cannot be set through --config for security reasons",
+ );
+ let config = ConfigBuilder::new()
+ .config_arg("registries.crates-io.token=\"hello\"")
+ .build_err();
+ assert_error(
+ config.unwrap_err(),
+ "registries.crates-io.token cannot be set through --config for security reasons",
+ );
+}
+
 #[cargo_test]
 fn no_inline_table_value() {
 // Disallow inline tables
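Review bot: The new guard in the mod.rs hunk rejects only a key literally named `token` under `registry` and `registries.<name>`, and nothing in the hunk records why, so a maintainer adding another credential-bearing key to those tables has no cue to extend it; a comment above `if toml_v` such as `// Credentials must not arrive via --config: command-line arguments are presumably visible in process listings and shell history, unlike a config file, so reject any `token` under registry/registries here (extend this check for any new secret-bearing key).` would carry that rationale. The `else if` means that when both `registry.token` and a `registries.*.token` are present only the first is reported, which is harmless since either aborts. This hunk covers only the `KEY=VALUE` form of `--config`; if a file-path form of `--config` is handled elsewhere in this method, confirm it is either subject to the same restriction or has a different exposure model. The enclosing method starts and ends outside the hunk.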
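Review bot: `no_disallowed_values` in the config_cli.rs hunk only exercises the rejection path; since the `registries` scan iterates every entry and probes each for `token`, a positive case such as `.config_arg("registries.crates-io.index=\"<illustrative url>\"")` followed by a successful `.build()` would pin that a non-token key under `registries.<name>` is still accepted and guard against the check being broadened by accident. Whether `build()` succeeds with only an index set is something to confirm against the builder rather than assume.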