Disallow setting registry tokens with --config
authorJon Gjengset <jongje@amazon.com>
Tue, 19 Apr 2022 16:43:20 +0000 (09:43 -0700)
committerJon Gjengset <jongje@amazon.com>
Tue, 19 Apr 2022 16:43:25 +0000 (09:43 -0700)
As per the concern `restricted-values` in
https://github.com/rust-lang/cargo/issues/7722#issuecomment-1101784126.

src/cargo/util/config/mod.rs
tests/testsuite/config_cli.rs

index 15414ece9afc46cca05a077230e6af8f887a534b..2f8659a279b14031f6c807de421bd61bb331f8aa 100644 (file)
@@ -1244,10 +1244,28 @@ impl Config {
                     );
                 }
 
-                let toml_v = toml::from_document(doc).with_context(|| {
+                let toml_v: toml::Value = toml::from_document(doc).with_context(|| {
                     format!("failed to parse value from --config argument `{arg}`")
                 })?;
 
+                if toml_v
+                    .get("registry")
+                    .and_then(|v| v.as_table())
+                    .and_then(|t| t.get("token"))
+                    .is_some()
+                {
+                    bail!("registry.token cannot be set through --config for security reasons");
+                } else if let Some((k, _)) = toml_v
+                    .get("registries")
+                    .and_then(|v| v.as_table())
+                    .and_then(|t| t.iter().find(|(_, v)| v.get("token").is_some()))
+                {
+                    bail!(
+                        "registries.{}.token cannot be set through --config for security reasons",
+                        k
+                    );
+                }
+
                 CV::from_toml(Definition::Cli, toml_v)
                     .with_context(|| format!("failed to convert --config argument `{arg}`"))?
             };
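Review bot: The `registries` branch formats the key positionally (`k` on its own line) while the surrounding code uses inline captures (`{arg}` two lines above), so the two `bail!` calls read differently; for consistency collapse it to `bail!("registries.{k}.token cannot be set through --config for security reasons");`. The new rejection sits only on the inline `KEY=VALUE` path of `--config` visible here; if `--config` also accepts (or later gains) a path to a TOML file, that path would need the same check or the restriction is bypassed by putting the token in a file — confirm against the rest of the function, whose start lies before this hunk. A short comment above the check would also record the rationale, e.g. `// Credentials must not arrive via --config; see rust-lang/cargo#7722.`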
index db4c8600fc625e16c2a883648c6d8848df99dbff..dd08e13d103fd001e7c1914596db3991127f1cff 100644 (file)
@@ -368,6 +368,24 @@ b=2` was not a TOML dotted key expression (such as `build.jobs = 2`)",
     );
 }
 
+#[cargo_test]
+fn no_disallowed_values() {
+    let config = ConfigBuilder::new()
+        .config_arg("registry.token=\"hello\"")
+        .build_err();
+    assert_error(
+        config.unwrap_err(),
+        "registry.token cannot be set through --config for security reasons",
+    );
+    let config = ConfigBuilder::new()
+        .config_arg("registries.crates-io.token=\"hello\"")
+        .build_err();
+    assert_error(
+        config.unwrap_err(),
+        "registries.crates-io.token cannot be set through --config for security reasons",
+    );
+}
+
 #[cargo_test]
 fn no_inline_table_value() {
     // Disallow inline tables
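Review bot: `no_disallowed_values` only exercises the two rejected shapes, so it cannot tell an over-broad check (one that rejects everything under `registry` or `registries`) from the intended one. Consider adding a positive case to the same test, e.g. `let config = ConfigBuilder::new().config_arg("registry.default=\"foo\"").build();` followed by an assertion that the value is readable, unless an existing test already covers a non-token `registry.*` key through `--config`.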