1. 31
  1.  

  2. 3

    TIL what soundness is, thanks for the nice write up :)

    1. 3

      Interesting way of using a crate to publish blog posts.

      1. 3

        There have been even more inventive things in the past. Docs.rs allows arbitrary JavaScript (which is fine because it doesn’t have any authentication) so you end up with pages like https://docs.rs/pwnies/0.0.13/pwnies/

        1. 5

          I’m not convinced it’s that harmless. E.g. the pwnies crate could overlay a convincing fake docs.rs UI, and get you to download compromised source code if you follow manipulated links.

          1. 4

            Unfortunately it’s pretty hard to prevent such cases.

            Due to the nature of Rust builds (build scripts and proc macros can execute arbitrary code) all the HTML generated by rustdoc has to be treated as untrusted. Making things worse, rustdoc uses inline scripts and styles, so adding a CSP is probably not something we’ll be able to do. Even if rustdoc is tweaked to avoid emitting inline stuff, all the documentation generated in the past still uses those, and rebuilding everything from scratch is not really feasible anymore.

            We’re still trying to think about ways to prevent the issue, but we haven’t thought of anything good yet. In the meantime, if you find something malicious hosted on docs.rs just hit the security team and we’ll remove it ASAP.

            1. 3

              There are crates like ammonia that will parse and sanitize HTML. This could be used on included HTML files and output from the markdown formatter.

              There are probably a few more holes in rustdoc from naive text-in-html concatenation, but these can be fixed by escaping.

              1. 1

                The problem is we can’t trust the output of rustdoc at all, as there are ways to bypass it completely if someone really wants.

              2. 1

                Put it in an iframe that’s (invisibly) hosted on a subdomain of a sandbox domain.. Crate-name.Sandbox-for-docs.rs

                Or use stuff like ammonia, bleach (python), dompurify (js) to sanitize bad stuff but keep “normal” html.

                1. 1

                  > Put it in an iframe that’s (invisibly) hosted on a subdomain of a sandbox domain.. Crate-name.Sandbox-for-docs.rs

                  That was actually an idea I had a few weeks ago, but there are still a lot of open questions about UX and SEO we need to figure out before fully considering it.

                  > Or use stuff like ammonia, bleach (python), dompurify (js) to sanitize bad stuff but keep “normal” html.

                  We can’t trust rustdoc to sanitize stuff.

              3. 2

                Well, downloading the source code from docs.rs is neither the easiest nor the safest way to get code … I’m not sure how likely that is in practice.