Cargo nightly squatting?
This week I ran the following command:
% cargo +nightly fmt error: toolchain 'nightly-aarch64-apple-darwin' is not installed
Oh, that makes sense. Let’s fix it.
% cargo install nightly Updating crates.io index error: could not find `nightly` in registry `crates-io` with version `*`
I blink a few times. Ah yes, I see it is another day where a typo has invited a stranger to execute arbitrary code on my machine. But I got away with it this time.
For the benefit of those not so involved with Rust: I was supposed to run the tool
rustup in the second command.
rustup install nightly is a request to download and install the official “nightly” Rust toolchain. What I actually ran asked
cargo to download a package called
nightly from crates.io, and compile and install it as a binary on my path. Due to
build.rs build scripts in particular, the process of compiling a Rust project permits arbitrary code execution. Therefore if there was a package on crates.io called
nightly whose malicious intent had not yet been identified, at this moment anything could have happened to my machine: SSH keys stolen, files deleted, corporate espionage, all that good stuff.
Happily, there is no such crate.
Why not, I wonder? Has crates.io put a block on submitting a crate called
nightly? Or is it simply that nobody has thought of doing this yet?
It’s not just
rustup where you can get into trouble either. A while back I tried to install
ripgrep, a popular grep-alike which uses the binary name
rg. Without double-checking I ran
cargo install rg.
Nowadays this safety crate is published by burntsushi, the author of ripgrep; at the time it was just some friendly GitHub user I didn’t recognise who did it out of the kindness of their own heart. It didn’t do anything except print a message that I’d installed the wrong crate, but it was an eyebrow-raising moment.
So what do I do here? Should I attempt to upload a benign
nightly crate whose build script emits a warning “Hello; I am a friendly hacker. You meant to run
rustup.”? If crates.io permitted me to do so it could be a bit of fun.
I don’t think I will though. It just feels like whack-a-mole. (If one of you dear readers tries, drop me an email—I’m curious to know how you get on.) I need to contemplate carefully how I operate my tools if I’m just one small lapse away from a self-pwn. Perhaps I need to train myself to treat
rustup with the same caution as