Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit Clap #49

Closed
omarabid opened this issue Nov 2, 2019 · 14 comments
Closed

Audit Clap #49

omarabid opened this issue Nov 2, 2019 · 14 comments

Comments

@omarabid
Copy link

omarabid commented Nov 2, 2019

Clap: https://github.com/clap-rs/clap

There is a single unsafe usage according to Cargo Geiger.
@alex
Copy link
Member

alex commented Nov 2, 2019

Looks like two instances of unsafe:

https://github.com/clap-rs/clap/blob/85f820fa04959be2acef9c831f98f1093c67f987/src/macros.rs#L470-L487

This seems fine, though it looks like an ad-hoc implementation of lazy_static!?

https://github.com/clap-rs/clap/blob/85f820fa04959be2acef9c831f98f1093c67f987/src/util/osstringext.rs#L23-L30

I think this is fine, although it's extremely not obvious -- I can barely tell what the desired behavior is.

@TyPR124
Copy link

TyPR124 commented Nov 2, 2019

In the first instance, could Box::into_raw be replaced with Box::leak to remove the need for unsafe pointer dereference?

@Lokathor
Copy link
Contributor

Lokathor commented Nov 2, 2019

yeah that whole thing can just be a Box::leak

@KillTheMule
Copy link

I think the latter function needs to be marked unsafe, since it does not check for wtf8 validity, see https://github.com/rust-lang/rust/blob/master/src/libstd/sys_common/wtf8.rs#L492.

@Shnatsel
Copy link
Member

Shnatsel commented Nov 2, 2019

@KillTheMule nice find! I think this might cause some actual memory unsafety down the line, potentially turning into a privilege escalation vulnerability.

Could you file a bug against clap describing the issue?

@KillTheMule
Copy link

I‘ll do so in the next few days.

@Shnatsel
Copy link
Member

Shnatsel commented Nov 2, 2019

I've opened a pull request to replace raw pointers with Box::leak(): clap-rs/clap#1593

@evanjs
Copy link

evanjs commented Nov 2, 2019

Okay, so it looks like we're going to be making these changes against master?
Wanted to clarify, what with the whole 3.0 rework and everything.

@Shnatsel
Copy link
Member

Shnatsel commented Nov 2, 2019

This code is identical in 2.33 and master (future 3.0), so I'd start with master and then backport to 2.x series.

@evanjs
Copy link

evanjs commented Nov 2, 2019

Sounds good. Thanks!
Didn’t look too deeply, I just remember having issues with feature parity between the two so I wasn’t sure.

@KillTheMule KillTheMule mentioned this issue Nov 3, 2019
Closed
@KillTheMule
Copy link

Opened an issue. Seems a tad more complicated to solve properly, but pretty contained and doable.

@kbknapp
Copy link

kbknapp commented Nov 3, 2019

For clarity, the PR is against master which will become v3.0. However, for things like this (removing unsafe), I'm also open to a PR against v2-master which could be put out as v2.34 until v3.0 is ready.

@brightly-salty
Copy link

Looks like this should be closed, as all related PRs and issues have been merged or closed?

@Shnatsel
Copy link
Member

Indeed. Thanks!

I'll also happily accept a PR adding clap to the trophy case in README.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@alex @Shnatsel @omarabid @evanjs @KillTheMule @Lokathor @kbknapp @TyPR124 @brightly-salty