Build script allowlist mode #13681
Status: Open
Labels: A-build-scripts (Area: build.rs scripts), A-new-lint (Area: new lint), A-security (Area: security), C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`), S-needs-design (Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.)
Problem
Build scripts are pragmatic but increase the surface area for supply chain attacks since they can execute arbitrary code. Most crates (at least in my experience) don't include build scripts. I propose a Cargo feature that disables build scripts if you're paranoid or working with tighter security requirements.
Proposed Solution
A build script allowlist mode (configured via Cargo.toml and friends) that prevents build scripts from executing when enabled. If a crate contains a build script and this option is enabled, the build script isn't executed, and compilation fails. The user can then audit the listed crates containing build scripts. If all is well, the user adds the audited crates to an allowlist, allowing build script execution for the specified crates.
Notes
A build script allowlist mode would be supplemented, but not replaced, by the ongoing sandboxing efforts. It may also discourage unnecessarily using build scripts, which is a win.
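Until Cargo has such a mode, the same check can be run as a pre-build audit over `cargo metadata` output. The script below is an added example, not part of this issue or of Cargo itself; it detects build scripts by the `custom-build` target kind that `cargo metadata --format-version 1` reports, and the package names and versions in its inline sample are constructed. Allowlist entries are pinned as `name@version`, so a new release of an audited crate (which may ship a different `build.rs`) fails the check until it is re-audited.

```python
import json
from typing import Iterable

# Constructed sample of `cargo metadata --format-version 1` output, trimmed to
# the fields this check reads. A package has a build script when one of its
# targets has kind ["custom-build"]. Names and versions are made up for the demo.
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "myapp", "version": "0.1.0",
         "targets": [{"name": "myapp", "kind": ["bin"]}]},
        {"name": "libc", "version": "0.2.153",
         "targets": [{"name": "libc", "kind": ["lib"]},
                     {"name": "build-script-build", "kind": ["custom-build"]}]},
        {"name": "ring", "version": "0.17.8",
         "targets": [{"name": "ring", "kind": ["lib"]},
                     {"name": "build-script-build", "kind": ["custom-build"]}]},
        {"name": "serde", "version": "1.0.197",
         "targets": [{"name": "serde", "kind": ["lib"]}]},
    ]
})

# Crates whose build scripts have been audited, pinned to the audited version.
ALLOWLIST = ["libc@0.2.153"]


def packages_with_build_scripts(metadata_json: str) -> list[str]:
    """Return 'name@version' for every package that declares a custom-build target."""
    meta = json.loads(metadata_json)
    found = []
    for pkg in meta["packages"]:
        if any("custom-build" in t.get("kind", []) for t in pkg["targets"]):
            found.append(f"{pkg['name']}@{pkg['version']}")
    return sorted(found)


def denied_build_scripts(metadata_json: str, allowlist: Iterable[str]) -> list[str]:
    """Packages with a build script that is not on the pinned allowlist.

    Pinning by version means an audit of libc 0.2.153 does not carry over to
    0.2.154: the newer release shows up here and must be audited again.
    """
    allowed = set(allowlist)
    return [p for p in packages_with_build_scripts(metadata_json) if p not in allowed]


if __name__ == "__main__":
    # In practice feed the real output: cargo metadata --format-version 1 | python3 check.py
    denied = denied_build_scripts(SAMPLE_METADATA, ALLOWLIST)
    for entry in denied:
        print(f"build script not allowlisted: {entry}")
    raise SystemExit(1 if denied else 0)
```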
Relevant discussion: