Skip to main content

Module safety

rustinel_core

Module safety 

Source
Expand description

Hardening primitives that make rustinel safe to run against fully untrusted inputs (lockfiles, manifests, source trees, advisory databases, registry caches).

rustinel is a supply-chain tool, so it must never become a supply-chain attack vector itself. Every value that originates from analyzed data is treated as hostile:

  • No code execution. The core never runs build.rs, never compiles, and never spawns processes. (The CLI’s advisory update shells out to git with a fixed argument vector and no shell interpolation.)
  • No attacker-controlled network. The optional metadata lookup (in the CLI) fetches the crates.io sparse index over HTTPS with a fixed host and a validated crate-name path; no request target is ever derived from analyzed data, which removes SSRF as a class of bug.
  • Bounded I/O. Every file read is size-capped; directory walks are depth- and entry-bounded; symlinks are never followed during traversal.
  • Validated identifiers. Crate names/versions are validated before they are ever used to build a filesystem path or an index lookup, blocking path traversal and separator injection.

Constants§

MAX_ADVISORY_FILE_BYTES
Maximum bytes read from a single advisory document.
MAX_DIR_DEPTH
Maximum directory recursion depth for any walk.
MAX_DIR_ENTRIES
Maximum number of filesystem entries visited in a single walk.
MAX_NAME_LEN
Maximum length accepted for a crate name or version token.
MAX_SOURCE_FILE_BYTES
Maximum bytes read from a single source/manifest file.
MAX_VERSION_LEN

Functions§

has_no_parent_components
A path is “lexically clean” if it contains no .. components (used as a cheap pre-check before any join).
is_contained_within
True if child, once resolved, is contained within base. Both are canonicalized; if either cannot be canonicalized the check fails closed.
is_safe_crate_name
Validate a Cargo crate name for safe use in filesystem paths and index lookups. Conservative allowlist: ASCII alphanumerics plus - and _.
is_safe_path_segment
A single path segment that is safe to join onto a trusted base directory: non-empty, no separators, not a ./.. component.
is_safe_version
Validate a version token for safe use in a filesystem path. Allows the semver character set (alnum, ., +, -, _) and nothing else.
read_file_capped
Read a regular file, refusing anything larger than max_bytes, anything that is not a regular file, and reading at most max_bytes even if the file grows underneath us. Returns None (never an error) so callers degrade gracefully.