cursive icon indicating copy to clipboard operation
cursive copied to clipboard
verified publisher icon gyscos

[BUG] owning_ref vulnerability

Open DJDuque opened this issue 3 years ago • 7 comments

cursive-core uses owning-ref crate, which has a couple of issues as described here: https://github.com/noamtashma/owning-ref-unsoundness

The maintainer of owning_ref seems unresponsive, and I was wondering if there are any plans to move away from having this crate as a dependency? Is Cursive affected by the unsound api of owning_ref?

DJDuque avatar Sep 25 '22 19:09 DJDuque

Hi,

I don't think we use the affected API directly form cursive. We do re-export a OwningHandle type, so users could possibly call the unsound APIs themselves on this, but that's not exactly something we can do anything about (and its' not a usage we even mention).

If a more supported alternative exists (or if/when the same simple use-case we need can be handled without unsafe), I could absolutely consider switching.

gyscos avatar Sep 26 '22 14:09 gyscos

More details here: https://rustsec.org/advisories/RUSTSEC-2022-0040

dbrgn avatar Sep 27 '22 09:09 dbrgn

What we want is Arc/Rc projection. Here's a thread from last year about it (also mentioning owning-ref, and its soundness issues): https://internals.rust-lang.org/t/field-projection-for-rc-and-arc/15827

For some restricted use-cases of common combinations (Rc<RefCell<T>> and Arc<Mutex<T>>), it should be possible to have a safe API - which is exactly what owning-ref does (only owning-ref also adds other less safe APIs). Something like shared-rc (though that particular crate is still very new).

yoke might also be an interesting replacement.

gyscos avatar Sep 29 '22 14:09 gyscos

shared-rc looks promising

alexanderkjall avatar Mar 03 '23 22:03 alexanderkjall

After toying with ouroboros, I ended up using parking_lot and its ArcMutexGuard, which looks exactly like what we need: a popular, maintained crate with a specific-purpose implementation avoiding most of the pitfalls from general-purpose self-referencing libs.

  • yoke is mostly focused on zero-copy deserialization, and it shows in the Yokeable trait, which is not implemented for anything close to a mutex.
  • self_cell looked promising but does not support generics (we need to be generic on V: View).
  • ouroboros was interesting but did not support DerefMut<Target = V> for soundness reason in the general case, which would have broken the current API.
  • guardian looked like it could be a fit, but with no dependent and low usage, it felt a bit risky.

gyscos avatar Jan 02 '24 21:01 gyscos

Would it be possible to just switch to https://crates.io/crates/safer_owning_ref? It's owning_ref but with the security issue fixed :)

TobiPeterG avatar Mar 23 '24 23:03 TobiPeterG

In my previous post I mentioned switching to parking_lot, but apparently I only did that for NamedView - the main use of owning_ref I had.

Turns out there was another use of it in TextView, but here it was entirely useless. I have now removed owning_ref entirely from the dependencies.

gyscos avatar Mar 27 '24 15:03 gyscos