canonicalize crate name before checking if it's reserved #591
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently reserved crate names come from a text file in the source. There are only two entries which consider canonicalization (e.g. the list contains `compiler-rt` and `compiler_rt`). The fact that the name is not canonicalized allows crates like https://crates.io/crates/std to be uploaded. While this definitely isn't a vulnerability, since the registry does *not* canonicalize the name, we should still disallow crates to be uploaded which appear at the same path as a reserved name, and would prevent a crate with a reserved name from being uploaded later. I've moved the actual data out of the text file, and into the database, so we can have a constraint which verifies this at the closest possible location. (We can't use an actual check constraint, as that disallows subselects). The crate referenced above should be manually deleted.
|
This also removes the code that was scanning the list linearly. +1 |
|
FWIW this list gets updates from time to time, so having it relatively easy to modify would be nice. This'd just require a migration per modification, right? |
|
Yes. There's no way to provide a database level constraint that doesn't require a migration per modification. I could write a binary that generates the migration automatically if you'd like (after #589) |
|
Seems fine 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently reserved crate names come from a text file in the source.
There are only two entries which consider canonicalization (e.g. the
list contains
compiler-rtandcompiler_rt). The fact that the nameis not canonicalized allows crates like https://crates.io/crates/std to
be uploaded. While this definitely isn't a vulnerability, since the
registry does not canonicalize the name, we should still disallow
crates to be uploaded which appear at the same path as a reserved name,
and would prevent a crate with a reserved name from being uploaded
later.
I've moved the actual data out of the text file, and into the database,
so we can have a constraint which verifies this at the closest possible
location. (We can't use an actual check constraint, as that disallows
subselects).
The crate referenced above should be manually deleted.