Require explicit acknowledgement for risky Rust call analysis#2715
#2715: sumitshahorg wants to merge 6 commits into google:main from
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Add --allow-risky-rust-call-analysis and fail fast when --call-analysis=rust is enabled without explicit trust acknowledgement. Also add README warning and a small explanatory comment near the guard.
464c7ab to 7d8b3a0
sumitshahorg left a comment:
Added tests validating the Rust call-analysis safety guard.
Hi @sumitshahorg, thank you for your interest in contributing! We have already documented the potential risks of running Rust call analysis on untrusted projects in our documentation. Additionally, your idea of requiring an explicit allow-flag is implemented in osv-scalibr #1730. However, because adding the same flag to osv-scanner will be a breaking change, we will only be able to include it in the osv-scanner v3 release. Thanks again for raising the concerns and PR! Please be assured that we are aware of this risk and are working towards stronger guardrails for risky plugins.
Summary
Introduce a safety guard for Rust call analysis to prevent unintended execution of untrusted code during scanning, explicitly addressing a Remote Code Execution (RCE) risk.
Problem
When `--call-analysis=rust` is enabled, the scanner invokes `cargo build`, which executes `build.rs` scripts. These scripts can contain arbitrary code and are executed automatically during the build process. This creates a Remote Code Execution (RCE) risk where scanning an untrusted project can lead to arbitrary code execution on the host system without explicit user awareness.
Solution
`--allow-risky-rust-call-analysis`
`build.rs`
Behavior Change
Before:
After:
Security Impact
`build.rs`
Notes
This change does not alter functionality when explicitly enabled, but enforces a secure default by requiring user acknowledgement before executing potentially unsafe build steps.
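The fail-fast guard the PR describes, written here as an added illustration rather than the PR's own code or osv-scanner's actual flag handling. The `ScanOptions` struct, `ParseCallAnalysis` and `ValidateRustCallAnalysis` are hypothetical names; the point is that the check runs on parsed options before any `cargo build` subprocess is spawned, so an untrusted `build.rs` is never reached unless the user has passed the acknowledgement flag.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrRiskyRustCallAnalysis is returned when Rust call analysis is requested
// without the explicit acknowledgement flag (hypothetical error value).
var ErrRiskyRustCallAnalysis = errors.New(
	"--call-analysis=rust runs `cargo build`, which executes build.rs scripts from the scanned project; " +
		"pass --allow-risky-rust-call-analysis to acknowledge this and continue")

// ScanOptions models only the flags the guard cares about (hypothetical struct).
type ScanOptions struct {
	CallAnalysis           []string // parsed --call-analysis values
	AllowRiskyRustAnalysis bool     // --allow-risky-rust-call-analysis
}

// ParseCallAnalysis splits a comma-separated --call-analysis value such as
// "go,rust" into normalised (lower-cased, trimmed) de-duplicated entries.
func ParseCallAnalysis(raw string) []string {
	seen := map[string]bool{}
	var out []string
	for _, part := range strings.Split(raw, ",") {
		p := strings.ToLower(strings.TrimSpace(part))
		if p == "" || seen[p] {
			continue
		}
		seen[p] = true
		out = append(out, p)
	}
	return out
}

// ValidateRustCallAnalysis is the fail-fast guard. It must be called after
// flag parsing and before any build tooling is invoked: if "rust" analysis
// is enabled without the acknowledgement flag, the scan is refused outright.
func ValidateRustCallAnalysis(opts ScanOptions) error {
	for _, a := range opts.CallAnalysis {
		if a == "rust" && !opts.AllowRiskyRustAnalysis {
			return ErrRiskyRustCallAnalysis
		}
	}
	return nil
}

func main() {
	// Constructed invocations: safe default, risky without opt-in, risky with opt-in.
	cases := []ScanOptions{
		{CallAnalysis: ParseCallAnalysis("go")},
		{CallAnalysis: ParseCallAnalysis("go,rust")},
		{CallAnalysis: ParseCallAnalysis("rust"), AllowRiskyRustAnalysis: true},
	}
	for _, c := range cases {
		if err := ValidateRustCallAnalysis(c); err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		fmt.Printf("ok: call analysis %v may proceed\n", c.CallAnalysis)
	}
}
```

The guard deliberately returns an error instead of silently dropping the `rust` entry: a user who asked for Rust call analysis and did not get it would otherwise see incomplete results with no indication why, and the error message names the exact flag needed so the secure default does not become a usability dead end.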