1. 3

    Interesting way of using a crate to publish blog posts.

    1. 3

      There’s been even more inventive things in the past. Docs.rs allows arbitrary JavaScript (which is fine because it doesn’t have any authentication) so you end up with pages like https://docs.rs/pwnies/0.0.13/pwnies/

      1. 5

        I’m not convinced it’s that harmless. E.g. the pwnies crate could overlay a convincing fake docs.rs UI, and get you to download compromised source code if you follow manipulated links.

        1. 4

          Unfortunately it’s pretty hard to prevent such cases.

          Due to the nature of Rust builds (build scripts and proc macros can execute arbitrary code) all the HTML generated by rustdoc has to be treated as untrusted. Making things worse, rustdoc uses inline scripts and styles, so adding a CSP is probably not something we’ll be able to do. Even if rustdoc is tweaked to avoid emitting inline stuff, all the documentation generated in the past still uses those, and rebuilding everything from scratch is not really feasible anymore.

          We’re still trying to think about ways to prevent the issue, but we didn’t think of anything good yet. In the meantime, if you find something malicious hosted on docs.rs just hit the security team and we’ll remove it ASAP.

          1. 3

            There are crates like ammonia that will parse and sanitize HTML. This could be used on included HTML files and output from the markdown formatter.

            There are probably a few more holes in rustdoc from naive text-in-html concatenation, but these can be fixed by escaping.

            1. 1

The problem is we can’t trust the output of rustdoc at all, as there are ways to bypass it completely if someone really wants.

            2. 1

Put it in an iframe that’s (invisibly) hosted on a subdomain of a sandbox domain. Crate-name.Sandbox-for-docs.rs

              Or use stuff like ammonia, bleach (python), dompurify (js) to sanitize bad stuff but keep “normal” html.

              1. 1

Put it in an iframe that’s (invisibly) hosted on a subdomain of a sandbox domain. Crate-name.Sandbox-for-docs.rs

                That was actually an idea I had a few weeks ago, but there are still a lot of open questions about UX and SEO we need to figure out before fully considering it.

                Or use stuff like ammonia, bleach (python), dompurify (js) to sanitize bad stuff but keep “normal” html.

                We can’t trust rustdoc to sanitize stuff.
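To make the sanitization discussion above concrete, here is an added example (not code from docs.rs, rustdoc, or the ammonia crate) of what an allowlist-based HTML sanitizer such as ammonia or bleach does with a page that tries the overlay-style attack mentioned earlier. It uses only the Python standard library; the allowlist of tags and attributes, the `UNTRUSTED` sample page and the `sanitize` function are all constructed here for illustration. Everything not explicitly allowed (scripts, styles, event-handler attributes, `javascript:` URLs, comments) is dropped, and the output is re-serialized rather than passed through, which is the property that matters when the input comes from an arbitrary build.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: tag -> attributes permitted on it. Anything else is dropped.
ALLOWED = {
    "p": set(), "br": set(), "em": set(), "strong": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "table": set(), "tr": set(), "td": set(), "th": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}
# Elements whose *content* must be discarded too, not just the tags themselves.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept relative URLs and a few schemes; reject javascript:/data: and friends."""
    # Browsers strip tabs/newlines inside URLs ("java\tscript:"), so refuse any control char.
    if any(ord(c) < 0x20 for c in value):
        return False
    scheme = urlparse(value.strip()).scheme
    return scheme == "" or scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # re-serialized fragments
        self.open_tags = []    # stack of allowed tags we have emitted
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops on* handlers, style=, class=, ...
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close any intervening unclosed tags so the output stays well-formed.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # always re-escape text

    def handle_comment(self, data):
        pass  # comments are dropped; they can carry conditional or hidden markup

    def result(self):
        self.close()
        while self.open_tags:  # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    return s.result()


# Constructed sample of a hostile doc page: an overlay script, an event handler,
# a javascript: link, a hidden stylesheet and a comment, mixed with legitimate markup.
UNTRUSTED = (
    '<h1>pwnies 0.0.13</h1>'
    '<p onmouseover="alert(1)">Hello <b>there</b> <em>docs</em></p>'
    '<script>document.body.innerHTML = "fake docs.rs login"</script>'
    '<a href="javascript:steal()">source</a> '
    '<a href="https://example.org/src.tar.gz" title="x">download</a>'
    '<img src="x" onerror="evil()">'
    '<!-- hidden --><style>body{display:none}</style>'
)

if __name__ == "__main__":
    print(sanitize(UNTRUSTED))
```

Note what this does and does not buy: it neutralizes script, handlers and unsafe URLs in a fragment it is given, but it has to be run on the final HTML that will be served, not inside rustdoc, for the reason given in the reply above that rustdoc's own output cannot be trusted. It also does nothing for pages generated before the sanitizer was deployed.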

            3. 2

              Well, downloading the source code from docs.rs is neither the easiest nor the safest way to get code … I’m not sure how likely that is in practice.

        1. 5

          Yes! An offline mode for cargo. Has anyone built an easy cargo mirror so I can have fun on planes? I’ll just stick it all on an external drive and live happy.

          1. 4

            Nick Cameron’s post mentions:

            Alternatively you can use the prefetch facility in cargo-cacher to cache the entire crates.io registry or individual crates.

            1. 5

I’m not sure if an implementation currently exists but it should be fairly easy to create. All the packages ever uploaded to crates.io currently weigh around 24 GB, so it’s also cheap in terms of local storage required.