
Neuter Cargo projects extracted from crate files #381

Closed

kornelski opened this issue Jan 20, 2021 · 6 comments

Comments

@kornelski
Member

kornelski commented Jan 20, 2021

Crates may execute arbitrary code at build time. Such code could attack the reviewer's machine and manipulate crev.

The problem is that cargo-crev has an option to open a crate in editor, and fancy editors may automatically run cargo check or rust-analyzer on the untrusted code!

cargo-crev should do something to prevent that, e.g.

  • rename Cargo.toml to Cargo-dont-get-pwned.toml
  • delete .rust-toolchain file, or replace it with one that breaks Rust completely for the project
  • rename .cargo dir, or replace it with config that sets target dir to /dev/null
@dpc
Collaborator

dpc commented Jan 20, 2021

Oh. Good idea.

@dpc
Collaborator

dpc commented Feb 26, 2021

@kornelski I'm looking at 836d46c and I wonder how you make sure to generate a checksum of the original source code exactly, pre-sanitization.

@kornelski
Member Author

I don't. That is just the open command, separate from the review command. review generates the checksum by itself, from Cargo's source dir.

@kornelski
Member Author

but perhaps the activity check flag shouldn't be a flag, but the digest?

@dpc
Collaborator

dpc commented Feb 26, 2021

but perhaps the activity check flag shouldn't be a flag, but the digest?

I think it will make things slightly more complicated, and then the assumption is that the computer you're reviewing on is trusted. Otherwise no amount of precautions can prevent signing off malicious code.

@dpc
Collaborator

dpc commented Feb 26, 2021

review generates the checksum by itself, from Cargo's source dir.

I have a vague memory that there was some comparison being done between the dir that was used to review and a freshly downloaded one. Possibly for both: displaying the unclean package directory notification and the final review comparison. But I might be wrong/misremembering. If that's the case, maybe the sanitized version used for goto and open should be a copy of the pre-sanitized version.

Just raising this to your awareness. Please excuse me if I'm misremembering.

BTW. Awesome work you're doing with lib.rs and crev development.
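As an added example that is not part of this issue thread and not cargo-crev's own code: a Rust sketch of the three neutering steps from the first comment (rename Cargo.toml to Cargo-dont-get-pwned.toml, delete the toolchain override file, move `.cargo` out of the way), combined with dpc's suggestion above that the tree handed to the editor be a copy while the pristine tree is the one that gets digested. Assumptions not taken from the thread: the `.cargo-disabled` name, the FNV-1a digest standing in for a real cryptographic hash, handling `rust-toolchain` and `rust-toolchain.toml` alongside the `.rust-toolchain` name used in the issue, skipping symlinks instead of following them, and the constructed sample crate used for the demonstration.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Record of what the sanitizer changed in the scratch copy.
#[derive(Debug, Default)]
pub struct NeuterReport {
    pub renamed: Vec<(PathBuf, PathBuf)>,
    pub removed: Vec<PathBuf>,
}

// The issue says `.rust-toolchain`; rustup itself reads `rust-toolchain` and `rust-toolchain.toml`.
const TOOLCHAIN_FILES: &[&str] = &[".rust-toolchain", "rust-toolchain", "rust-toolchain.toml"];

/// Defang the top-level crate dir so an editor that auto-runs `cargo check` or
/// rust-analyzer finds nothing to build. `.cargo-disabled` is an assumed name.
pub fn neuter_crate_dir(dir: &Path) -> io::Result<NeuterReport> {
    let mut report = NeuterReport::default();
    let manifest = dir.join("Cargo.toml");
    if manifest.is_file() {
        let target = dir.join("Cargo-dont-get-pwned.toml");
        fs::rename(&manifest, &target)?;
        report.renamed.push((manifest, target));
    }
    for name in TOOLCHAIN_FILES {
        let file = dir.join(name);
        if file.is_file() {
            fs::remove_file(&file)?;
            report.removed.push(file);
        }
    }
    let cargo_dir = dir.join(".cargo");
    if cargo_dir.is_dir() {
        let target = dir.join(".cargo-disabled");
        fs::rename(&cargo_dir, &target)?;
        report.renamed.push((cargo_dir, target));
    }
    Ok(report)
}

// FNV-1a keeps the example dependency-free; a real tool uses a cryptographic hash.
fn fnv1a(mut h: u64, bytes: &[u8]) -> u64 {
    for &b in bytes {
        h = (h ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

// Regular files only, as paths relative to `root`; symlinks are deliberately skipped.
fn collect_files(root: &Path, dir: &Path, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let (ft, path) = (entry.file_type()?, entry.path());
        if ft.is_dir() {
            collect_files(root, &path, out)?;
        } else if ft.is_file() {
            if let Ok(rel) = path.strip_prefix(root) {
                out.push(rel.to_path_buf());
            }
        }
    }
    Ok(())
}

/// Deterministic digest over (relative path, contents) of every file under `root`.
pub fn digest_tree(root: &Path) -> io::Result<u64> {
    let mut files = Vec::new();
    collect_files(root, root, &mut files)?;
    files.sort();
    let mut h = 0xcbf2_9ce4_8422_2325u64;
    for rel in &files {
        h = fnv1a(h, rel.to_string_lossy().as_bytes());
        h = fnv1a(h, &[0]);
        h = fnv1a(h, &fs::read(root.join(rel))?);
        h = fnv1a(h, &[0]);
    }
    Ok(h)
}

/// Recursive copy (symlinks skipped); the original stays untouched, the copy gets opened.
pub fn copy_tree(src: &Path, dst: &Path) -> io::Result<()> {
    fs::create_dir_all(dst)?;
    for entry in fs::read_dir(src)? {
        let entry = entry?;
        let (ft, from, to) = (entry.file_type()?, entry.path(), dst.join(entry.file_name()));
        if ft.is_dir() {
            copy_tree(&from, &to)?;
        } else if ft.is_file() {
            fs::copy(&from, &to)?;
        }
    }
    Ok(())
}

/// Digest the pristine tree, sanitize a copy for the editor, then confirm the pristine
/// tree is byte-for-byte as it was before sanitization.
pub fn prepare_for_editor(original: &Path, scratch: &Path) -> io::Result<(u64, NeuterReport)> {
    let digest = digest_tree(original)?;
    copy_tree(original, scratch)?;
    let report = neuter_crate_dir(scratch)?;
    if digest_tree(original)? != digest {
        return Err(io::Error::new(io::ErrorKind::Other, "reviewed tree changed during sanitization"));
    }
    Ok((digest, report))
}

/// Constructed sample crate with all three hazards present (not a real crate).
pub fn build_sample_crate(dir: &Path) -> io::Result<()> {
    fs::create_dir_all(dir.join("src"))?;
    fs::create_dir_all(dir.join(".cargo"))?;
    fs::write(dir.join("Cargo.toml"), "[package]\nname = \"sample\"\nversion = \"0.1.0\"\nbuild = \"build.rs\"\n")?;
    fs::write(dir.join("build.rs"), "fn main() { /* runs on cargo check */ }\n")?;
    fs::write(dir.join("src/lib.rs"), "pub fn f() {}\n")?;
    fs::write(dir.join("rust-toolchain"), "nightly-2021-01-01\n")?;
    fs::write(dir.join(".cargo/config.toml"), "[build]\ntarget-dir = \"target\"\n")?;
    Ok(())
}

/// Fresh, process-unique scratch directory under the system temp dir.
pub fn scratch_dir(tag: &str) -> PathBuf {
    let dir = std::env::temp_dir().join(format!("crev-neuter-example-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir).expect("create scratch dir");
    dir
}
```

Only the top-level manifest is handled here: a workspace member with its own Cargo.toml in a subdirectory would still be picked up if the editor were pointed at that subdirectory, so a real implementation should walk the tree for every manifest and `.cargo` directory, and should use a proper hash (the FNV-1a above is just there to make the digest check run without crates).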
