A Security Vulnerability In Rust's Cargo Tool

The tools we use to develop software must themselves be secure. Recently, a security vulnerability was found in Rust's Cargo tool. If you're not familiar, Cargo is the essential tool for managing Rust projects.

It handles tasks like building code and managing dependencies. However, a significant flaw was discovered in this tool. The vulnerability lies in the way Cargo generates reports with the `cargo build --timings` command.

The cargo build --timings Command

When you run this command, it creates a report that shows how long each step of the build process takes. This report also includes a list of features for each crate, which are basically options or capabilities that can be enabled or disabled in a package. This feature was introduced in Rust version 1.60.0.

The problem here is that Cargo didn't properly escape these feature names when it included them in the report. Escaping, in this context, means converting characters that a browser would interpret as markup into a form it treats as plain text.

This oversight means that a malicious package, included as a dependency, could inject almost any HTML into the report. Here’s a sample output of what part of the report looks like:


Why This Vulnerability is a Big Deal

Now, you might be wondering why this is a big deal. Well, if the report is uploaded to a website that uses credentials, this unescaped HTML can lead to a cross-site scripting (XSS) attack.

In simple terms, XSS allows an attacker to run malicious scripts in the web browser of anyone viewing the report. This could be used to steal information or perform actions on behalf of the user.

Who is Affected by this Vulnerability

So, how widespread is this issue? Before Rust 1.72, Cargo allowed feature names to contain nearly any characters. Although a warning about future incompatibility had been issued since Rust 1.49, the actual restriction wasn’t enforced. Even though crates.io, the official Rust package registry, has strict rules and doesn’t allow such characters, the problem persisted in the generated reports.

This means that if someone uploaded a report to a domain that uses credentials, the injected JavaScript could access resources belonging to the website visitor. For instance, a malicious feature name such as `<img src='' onerror=alert(0)>` would be written into the report verbatim as `features=[<img src='' onerror=alert(0)>]` and exploit this vulnerability.

Addressing this vulnerability in Rust 1.72

The good news is that this issue has been addressed in Rust 1.72. To fix this vulnerability, the validation of feature names has been made stricter. Now, any feature names that don’t meet the required standards will result in a hard error, effectively preventing such exploits. Users are strongly encouraged to update to the latest version of Rust to take advantage of this fix and keep their environments secure.
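To make the two defences concrete (the escaping described earlier and the stricter validation that fixed the issue), here is an added example in Rust; it is not Cargo's own code. The allowed-character set in the validator is an assumption modelled loosely on the post-1.72 rules described above, and the escaper is applied when a name is written into the report, so the injected name from the advisory is rejected up front and, had it reached the output, would render as inert text.

```rust
// Added example, not Cargo's own code. The allow-list below is an assumption
// (loosely modelled on Cargo's post-1.72 feature-name rules), not copied from it.

/// Reject feature names outside a conservative allow-list: the first character
/// must be alphanumeric or `_`, the rest alphanumeric or one of `_ - + .`.
fn validate_feature_name(name: &str) -> Result<(), String> {
    let mut chars = name.chars();
    match chars.next() {
        None => return Err("feature name is empty".to_string()),
        Some(c) if c.is_alphanumeric() || c == '_' => {}
        Some(c) => return Err(format!("invalid first character `{}`", c)),
    }
    let allowed = |c: &char| c.is_alphanumeric() || matches!(*c, '_' | '-' | '+' | '.');
    if let Some(c) = chars.find(|c| !allowed(c)) {
        return Err(format!("invalid character `{}` in feature name", c));
    }
    Ok(())
}

/// Escape the characters an HTML parser treats as markup so the value is shown as text.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Render the `features=[...]` fragment of a report: refuse invalid names first,
/// and still escape the accepted ones so output encoding never relies on validation alone.
fn render_features(features: &[&str]) -> Result<String, String> {
    let mut parts = Vec::with_capacity(features.len());
    for f in features {
        validate_feature_name(f)?;
        parts.push(escape_html(f));
    }
    Ok(format!("features=[{}]", parts.join(", ")))
}

fn main() {
    // Constructed inputs: a benign feature list and the injected name from the advisory.
    println!("{:?}", render_features(&["default", "serde"]));
    println!("{:?}", render_features(&["<img src='' onerror=alert(0)>"]));
    println!("{}", escape_html("<img src='' onerror=alert(0)>"));
}
```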

By understanding and addressing CVE-2023-40030, developers can better protect their Rust projects from potential security threats. Ensuring that their dependencies are safe and their build reports are secure is crucial in maintaining the integrity of their projects.

Armur: Enhancing Security For Developers

To improve the security and reliability of your code, there’s no better solution than Armur. Armur provides developers with next-generation security tools that help protect and enhance their work. One of the key features of Armur is its code-scanning tool.

This tool allows you to scan your Rust programs thoroughly, identifying any security issues that may be present. Furthermore, it offers detailed recommendations on how to fix these issues, ensuring that your code remains robust and secure.

To stay updated with the latest security discussions, you can join our Discord server, where we share insights and learning resources on topics such as SecOps, DevSec and Red Teaming. Additionally, you can try out Armur and get 100 free credits.
