[tbb-bugs] #27616 [Applications/Tor Browser]: Double-check Rust code for potential proxy bypass in ESR 60

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 16 01:55:03 UTC 2018 

#27616: Double-check Rust code for potential proxy bypass in ESR 60
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  task                      |         Status:  new
 Priority:  Very High                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201810      |  Actual Points:
Parent ID:  #22176                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by sysrqb):

 Okay. Back to this.

 I took a slightly different approach.


 Step 1. Find all Cargo.toml files starting from the root of the repo.
 These will be useful next when we must find where the vendored crate is
 located within the repo.
 {{{
 $ find . -name Cargo.toml > all_cargo_toml
 }}}

 Step 2. Find the package name within each Cargo.toml files - these are the
 crate names we'll need later. These are of the form
 `path/to/Cargo.toml:name = "name-of-crate"`.
 {{{
 $ while read crate; do echo -n $crate:; grep -A4 '\[package\]' $crate |
 grep 'name ='; done < all_cargo_toml | grep 'toml:name =' >
 all_rust_crates
 }}}

 Step 3. From the list of crates, from the ones currently being used (or
 potentially being used)
 {{{
 $ while read crate; do grep "= \"$crate\"" all_rust_crates; done <
 rust_crates | sort > used_crates
 }}}

 Step 4. Search the used crates for expected proxy-bypass
 variables/functinos/methods/etc.
 {{{
 $ cut -d: -f 1 used_crates | sed 's/Cargo.toml//' | xargs grep -rni -E
 "tcp|udp|socket|bind|connect|listener|send|recv|stream" | grep -v -E
 "[bB]inding|[bB]indgen" | grep -ni --color=always -E
 "tcp|udp|socket|bind|connect|listener|send|recv|stream" | less -R
 }}}

 This resulted in 15373 matches.

 We can prevent 100 matches by excluding the directories audited in the
 previous comment.
 {{{
 $ cut -d: -f 1 used_crates | sed 's/Cargo.toml//' | xargs grep -rni -E
 "tcp|udp|socket|bind|connect|listener|send|recv|stream" | grep -v -E
 "[bB]inding|[bB]indgen" | grep -v -e '^./media/mp4parse-
 rust/mp4parse_capi' -e '^./servo/support/gecko/nsstring' -e
 '^./xpcom/rust/nserror' -e '^./netwerk/base/rust-helper' -e
 '^./xpcom/rust/xpcom' -e '^./modules/libpref/parser' -e '^./netwerk/base
 /rust-url-capi' -e '^./dom/webauthn/u2f-hid-rs' -e '^servo/ports/geckolib'
 | grep -ni --color=always -E
 "tcp|udp|socket|bind|connect|listener|send|recv|stream" | less -R
 }}}

 (to be to continued)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27616#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list