What is the problem?
Crates.io, like many other package repositories, faces the challenge of keeping all available packages reliable and secure. Developers and users of these repositories place a lot of trust in the repository maintainers.
To keep the crates.io package repository healthy, we need to apply as many approaches as possible to detect any kind of vulnerability.
As packages depend more heavily on one another, the risk of vulnerability propagation increases. A small security problem in a popular crate can become a huge problem in many projects. We have seen many security problems of this kind on other platforms such as NPM.
Rust developers need a tool to answer questions like these about their dependencies:
- Why does a PNG library use the network layer?
- Why does an HTTP library use the file system layer?
Possible scenarios
- Read unauthorized files
- Make requests to untrusted domains
- Execute unauthorized programs
- Steal information
- Steal CPU resources
- Execute code unsafely
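As an added example, not part of this proposal or its POC, the following Rust program sketches the kind of check the questions above call for: it scans a crate's source for uses of std::net, std::fs, std::process and unsafe, and reports every capability the crate did not declare. The Capability enum, the MARKERS table and the sample "PNG decoder" source are assumptions constructed for this example.

```rust
use std::collections::BTreeSet;

/// Capability categories a crate could be asked to declare (hypothetical names).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Capability { Network, FileSystem, Process, Unsafe }

/// Source-text markers that imply a capability. A heuristic, not a type-level
/// analysis: it catches direct std paths and `unsafe` blocks/functions only.
const MARKERS: &[(&str, Capability)] = &[
    ("std::net::", Capability::Network),
    ("std::fs::", Capability::FileSystem),
    ("std::process::", Capability::Process),
    ("unsafe ", Capability::Unsafe),
    ("unsafe{", Capability::Unsafe),
];

/// Return the set of capabilities the given source appears to use.
/// Trailing `//` comments are ignored so commented-out code does not count.
pub fn detect(source: &str) -> BTreeSet<Capability> {
    let mut found = BTreeSet::new();
    for line in source.lines() {
        let code = line.split("//").next().unwrap_or("");
        for (marker, cap) in MARKERS {
            if code.contains(marker) {
                found.insert(*cap);
            }
        }
    }
    found
}

/// Capabilities used by `source` but absent from the crate's declaration.
pub fn undeclared(declared: &[Capability], source: &str) -> Vec<Capability> {
    let declared: BTreeSet<Capability> = declared.iter().copied().collect();
    detect(source).difference(&declared).copied().collect()
}

/// Constructed sample: a "PNG decoder" that declares only FileSystem access
/// but also opens a TCP connection, i.e. the mismatch the proposal wants to surface.
pub const SAMPLE_PNG_CRATE: &str = r#"
use std::fs::File;
pub fn decode(path: &str) -> Vec<u8> {
    let _f = std::fs::File::open(path).unwrap();
    let _s = std::net::TcpStream::connect("example.invalid:80"); // undeclared
    vec![]
}
"#;

fn main() {
    let extra = undeclared(&[Capability::FileSystem], SAMPLE_PNG_CRATE);
    println!("undeclared capabilities: {:?}", extra); // [Network]
}
```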
Proof of concept
You can find a POC for cargo permissions here: