Status: Open
Labels: bug (Something isn't working)
Description
Describe the bug
bans.build.bypass field build-script also allows all executables
To reproduce
I'm trying to limit arbitrary code executed at build time. I get this:
cargo deny check ban --hide-inclusion-graph
error[detected-executable]: detected executable
├ path = '$CARGO_HOME/registry/src/index.crates.io-1949cf8c6b5b557f/lzma-sys-0.1.20/xz-5.2/tests/compress_prepared_bcj_sparc'
├ executable-kind = 'elf'
error[detected-executable]: detected executable
├ path = '$CARGO_HOME/registry/src/index.crates.io-1949cf8c6b5b557f/lzma-sys-0.1.20/xz-5.2/tests/compress_prepared_bcj_x86'
├ executable-kind = 'elf'
So I add to deny.toml:
[[bans.build.bypass]]
crate = "lzma-sys"
allow = [
    { path = "xz-5.2/tests/compress_prepared_bcj_sparc'", checksum = "898511c9fbfd1ff3ad474638283a82a0bc0ca11fcb47e7a7e1f8b0758d999ee2" },
]

Only to get
warning[unmatched-path-bypass]: allowed path was not encountered
Okay, fine, #571 (comment) tells me I have to include build too. That would be nice to see documented!
So I change deny.toml to
[[bans.build.bypass]]
crate = "lzma-sys"
build-script = "052d600babd2f95d9549f2b846e6dcf1e39b1c15d4fa6a293797ce1c85199e24"
allow = [
    { path = "xz-5.2/tests/compress_prepared_bcj_sparc'", checksum = "898511c9fbfd1ff3ad474638283a82a0bc0ca11fcb47e7a7e1f8b0758d999ee2" },
]

and it passes.
Being paranoid, I test
[[bans.build.bypass]]
crate = "lzma-sys"
build-script = "052d600babd2f95d9549f2b846e6dcf1e39b1c15d4fa6a293797ce1c85199e24"

and it passes too! This should not have happened.
I wonder if allow has funny default behavior, so I also test:
[[bans.build.bypass]]
crate = "lzma-sys"
build-script = "052d600babd2f95d9549f2b846e6dcf1e39b1c15d4fa6a293797ce1c85199e24"
allow = []

And that passes too.
I allowed a build script, but it silenced the denial of executables!
cargo-deny version
cargo-deny 0.18.2
What OS were you running cargo-deny on?
Linux
Additional context
No response
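As an added example (not part of the issue or of cargo-deny's own code), the script below scans a crate's source tree for ELF files by magic bytes and emits a `[[bans.build.bypass]]` entry that pins the build script and every executable by checksum, so the `allow` list is filled in explicitly instead of relying on `build-script` alone. It assumes the `checksum` and `build-script` fields are hex SHA-256 digests of file contents (as the 64-hex values in the report suggest) and uses a constructed sample crate layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Magic bytes behind cargo-deny's reported executable-kind = 'elf'
ELF_MAGIC = b"\x7fELF"

def sha256_hex(path: Path) -> str:
    """Hex SHA-256 of a file; assumed to be the digest format of the bypass checksum fields."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_elf_files(crate_root: Path) -> list[tuple[str, str]]:
    """Return (relative path, sha256) for every file under crate_root that starts with the ELF magic."""
    found = []
    for path in sorted(crate_root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as f:
            if f.read(4) != ELF_MAGIC:
                continue
        found.append((path.relative_to(crate_root).as_posix(), sha256_hex(path)))
    return found

def render_bypass(crate: str, crate_root: Path) -> str:
    """Emit a bypass entry pinning build.rs and each detected ELF file by checksum."""
    lines = [
        "[[bans.build.bypass]]",
        f'crate = "{crate}"',
        f'build-script = "{sha256_hex(crate_root / "build.rs")}"',
        "allow = [",
    ]
    for rel, digest in find_elf_files(crate_root):
        lines.append(f'    {{ path = "{rel}", checksum = "{digest}" }},')
    lines.append("]")
    return "\n".join(lines)

def demo() -> str:
    """Constructed sample crate: a build.rs, one ELF-like blob and one plain text file."""
    root = Path(tempfile.mkdtemp()) / "lzma-sys-0.1.20"
    (root / "xz-5.2" / "tests").mkdir(parents=True)
    (root / "build.rs").write_text('fn main() { println!("cargo:rerun-if-changed=build.rs"); }\n')
    (root / "xz-5.2" / "tests" / "compress_prepared_bcj_sparc").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)
    (root / "xz-5.2" / "tests" / "README").write_text("not an executable\n")
    return render_bypass("lzma-sys", root)

if __name__ == "__main__":
    print(demo())
```

Run it against a real `$CARGO_HOME/registry/src/.../<crate>/` directory to populate the `allow` list; only files that actually begin with the ELF magic are listed, so the generated entry bypasses nothing the scan did not see.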