Shnatsel

Auditing crates for unsafe code which can be safely replaced

Gather author, contributor and publisher data on crates in your dependency graph.

Make production Rust binaries auditable

Effortlessly fuzz libraries with large API surfaces

Events

create branch
Shnatsel create branch revamp-docs
Created at 13 hours ago
getEntries() always returns an empty result

Environment details

  • OS: latest gLinux
  • Node.js version: v18.10.0
  • npm version: 8.19.1
  • @google-cloud/logging version: 10.3.1

Steps to reproduce

  1. Copy the official sample to a JS file that can be run separately
  2. Fulfill the TODO in the sample by setting a log name
  3. Wrap the async function in a synchronous function that gets arguments from CLI
  4. Run it

For me this resulted in the following code:

'use strict';

function main(projectId) {
  const {Logging} = require('@google-cloud/logging');

  // Creates a client
  const logging = new Logging();

  /**
   * TODO(developer): Uncomment the following line to run the code.
   */
  // I have logs from this log name that I can see in Cloud Logging and fetch via Go samples,
  // but you can set this to any valid log name
  const log = logging.log(`projects/${projectId}/logs/batch_task_logs`);

  async function printEntryMetadata() {
    // List the most recent entries for a given log
    // See https://googleapis.dev/nodejs/logging/latest/Logging.html#getEntries
    const [entries] = await log.getEntries();
    console.log('Logs:');
    entries.forEach(entry => {
      const metadata = entry.metadata;
      console.log(`${metadata.timestamp}:`, metadata[metadata.payload]);
    });
  }
  printEntryMetadata();
  // [END batch_job_logs]
}

process.on('unhandledRejection', err => {
  console.error(err.message);
  process.exitCode = 1;
});
main(...process.argv.slice(2));

which can be run with node logging-bug-repro.js YOUR_PROJECT_ID

I have tried writing this myself before discovering the sample, and converged on basically the same code as the sample, which still always returns no elements. So I suspect the issue is with the client library rather than the sample.

The official sample is also not covered by tests.

Similar code in Go and Python works fine.

Created at 21 hours ago
Incompatibility with sccache on long builds

Fix released as v0.5.5

Created at 1 day ago
Shnatsel create tag v0.5.5
Created at 1 day ago
Fails when a rustc wrapper like sccache is set

The fix has shipped in sccache v0.3.1.

Created at 1 day ago

Add a note on sccache version compatibility to CHANGELOG.md

Created at 1 day ago

bump version for cargo-auditable

Update CHANGELOG.md

Created at 1 day ago

Add comment on test

Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error

cargo fmt

Created at 1 day ago

cope with failure to parse rustc args

add integration test for rustc -vV

Merge pull request #88 from tofay/sccache-fix

cope with failure to parse rustc args

Created at 1 day ago
Incompatibility with sccache on long builds

When using cargo auditable with sccache, cargo auditable sometimes panics. We're seeing that panic on long (>5 min) builds:

sccache: error: failed to execute compile
sccache: caused by: Compiler not supported: "thread \'main\' panicked at \'called `Result::unwrap()` on an `Err` value: MissingOption(Keys([\"--crate-name\", \"\"]))\', cargo-auditable/src/rustc_wrapper.rs:13:50\nnote: run with `RUST_BACKTRACE=1` environment variable to display a backtrace\n"

Running under strace shows that sccache is running /path/to/cargo-auditable rustc -vV when compiling a workspace member. Normally sccache runs this when compiling a dependency, and caches the information. On larger builds that cache expires, causing sccache to run that command when compiling a workspace member, which causes the panic.

The panic can trivially be reproduced with

CARGO_PRIMARY_PACKAGE=foo ~/.cargo/bin/cargo-auditable rustc -vV
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: MissingOption(Keys(["--crate-name", ""]))', cargo-auditable/src/rustc_wrapper.rs:13:50
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

or by creating a new project without any dependencies and building with sccache and cargo auditable:

tom [ ~ ]$ cargo init new
     Created binary (application) package
tom [ ~ ]$ cd new
tom [ ~/new ]$ RUSTC_WRAPPER=/home/tom/.cargo/bin/sccache cargo auditable build
   Compiling new v0.1.0 (/home/tom/new)
sccache: error: failed to execute compile
sccache: caused by: Compiler not supported: "thread \'main\' panicked at \'called `Result::unwrap()` on an `Err` value: MissingOption(Keys([\"--crate-name\", \"\"]))\', cargo-auditable/src/rustc_wrapper.rs:13:50\nnote: run with `RUST_BACKTRACE=1` environment variable to display a backtrace\n"
error: could not compile `new`
Created at 1 day ago
pull request closed
cope with failure to parse rustc args

Don't panic if rustc args can't be parsed, instead just don't attempt to link auditable information. This is to fix running with sccache where it may run /path/to/cargo-auditable rustc -vV when compiling a workspace member.

I thought it better to cope generally with a failure to parse rustc args, but I could also see the merits of special-casing -vV so as to make regressions more detectable in future. WDYT?

I've verified locally with a project that was previously failing, and by running

tom [ ~/cargo-auditable ]$ CARGO_PRIMARY_PACKAGE=foo ~/.target/debug/cargo-auditable rustc -vV
rustc 1.64.0-dev
binary: rustc
commit-hash: dd496d0
commit-date: 2022-09-24
host: x86_64-unknown-linux-gnu
release: 1.64.0-dev
LLVM version: 14.0.6

Fixes https://github.com/rust-secure-code/cargo-auditable/issues/87

Created at 1 day ago
cope with failure to parse rustc args

So I've tried my idea and it turned out to be way too complex. I'll just check for the presence of --crate-name and, if it's missing, treat the command as something other than compilation.

Created at 1 day ago
cope with failure to parse rustc args

I'll write this myself and put up a PR for your review.

Created at 1 day ago
cope with failure to parse rustc args

Turns out compiling without passing --crate-name is possible, so I would prefer to go with a whitelist of flags that don't compile anything. This is a list based on the current rustc help text:

-h, --help          Display this message
--print VALUE
--explain OPT   Provide a detailed explanation of an error message
-V, --version       Print version info and exit

As well as these compound flags:

-C help             Print codegen options
-W help             Print 'lint' options and default settings
--help -v           Print the full set of options rustc accepts
Created at 1 day ago
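An added illustration of the allowlist approach proposed in the comment above; this is example code, not cargo-auditable's own implementation. It classifies a rustc argument list as either a real compilation (audit data should be embedded) or an informational query such as -vV, --help, --print, --explain, -C help or -W help (nothing is compiled, so the call is just forwarded), and it takes care not to misread a value such as -Lnative=/home/... as the -h flag. The set of short flags that take a value is an assumption based on rustc's usual options.

```rust
/// Classify the arguments forwarded to rustc (everything after the literal `rustc`):
/// a real compilation, where audit data should be embedded, or an informational query
/// such as `-vV`, where nothing is compiled and the call is just forwarded to rustc.
#[derive(Debug, PartialEq, Eq)]
pub enum RustcInvocation { Compile, Informational }

/// Short flags taking no value; they may be clustered, e.g. `-vV` means `-v -V`.
const SHORT_NO_VALUE: &[char] = &['h', 'V', 'v', 'O', 'g'];
/// Short flags whose value is attached (`-Chelp`) or the next argument (`-C help`);
/// scanning must stop at the value so `-Lnative=/home/x` is not mistaken for `-h`.
const SHORT_WITH_VALUE: &[char] = &['C', 'W', 'A', 'D', 'F', 'L', 'l', 'o', 'Z'];

pub fn classify_rustc_args(args: &[&str]) -> RustcInvocation {
    let mut i = 0;
    while i < args.len() {
        let arg = args[i];
        // Long informational flags, including the `--print=cfg` / `--explain=E0308` forms.
        if matches!(arg, "--help" | "--version" | "--print" | "--explain")
            || arg.starts_with("--print=") || arg.starts_with("--explain=")
        {
            return RustcInvocation::Informational;
        }
        if arg.starts_with('-') && !arg.starts_with("--") && arg.len() > 1 {
            let rest = &arg[1..];
            for (pos, c) in rest.char_indices() {
                if c == 'h' || c == 'V' {
                    return RustcInvocation::Informational;
                }
                if SHORT_WITH_VALUE.contains(&c) {
                    let attached = &rest[pos + c.len_utf8()..];
                    let value = if attached.is_empty() {
                        i += 1; // the value is the following argument; consume it
                        args.get(i).copied()
                    } else {
                        Some(attached)
                    };
                    if matches!(c, 'C' | 'W') && value == Some("help") {
                        return RustcInvocation::Informational;
                    }
                    break; // the rest of this argument is the flag's value
                }
                if !SHORT_NO_VALUE.contains(&c) { break; } // unknown flag: don't guess, treat as compile
            }
        }
        i += 1;
    }
    RustcInvocation::Compile
}
```

Anything classified as Informational is safe to forward untouched, which is exactly the sccache `rustc -vV` probe case from the issue; a compile without --crate-name still lands in Compile, matching the observation that --crate-name cannot be used as the discriminator.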
delete branch
Shnatsel delete branch capnp-redux
Created at 1 day ago

Add another capnp trophy

Merge pull request #120 from rust-fuzz/capnp-redux

Add another capnp trophy

Created at 1 day ago
pull request closed
Add another capnp trophy
Created at 1 day ago
pull request opened
Add another capnp trophy
Created at 1 day ago
create branch
Shnatsel create branch capnp-redux
Created at 1 day ago
closed issue
Add new buffer overflow in capnproto-rust

https://github.com/capnproto/capnproto/blob/master/security-advisories/2022-11-30-0-pointer-list-bounds.md

Created at 1 day ago
delete branch
Shnatsel delete branch assign-ids
Created at 1 day ago

Assigned RUSTSEC-2022-0069 to hyper-staticfile (#1478)

Co-authored-by: Shnatsel Shnatsel@users.noreply.github.com

Created at 1 day ago
pull request closed
Assigned RUSTSEC-2022-0069 to hyper-staticfile

Automated changes by create-pull-request GitHub action

Created at 1 day ago

Add hyper-staticfile file disclosure on Windows (#1475)

  • Add hyper-staticfile file disclosure on Windows

  • Fix version specification

Co-authored-by: Sergey "Shnatsel" Davidoff shnatsel@gmail.com

Created at 1 day ago
pull request closed
Add hyper-staticfile file disclosure on Windows

This adds an advisory for https://github.com/stephank/hyper-staticfile/issues/35.

The contents are heavily based on an existing tower-http advisory: https://github.com/rustsec/advisory-db/blob/a66a3049c98395410a2afadf0382882b0a04d8b1/crates/tower-http/RUSTSEC-2022-0043.md

Created at 1 day ago
issue comment
Add hyper-staticfile file disclosure on Windows

Thanks for the report!

I've fixed the version specification issue that caused CI to fail. Merging!

Created at 1 day ago

Fix version specification

Created at 1 day ago
delete branch
Shnatsel delete branch assign-ids
Created at 1 day ago

Assigned RUSTSEC-2022-0068 to capnp (#1477)

Co-authored-by: Shnatsel Shnatsel@users.noreply.github.com

Created at 1 day ago
pull request closed
Assigned RUSTSEC-2022-0068 to capnp

Automated changes by create-pull-request GitHub action

Created at 1 day ago