
typosquat: add suffix checks #7571

Merged
merged 1 commit into from
Nov 21, 2023

Conversation

LawnGnome
Contributor

This extends our new typosquatting checks (see #7206) to detect an attack vector we've seen more recently where a bad actor tries to squat an existing, popular crate by adding or removing a common suffix (such as -rs or -sys).

The suffix list in the configuration has been taken approximately from the most popular suffixes in the existing set of crates, with a small amount of human judgement involved on which ones are more likely to be abused based on recent incidents.

Most of this PR is actually tests by weight.

This extends our new typosquatting checks (see rust-lang#7206) to detect an
attack vector we've seen more recently where a bad actor tries to squat
an existing, popular crate by adding or removing a common suffix (such
as `-rs` or `-sys`).

The suffix list in the configuration has been taken _approximately_ from
the most popular suffixes in the existing set of crates, with a small
amount of human judgement involved on which ones are more likely to be
abused based on recent incidents.
@LawnGnome LawnGnome added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works C-internal 🔧 Category: Nonessential work that would make the codebase more consistent or clear A-backend ⚙️ labels Nov 21, 2023
@LawnGnome LawnGnome self-assigned this Nov 21, 2023
Member

@Turbo87 Turbo87 left a comment

looks good on first glance 👍

@LawnGnome LawnGnome merged commit 26adc56 into rust-lang:main Nov 21, 2023
6 checks passed
LawnGnome added a commit to LawnGnome/crates.io that referenced this pull request Jan 11, 2024
In rust-lang#7571, we added checks for crate names that added or removed suffixes
from popular crates. This has turned out to be a useful check! (Spoiler
alert for the blog post I'm publishing next week.)

@Turbo87 pointed out that this can also apply to prefixes, especially
`cargo-`. This generalises the suffix check to also check prefixes, and
adjusts the typomania configuration to add `cargo` to the list of
interesting affixes. For now, the same set of affixes will be used for
both, but depending on what we see, a future tweak would be to separate
the prefix and suffix lists. Let's see how that pans out.

In terms of implementation, I briefly toyed with making this generic
over the prefix/suffix combination to remove the copy/paste code, then
was reminded by rust-analyzer that `std::str::pattern::Pattern` isn't
stable. I'd rather duplicate 20 lines than deal with that, so here we
are.
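The suffix check described in the PR and the prefix generalisation in the later commit message, as an added example in Rust that is not crates.io's or typomania's own code; the affix list, the popular-crate set and the treatment of `-` and `_` as interchangeable separators are assumptions made for illustration:

```rust
// Added example (not crates.io's or typomania's code): an affix-based
// typosquat check. Popular-crate set and affix list are constructed samples.
use std::collections::HashSet;

/// Affixes commonly added to or removed from crate names. Constructed
/// sample list; the real one lives in the crates.io typomania config.
const AFFIXES: &[&str] = &["rs", "sys", "core", "cargo"];

/// Separators joining an affix to a name. Both are checked because Cargo
/// treats `-` and `_` as equivalent when it looks for clashing names.
const SEPARATORS: [char; 2] = ['-', '_'];

/// Constructed sample of "popular" crates to protect.
pub fn sample_popular() -> HashSet<&'static str> {
    ["serde", "tokio", "libfoo-sys", "cargo-audit"].iter().copied().collect()
}

/// Returns the popular crate that `candidate` squats by adding or removing
/// a single affix, as a suffix or a prefix, if any.
pub fn affix_squat<'a>(candidate: &str, popular: &HashSet<&'a str>) -> Option<&'a str> {
    // A popular crate is never a squat of itself.
    if popular.contains(candidate) {
        return None;
    }
    for affix in AFFIXES {
        for sep in SEPARATORS {
            let suffix = format!("{sep}{affix}");
            let prefix = format!("{affix}{sep}");
            let tries = [
                // Suffix added by the squatter: `serde-rs` squats `serde`.
                candidate.strip_suffix(suffix.as_str()).map(|s| s.to_owned()),
                // Suffix removed: `libfoo` squats `libfoo-sys`.
                Some(format!("{candidate}{suffix}")),
                // Prefix added: `cargo-tokio` squats `tokio`.
                candidate.strip_prefix(prefix.as_str()).map(|s| s.to_owned()),
                // Prefix removed: `audit` squats `cargo-audit`.
                Some(format!("{prefix}{candidate}")),
            ];
            // First derived name that is a known popular crate wins.
            if let Some(hit) = tries.iter().flatten().find_map(|n| popular.get(n.as_str()).copied()) {
                return Some(hit);
            }
        }
    }
    None
}
```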