Description
clippy is a Rust linting tool designed to detect common Rust mistakes and provide helpful suggestions for how to improve code. A list of the lints it presently supports is here:
https://rust-lang.github.io/rust-clippy/master/
Among these are "restriction" lints, which are opt-in (off by default, enabled per project). These are not (upon cursory inspection) presently leveraged for security, but clippy's original author @Manishearth has suggested they could be, and patches for security-related lints are welcome (potentially including lints for popular ecosystem crates!). There's ample precedent for detecting similar unsafe patterns through AST analysis in other languages, so extending clippy with restriction lints for security seems worth pursuing.
Below is a table of lints taken from a similar tool for Go, the gosec project, which operates using clippy-like AST analysis. These are intended as food for thought, and some may not make sense as clippy lints or for Rust in general (I've removed ones which audit `unsafe` and things like `#![must_use]`), but they seem like a reasonably good starting point for figuring out which ones would be most valuable for clippy:
General
| | Name | Description |
|---|---|---|
| ⬜ | Hard-coded credentials | Hardcoded passwords, crypto keys, or other secrets |
| ⬜ | Restrict net binding | Network listeners which bind to all interfaces |
| ⬜ | Bignum usage patterns | Unsafe bignum usage patterns |
| ⬜ | Command execution | Unsafe command execution patterns (e.g. shell escaping) |
| ⬜ | Directory permissions | Avoid creating directories with overly broad permissions |
| ⬜ | File permissions | Avoid creating or setting overly broad file permissions |
| ⬜ | Temporary files | Enforce safe temporary file patterns (via the `tempfile` crate?) |
| ⬜ | Attacker-controlled paths | Avoid opening files based on attacker-controlled paths |
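As an added illustration (not part of the original proposal, gosec, or clippy itself), here is the source-level shape of the "Command execution" row: the `sh -c` string interpolation a lint would flag, beside the argv form that never lets a shell parse the untrusted value. Nothing is spawned; the `Command` is inspected through `get_program()` / `get_args()` so the difference in argv is visible. The function names and the sample input are constructed for this example.

```rust
use std::ffi::OsStr;
use std::process::Command;

/// The pattern a "command execution" lint would flag: untrusted input is
/// spliced into a single shell string, so any metacharacters in `filename`
/// (`;`, `|`, `$(...)`) are interpreted by the shell. The Command is returned
/// unspawned so its argv can be inspected.
fn flagged_shell_interpolation(filename: &str) -> Command {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(format!("ls -l {}", filename));
    cmd
}

/// The hardened form: a fixed program with the untrusted value passed as its
/// own argv element. No shell ever parses it, so `;` is just a byte in a name.
fn hardened_argv(filename: &str) -> Command {
    let mut cmd = Command::new("ls");
    cmd.arg("-l").arg(filename);
    cmd
}

/// Render the argv that `cmd` would hand to the OS, without running it.
fn argv(cmd: &Command) -> Vec<String> {
    std::iter::once(cmd.get_program())
        .chain(cmd.get_args())
        .map(|s: &OsStr| s.to_string_lossy().into_owned())
        .collect()
}

fn main() {
    // Constructed attacker-controlled input for the demonstration.
    let evil = "x; rm -rf /";
    println!("flagged:  {:?}", argv(&flagged_shell_interpolation(evil)));
    println!("hardened: {:?}", argv(&hardened_argv(evil)));
}
```

In the flagged form the whole of `"ls -l x; rm -rf /"` is one argv element handed to `sh`, which will happily run both commands; in the hardened form `"x; rm -rf /"` is a single argument to `ls` and can only ever be a (nonexistent) filename. A clippy lint for this row would look for `Command::new("sh")` / `"bash"` followed by `-c` and a non-literal argument, which is the same heuristic gosec applies in Go.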
Crate-specific
| | Crate | Name | Description |
|---|---|---|---|
| ⬜ | askama / tera ? | HTML escaping | Disallow attacker-controlled unescaped data |
| ⬜ | diesel | SQL query construction | Disallow unescaped attacker-controlled parameters in SQL queries |
| ⬜ | hyper? | Attacker-controlled URLs | Disallow attacker-controlled URLs |
| ⬜ | md5, md-5, sha1, sha-1, rust-crypto | Broken crypto | Detect use of broken cryptographic primitives (and/or unmaintained crypto crates?) |
| ⬜ | openssl / rustls | TLS settings | Detect bad TLS connection settings |
| ⬜ | ssh2? | Host key verification | Ensure SSH host keys are verified |
| ⬜ | tar / zip? | Directory traversal | Avoid unsafe usage patterns that could result in directory traversal attacks |
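An added example (not from the original issue, gosec, or the `tar` / `zip` crates) of the check behind both the "Attacker-controlled paths" row above and the "Directory traversal" row here: a lexical join of an untrusted archive entry name onto a trusted extraction directory that rejects `..`, absolute paths and Windows drive prefixes before any file is created. `safe_join`, `plan_extraction` and the sample entry names are constructed for this illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Join an untrusted relative path (an archive entry name, a user-supplied
/// filename) onto a trusted base directory, returning None if it could escape.
/// The check is purely lexical: it never touches the filesystem, so symlinks
/// already inside `base` must be handled separately (e.g. by refusing to
/// follow them when creating the destination).
fn safe_join(base: &Path, untrusted: &str) -> Option<PathBuf> {
    let mut out = base.to_path_buf();
    for component in Path::new(untrusted).components() {
        match component {
            // Ordinary names are the only thing accepted.
            Component::Normal(name) => out.push(name),
            // A leading "." is harmless; drop it.
            Component::CurDir => {}
            // "..", a leading "/" or a Windows prefix such as "C:\" could leave
            // `base`; reject the whole entry rather than trying to normalise it
            // (so "a/../b" is refused too, which is deliberately conservative).
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Partition constructed archive entry names into safe destinations and
/// rejected entries, as an extractor loop would before creating any file.
fn plan_extraction(base: &Path, entries: &[&str]) -> (Vec<PathBuf>, Vec<String>) {
    let mut accepted = Vec::new();
    let mut rejected = Vec::new();
    for entry in entries {
        match safe_join(base, entry) {
            Some(dest) => accepted.push(dest),
            None => rejected.push(entry.to_string()),
        }
    }
    (accepted, rejected)
}

fn main() {
    // Constructed entry names modelled on a malicious archive.
    let entries = [
        "docs/readme.txt",
        "./bin/tool",
        "../../etc/cron.d/backdoor",
        "/etc/passwd",
        "a/../b",
    ];
    let (ok, bad) = plan_extraction(Path::new("/srv/extract"), &entries);
    println!("accepted: {:?}", ok);
    println!("rejected: {:?}", bad);
}
```

Two caveats a lint or reviewer should keep in mind: `Path::components()` is platform-specific, so on Unix an entry such as `..\evil` is a single `Normal` component (it creates an oddly named file rather than escaping), while on Windows it is a `ParentDir`; and because the check is lexical, an archive that first creates a symlink inside `base` and then writes through it is a separate problem that only a filesystem-aware extractor can close.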
Please let me know if you think some of these should definitely be added to clippy, or if some don't make sense or are otherwise out of scope, and I will update the table accordingly.
If there's agreement on some high-priority ones to work on, I think the next step is to create specific issues about them on https://github.com/rust-lang/rust-clippy (i.e. this issue is just for discussion and to get the ball rolling), and after that we should move things over to the clippy repo proper.