Allow disabling the CARGO_TREE variable in the output as it can contain sensitive information

baoyachi / shadow-rs

A build-time information stored in your rust project.(binary,lib,cdylib,dylib)

https://docs.rs/shadow-rs

MIT License

447 stars 41 forks source link

Allow disabling the CARGO_TREE variable in the output as it can contain sensitive information #114

Closed kleinesfilmroellchen closed 1 year ago

kleinesfilmroellchen commented 1 year ago

CARGO_TREE includes the dependency tree. This in turn will include the full file system path for any path dependencies, as is common for multi-crate projects. The file system path may contain sensitive information, and I do not want to rely on the linker removing CARGO_TREE from the built binary if I don't use it; I must be sure that the compiler never sees it.

Therefore I'm just asking for the ability to disable this build information variable via a feature flag or a build script configuration option.

baoyachi commented 1 year ago

I can support. I'm try do it.

baoyachi commented 1 year ago

hi @kleinesfilmroellchen I'm sorry I was a little late in solving this issue, but the new version can solve the problem you mentioned. Please use :

shadow-rs = "0.20.0"

see detail: https://docs.rs/shadow-rs/latest/shadow_rs/fn.new_deny.html

Change build.rs:

use std::collections::BTreeSet;

fn main() -> shadow_rs::SdResult<()> {
   let mut deny = BTreeSet::new();
   deny.insert(shadow_rs::CARGO_TREE);
   shadow_rs::new_deny(deny)
}

kleinesfilmroellchen commented 1 year ago

@baoyachi tyvm!