rustinel-core 0.1.1

Defensive Rust supply-chain risk analysis: static signals, policy and risk diff for Cargo lockfiles.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

use crate::errors::RustinelError;
use serde::{Deserialize, Serialize};
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};

/// A fully-qualified package identity: `name@version` plus its source registry.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
pub struct PackageId {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
}

impl std::fmt::Display for PackageId {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}@{}", self.name, self.version)
    }
}

/// Canonical source string for packages resolved from the default crates.io
/// registry. Cargo normalises crates.io to this `registry+` form in `Cargo.lock`
/// regardless of the git/sparse fetch protocol, so it is the value seen in
/// practice. [`CRATES_IO_SPARSE`] is accepted as well for robustness.
pub const CRATES_IO_REGISTRY: &str = "registry+https://github.com/rust-lang/crates.io-index";

/// Sparse-index source string for crates.io. Not normally written to
/// `Cargo.lock` (cargo uses [`CRATES_IO_REGISTRY`]), but accepted defensively.
pub const CRATES_IO_SPARSE: &str = "sparse+https://index.crates.io/";

impl PackageId {
    /// A package with no `source` is a local/workspace crate, not a registry dep.
    pub fn is_local(&self) -> bool {
        self.source.is_none()
    }

    /// True only for packages sourced from the default crates.io registry.
    ///
    /// RustSec advisories are keyed to crates.io, so a git, path, or
    /// alternate-registry crate that merely shares a name with an advised
    /// crate must not be matched against it (matches cargo-audit behaviour).
    pub fn is_crates_io(&self) -> bool {
        matches!(
            self.source.as_deref(),
            Some(CRATES_IO_REGISTRY) | Some(CRATES_IO_SPARSE)
        )
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Package {
    pub id: PackageId,
    pub checksum: Option<String>,
    pub dependencies: Vec<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct LockfileModel {
    pub path: PathBuf,
    pub version: Option<u32>,
    pub packages: Vec<Package>,
}

impl LockfileModel {
    /// Group packages by crate name (sorted). Used to detect duplicate versions.
    pub fn by_name(&self) -> BTreeMap<&str, Vec<&Package>> {
        let mut out: BTreeMap<&str, Vec<&Package>> = BTreeMap::new();
        for package in &self.packages {
            out.entry(&package.id.name).or_default().push(package);
        }
        out
    }

    /// Registry (non-local) packages only.
    pub fn registry_packages(&self) -> impl Iterator<Item = &Package> {
        self.packages.iter().filter(|p| !p.id.is_local())
    }
}

/// Parse a `Cargo.lock` from disk.
pub fn parse_lockfile(path: &Path) -> Result<LockfileModel, RustinelError> {
    let content = std::fs::read_to_string(path).map_err(|e| RustinelError::io(path, e))?;
    parse_lockfile_str(path.to_path_buf(), &content)
}

/// Parse a `Cargo.lock` via the `cargo-lock` crate, converting both its `Err`
/// and any **panic** it raises on malformed input into a clean error string.
///
/// `cargo-lock` v11 panics on some hostile lockfiles — e.g. a `checksum` that is
/// 64 *bytes* but not 64 ASCII chars makes it byte-slice across a UTF-8 char
/// boundary (`checksum.rs:48`, found by the fuzz harness). rustinel parses
/// untrusted lockfiles, so a dependency panic must never crash us. Only the
/// `cargo-lock` call is wrapped in `catch_unwind` (our own mapping code stays
/// outside the closure, so genuine bugs there remain observable), and the panic
/// hook is silenced for the duration so the output stays clean. Lockfile parsing
/// is single-threaded, so the temporary global hook swap cannot race another
/// thread's panic.
fn parse_cargo_lock(content: &str) -> Result<cargo_lock::Lockfile, String> {
    use std::panic::{catch_unwind, AssertUnwindSafe};
    let prev = std::panic::take_hook();
    std::panic::set_hook(Box::new(|_| {}));
    let result = catch_unwind(AssertUnwindSafe(|| content.parse::<cargo_lock::Lockfile>()));
    std::panic::set_hook(prev);
    match result {
        Ok(Ok(lockfile)) => Ok(lockfile),
        Ok(Err(e)) => Err(e.to_string()),
        Err(_) => Err("the lockfile parser rejected this input (guarded panic)".to_string()),
    }
}

/// Parse a `Cargo.lock` from an in-memory string.
///
/// Backed by the upstream [`cargo_lock`] crate so the full lockfile grammar
/// (v1–v4, git/path/registry sources, alternate registries) is handled
/// correctly. We map its model into our own [`LockfileModel`] so the rest of the
/// analysis is decoupled from the parser implementation. The top-level
/// `version = N` field is read separately because it is the lockfile's *format*
/// version, which we surface verbatim. Parsing is panic-guarded (see
/// [`parse_cargo_lock`]) because the input is untrusted.
pub fn parse_lockfile_str(path: PathBuf, content: &str) -> Result<LockfileModel, RustinelError> {
    let version = extract_top_version(content);

    let parsed: cargo_lock::Lockfile = parse_cargo_lock(content)
        .map_err(|msg| RustinelError::lockfile_parse(path.clone(), msg))?;

    let mut packages: Vec<Package> = parsed
        .packages
        .iter()
        .map(|p| Package {
            id: PackageId {
                name: p.name.as_str().to_string(),
                version: p.version.to_string(),
                source: p.source.as_ref().map(|s| s.to_string()),
            },
            checksum: p.checksum.as_ref().map(|c| c.to_string()),
            dependencies: p
                .dependencies
                .iter()
                .map(|d| d.name.as_str().to_string())
                .collect(),
        })
        .collect();

