safety-dance
Auditing crates for unsafe code which can be safely replaced
https://docs.rs/bytes/0.4.12/bytes/ Slice-like type with atomic reference counting on top. Insanely popular - 12,000 downloads/day. Used in `reqwest`, `tokio-tcp` and `hyper`, exposed to untrusted data from the network. Contains plenty of...
`log`: [GitHub](https://github.com/rust-lang/log), [crates.io](https://crates.io/crates/log) Reverse dependencies: ~~4456~~ [many](https://crates.io/crates/log/reverse_dependencies), including `rand`, `env_logger`, and `tokio`. I was surprised to see so many usages of unsafe in a logging crate: ``` Functions Expressions Impls...
unicode-normalization: [GitHub](https://github.com/unicode-rs/unicode-normalization), [crates.io](https://crates.io/crates/unicode-normalization) Another widely-used crate. Discovered some unsafe expressions when checking url (#51). Once again, no clue if any of these are safe. ``` Metric output format: x/y x...
I would love to use Cap'n Proto, but it is full of unsafe code (~3000 lines).
This is a very popular crate (10k downloads / day, >2M all time), and is also a potential attack target, due to the fact that it is intended to be...
`itoa` has fast functions for printing integers. It's a dependency of `serde_json` so is included in lots of things. It's by the awesome dtolnay so I suspect it's unlikely we...
https://crates.io/crates/actix-web High-profile Rust web framework, perhaps the most popular one. Contains some potentially unnecessary unsafe code. Actix-web has already gotten [plenty of bad publicity](https://web.archive.org/web/20180827090330/https://www.reddit.com/r/rust/comments/8s7gei/unsafe_rust_in_actixweb_other_libraries/) (including [very recently](https://64.github.io/actix/)) for judicious use...
We encounter a lot of unsafe code that can be converted to safe. We should start cataloguing the antipatterns we discover and document how to convert them to safe code....
`miniz_oxide` has undergone a significant safety improvement recently (see #2). It had plenty of avoidable unsafe code. We should look through the changes and request Clippy lints for the antipatterns...
Tried to audit [image](https://crates.io/crates/image) and was hit by a slew of unsafe dependencies. The largest (yet unfiled) crate seemed to be [byteorder](https://crates.io/crates/byteorder). ``` Functions Expressions Impls Traits Methods Dependency 1/1...