Commits on Sep 27, 2022

1. CVE-2022-36114: increase the maximum unpacked size of a crate to 1GiB …

   A common use-case of private registries is to host projects that
   may require slightly higher limits than what is a good fit for the
   public crates.io registry, such as crates with vendored binary
   dependencies, or other larger crates that may not fit on crates.io.
   
   When supporting many targets (architecture/OS combinations),
   the size of a crate on a private registry with vendored dependencies
   is proportional in the number of targets, so as support for more
   targets is added, a crate can reasonably exceed 512MiB.
   
   The limit to pick is somewhat arbitrary, but in the context of
   CVE-2022-36114 we should be considerate of users with lower-end or
   older hardware, who may be the most vulnerable to zip-bombs.
   
   As a comparison point, on my system building a hello world
   with `reqwest` that GETs example.org and prints the reply
   consumes 538M under the target/ folder.
   Projects beyond hello worlds that include crates from private
   registries would usually require on the order of 1-10 GiBs free disk
   space for the target folder.
   
   It seems resonable to pick a threshold for treating a Rust crate
   in an external registry as a zip bomb up to be in the same order of
   magnitude (or just above) disk usage numbers that a regular user
   could be expected to encounter in normal, non-malicious scenarios.
   
   This commit only bumps the limit to 1GiB based on need,
   but it may not be entirely unreasonable in the future to consider even
   slightly higher thresholds to not be zip-bombs,
   on a "pro re nata" (as needed) basis.

   

   tux3 committed Sep 27, 2022
   Configuration menu

   • View commit details
   • Copy full SHA for 39f49c1
   • Browse repository at this point

   Copy the full SHA

   39f49c1 View commit details

   Browse the repository at this point in the history