    // Deterministic ordering regardless of lockfile layout.
    packages.sort_by(|a, b| a.id.cmp(&b.id));

    Ok(LockfileModel {
        path,
        version,
        packages,
    })
}

/// Extract the top-level `version = N` (lockfile format version) that appears
/// before the first `[[package]]` block. Returns `None` for v1 lockfiles that
/// omit it.
fn extract_top_version(content: &str) -> Option<u32> {
    for line in content.lines() {
        let line = line.trim();
        if line.starts_with("[[package]]") {
            break;
        }
        // Tolerate any spacing around `=` (`version=3`, `version  =  3`, tabs).
        if let Some(rest) = line.strip_prefix("version") {
            if let Some(value) = rest.trim_start().strip_prefix('=') {
                return value.trim().trim_matches('"').parse::<u32>().ok();
            }
        }
    }
    None
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parses_simple_lockfile() {
        let input = r#"
version = 3

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"#;
        let model = parse_lockfile_str(PathBuf::from("Cargo.lock"), input).unwrap();
        assert_eq!(model.version, Some(3));
        assert_eq!(model.packages.len(), 1);
        assert_eq!(model.packages[0].id.name, "serde");
        assert_eq!(
            model.packages[0].checksum.as_deref(),
            Some("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
        );
        assert!(!model.packages[0].id.is_local());
    }

    #[test]
    fn parses_dependencies_block() {
        // cargo-lock validates that every listed dependency resolves to a
        // package in the lockfile, so the referenced crates must be present.
        let input = r#"
version = 3

[[package]]
name = "itoa"
version = "1.0.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

[[package]]
name = "ryu"
version = "1.0.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

[[package]]
name = "serde_json"
version = "1.0.114"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
dependencies = [
 "itoa",
 "ryu",
 "serde",
]
"#;
        let model = parse_lockfile_str(PathBuf::from("Cargo.lock"), input).unwrap();
        assert_eq!(model.packages.len(), 4);
        let sj = model
            .packages
            .iter()
            .find(|p| p.id.name == "serde_json")
            .unwrap();
        assert_eq!(sj.dependencies, vec!["itoa", "ryu", "serde"]);
    }

    #[test]
    fn local_workspace_crate_has_no_source() {
        let input = r#"
version = 3

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"#;
        let model = parse_lockfile_str(PathBuf::from("Cargo.lock"), input).unwrap();
        let app = model
            .packages
            .iter()
            .find(|p| p.id.name == "my-app")
            .unwrap();
        assert!(app.id.is_local());
        assert_eq!(model.registry_packages().count(), 1);
    }

    #[test]
    fn empty_lockfile_is_ok() {
        let model = parse_lockfile_str(PathBuf::from("Cargo.lock"), "version = 4\n").unwrap();
        assert!(model.packages.is_empty());
        assert_eq!(model.version, Some(4));
    }

    #[test]
    fn version_field_tolerates_nonstandard_spacing() {
        // The lockfile format version must parse regardless of spacing around `=`.
        assert_eq!(extract_top_version("version = 3\n"), Some(3));
        assert_eq!(extract_top_version("version=3\n"), Some(3));
        assert_eq!(extract_top_version("version  =  3\n"), Some(3));
        assert_eq!(extract_top_version("version =\t4\n"), Some(4));
        // A `version` after the first [[package]] is not the format version.
        assert_eq!(
            extract_top_version("[[package]]\nversion = \"9.9.9\"\n"),
            None
        );
        // A different key is not the version.
        assert_eq!(extract_top_version("name = \"x\"\n"), None);
    }

    #[test]
    fn malformed_package_block_errors() {
        let input = "[[package]]\nname = \"x\"\n"; // missing version
        let err = parse_lockfile_str(PathBuf::from("Cargo.lock"), input).unwrap_err();
        assert!(matches!(err, RustinelError::LockfileParse { .. }));
    }

    #[test]
    fn ordering_is_deterministic() {
        let input = r#"
[[package]]
name = "zzz"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

[[package]]
name = "aaa"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"#;
        let model = parse_lockfile_str(PathBuf::from("Cargo.lock"), input).unwrap();
        assert_eq!(model.packages[0].id.name, "aaa");
        assert_eq!(model.packages[1].id.name, "zzz");
    }

    #[test]
    fn malformed_utf8_checksum_does_not_panic() {
        // Regression for a panic the fuzz harness found in cargo-lock v11: a
        // `checksum` that is 64 *bytes* but contains a 2-byte UTF-8 char at an odd
        // byte offset makes cargo-lock byte-slice across a char boundary and
        // panic (`checksum.rs:48`). rustinel parses untrusted lockfiles, so this
        // must surface as a clean Err — never a panic that crashes the process.
        let bad = format!("{}\u{021C}{}", "a".repeat(61), "a"); // 61 + 2 + 1 = 64 bytes
        assert_eq!(
            bad.len(),
            64,
            "must be 64 bytes to pass cargo-lock's length gate"
        );
        let input = format!(
            "version = 3\n\n[[package]]\nname = \"x\"\nversion = \"1.0.0\"\n\
             source = \"registry+https://github.com/rust-lang/crates.io-index\"\n\
             checksum = \"{bad}\"\n"
        );
        let r = parse_lockfile_str(PathBuf::from("Cargo.lock"), &input);
        assert!(
            r.is_err(),
            "a malformed-checksum lockfile must be a clean Err, not a panic"
        );
    }
}