cargo-caps 0.0.1

Audit what a crate is capable of by analyzing what linker symbols it emits
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179

use std::{
    fs,
    io::{Cursor, Read as _},
};

use anyhow::{Context as _, Result};
use cargo_metadata::camino::Utf8Path;
use object::{
    Object as _, ObjectSymbol as _, SymbolKind as ObjectSymbolKind,
    SymbolScope as ObjectSymbolScope,
};

pub use capability::{Capability, CapabilitySet};

use crate::symbol::{Symbol, SymbolKind, SymbolScope};

mod build_graph_analysis;
mod cap_rule;
mod capability;
mod checker;
mod commands;
mod config;
mod crate_name;
mod demangle;
mod print;
mod reservoir_sample;
mod rust_path;
mod rust_type;
mod symbol;
mod tree;

pub use commands::Commands;
use crate_name::CrateName;

/// Extract symbols from an binary, e..g an executable, `.dylib`, or an `.rlib`.
fn extract_symbols(binary_path: &Utf8Path) -> Result<Vec<Symbol>> {
    let file_bytes =
        fs::read(binary_path).with_context(|| format!("Failed to read {binary_path}"))?;

    // Check if it's an ar archive (rlib files are ar archives)
    let is_ar_archive = file_bytes.starts_with(b"!<arch>\n");

    let mut symbols = Vec::new();

    if is_ar_archive {
        // .rlib
        let mut archive = ar::Archive::new(Cursor::new(file_bytes));

        // Extract and process each object file in the archive
        while let Some(entry_result) = archive.next_entry() {
            let mut entry = entry_result.context("Failed to read archive entry")?;

            // Skip non-object files (like metadata files)
            let header = entry.header();
            let filename = String::from_utf8_lossy(header.identifier());

            if !filename.ends_with(".o") {
                continue;
            }

            // Read the object file data
            let mut obj_data = Vec::new();
            entry
                .read_to_end(&mut obj_data)
                .context("Failed to read object file from archive")?;

            // Parse the object file and extract symbols
            if let Ok(file) = object::File::parse(&*obj_data) {
                collect_file_symbols(&mut symbols, &file);
            } else {
                // TODO: Return error
            }
        }
    } else {
        // Assume an executable or dylib
        let file =
            object::File::parse(&*file_bytes).with_context(|| "Failed to parse binary file")?;
        collect_file_symbols(&mut symbols, &file);
    }

    Ok(symbols)
}

/// Filter symbols based on scope and kind preferences
pub fn filter_symbols(
    symbols: Vec<Symbol>,
    include_local: bool,
    include_all_kinds: bool,
) -> Vec<Symbol> {
    symbols
        .into_iter()
        .filter(|symbol| {
            // Filter by scope - exclude local compilation symbols by default
            let scope_allowed = include_local || !matches!(symbol.scope, SymbolScope::Compilation);

            // Filter by kind - only include executable code and unknown by default
            let kind_allowed = include_all_kinds
                || matches!(
                    symbol.kind,
                    SymbolKind::Text | SymbolKind::Label | SymbolKind::Unknown
                );

            scope_allowed && kind_allowed
        })
        .collect()
}

fn collect_file_symbols(all_symbols: &mut Vec<Symbol>, file: &object::File<'_>) {
    for symbol in file.symbols() {
        if let Ok(name) = symbol.name()
            && !name.is_empty()
        {
            let scope = match symbol.scope() {
                ObjectSymbolScope::Unknown => SymbolScope::Unknown,
                ObjectSymbolScope::Compilation => SymbolScope::Compilation,
                ObjectSymbolScope::Linkage => SymbolScope::Linkage,
                ObjectSymbolScope::Dynamic => SymbolScope::Dynamic,
            };

            #[expect(clippy::match_same_arms)]
            let kind = match symbol.kind() {
                ObjectSymbolKind::Unknown => SymbolKind::Unknown,
                ObjectSymbolKind::Text => SymbolKind::Text,
                ObjectSymbolKind::Data => SymbolKind::Data,
                ObjectSymbolKind::Section => SymbolKind::Section,
                ObjectSymbolKind::File => SymbolKind::File,
                ObjectSymbolKind::Label => SymbolKind::Label,
                ObjectSymbolKind::Tls => SymbolKind::Tls,
                _ => SymbolKind::Unknown,
            };

            all_symbols.push(Symbol::with_metadata(name.to_owned(), scope, kind));
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_filter_symbols() {
        let symbols = vec![
            Symbol::with_metadata("func1".to_owned(), SymbolScope::Linkage, SymbolKind::Text),
            Symbol::with_metadata(
                "local_func".to_owned(),
                SymbolScope::Compilation,
                SymbolKind::Text,
            ),
            Symbol::with_metadata(
                "data_var".to_owned(),
                SymbolScope::Linkage,
                SymbolKind::Data,
            ),
            Symbol::with_metadata("label1".to_owned(), SymbolScope::Dynamic, SymbolKind::Label),
            Symbol::with_metadata(
                "unknown_sym".to_owned(),
                SymbolScope::Linkage,
                SymbolKind::Unknown,
            ),
        ];

        // Default filtering: exclude local compilation and non-executable (except unknown)
        let filtered = filter_symbols(symbols.clone(), false, false);
        assert_eq!(filtered.len(), 3); // func1, label1, unknown_sym

        // Include local symbols
        let filtered = filter_symbols(symbols.clone(), true, false);
        assert_eq!(filtered.len(), 4); // func1, local_func, label1, unknown_sym

        // Include all kinds
        let filtered = filter_symbols(symbols.clone(), false, true);
        assert_eq!(filtered.len(), 4); // func1, data_var, label1, unknown_sym

        // Include everything
        let filtered = filter_symbols(symbols, true, true);
        assert_eq!(filtered.len(), 5); // all symbols
    }
}