rust-secure-code / cargo-supply-chain

Gather author, contributor and publisher data on crates in your dependency graph.
Apache License 2.0

Deal with terminal control sequences in crates.io/Github usernames #52

Closed Shnatsel closed 3 years ago

Shnatsel commented 3 years ago

We currently print data received from crates.io as-is to terminal. This means that if there are any terminal control sequences embedded in it, they will be printed as-is and potentially affect the terminal.

For example, embedding a carriage return might allow erasing a line from the output, which would allow hiding some dependencies!

We need to either ensure that both crates.io and Github do not allow and will never allow characters from that range in any fields we print, or add an extra pass that escapes those control sequences.
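One way to implement the escaping pass proposed in this comment, as an added example that is not code from cargo-supply-chain (the function names `escape_for_terminal` and `render_publishers`, the escape format and the sample rows are assumptions made here):

```rust
// Added example: escape untrusted strings before they reach the terminal.
// Not code from cargo-supply-chain; names and formats are assumptions.

/// True for characters a terminal may interpret as control data:
/// C0 controls (U+0000..=U+001F, which includes ESC, CR, LF and BS),
/// DEL (U+007F), and the C1 range (U+0080..=U+009F), which some
/// terminals treat as 8-bit control sequences (e.g. U+009B as CSI).
fn is_terminal_control(c: char) -> bool {
    matches!(c, '\u{0000}'..='\u{001F}' | '\u{007F}' | '\u{0080}'..='\u{009F}')
}

/// Replace every control character with a visible `\u{XXXX}` literal so the
/// output shows what was received instead of letting the terminal act on it.
pub fn escape_for_terminal(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if is_terminal_control(c) {
            out.push_str(&format!("\\u{{{:04X}}}", c as u32));
        } else {
            out.push(c);
        }
    }
    out
}

/// Render one line per (crate, publisher) pair, escaping both untrusted fields.
pub fn render_publishers(rows: &[(&str, &str)]) -> String {
    rows.iter()
        .map(|(krate, publisher)| {
            format!("{}\t{}", escape_for_terminal(krate), escape_for_terminal(publisher))
        })
        .collect::<Vec<_>>()
        .join("\n")
}

fn main() {
    // Constructed sample: the second publisher name embeds a carriage return
    // followed by spaces, which on a raw print would overwrite the line.
    let rows = [
        ("serde", "dtolnay"),
        ("example-crate", "mallory\r                    "),
    ];
    println!("{}", render_publishers(&rows));
}
```

Escaping to a `\u{XXXX}` literal rather than silently dropping the character keeps the evidence in the output: a reviewer can see that a publisher field contained a control character, which is itself a signal worth noticing.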

Shnatsel commented 3 years ago

I've tried embedding the backspace ANSI sequence into the crate name in Cargo.toml and it fails to parse, so I assume the crate names are safe. According to the docs crates.io will impose even more restrictions.

The remaining question is whether you can create a Github username (not display name) with a terminal control sequence.

jyn514 commented 3 years ago

If you really want to have nightmares, take a look at https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/; escape sequences can write arbitrary data to disk.

Shnatsel commented 3 years ago

:sob:

Shnatsel commented 3 years ago

Github also allows only alphanumeric characters and hyphens in usernames, and we don't print the fancy names. So we're good unless crates.io decides to add a custom team implementation allowing weird characters in the future.
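A defence-in-depth complement to relying on the upstream character restrictions, as an added example that is not cargo-supply-chain's own code: an allowlist check run on each name before it is printed, so that a future policy change on crates.io or Github fails loudly instead of reaching the terminal unnoticed. The Github rule is the one stated in this thread (alphanumerics and hyphens); the crate-name rule (alphanumerics, hyphens and underscores) is assumed here from cargo's own naming rules; the function and type names are assumptions.

```rust
// Added example: allowlist gate for identifiers before printing.
// Not the project's code; names and the crate-name rule are assumptions.

#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    /// The first disallowed character and its byte offset.
    BadChar { ch: char, at: usize },
}

/// Github usernames: ASCII alphanumerics and hyphens, as stated in the thread.
pub fn check_github_username(name: &str) -> Result<&str, NameError> {
    check_with(name, |c| c.is_ascii_alphanumeric() || c == '-')
}

/// Crate names: ASCII alphanumerics, hyphens and underscores (assumed rule).
pub fn check_crate_name(name: &str) -> Result<&str, NameError> {
    check_with(name, |c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

fn check_with(name: &str, allowed: impl Fn(char) -> bool) -> Result<&str, NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    match name.char_indices().find(|&(_, c)| !allowed(c)) {
        Some((at, ch)) => Err(NameError::BadChar { ch, at }),
        None => Ok(name),
    }
}

/// A name that fails the allowlist is replaced with a marker rather than printed.
/// `{:?}` on a char renders control characters as escapes (e.g. '\u{1b}'),
/// so the marker itself cannot carry a control sequence to the terminal.
pub fn display_username(name: &str) -> String {
    match check_github_username(name) {
        Ok(n) => n.to_string(),
        Err(e) => format!("<invalid username: {:?}>", e),
    }
}

fn main() {
    // Constructed samples: one valid name, one with an embedded ESC sequence.
    for name in ["octo-cat1", "bad\x1b[2Kname"] {
        println!("{}", display_username(name));
    }
}
```

Rejecting rather than escaping is the right default for fields whose syntax is already fixed by the registry: a username that contains a byte outside the documented set is evidence of a parsing bug or an upstream change, and surfacing it as an error is more useful than quietly rendering it.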