April was an odd month with a bunch of travel, vacation and sickness across the Rust Foundation technology team. That said, there were still some security-related updates to share.
The Rust Security Response WG was notified that the Rust standard library (among many other software development ecosystems) did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.
Due to the complexity of cmd.exe, the Security Response WG didn't identify a solution that would correctly escape arguments in all cases. To maintain API guarantees, they improved the robustness of the escaping code, and changed the Command API to return an InvalidInput error when it cannot safely escape an argument. This error will be emitted when spawning the process.
A blog post detailing the entire process was written.
The r2d2 database connection pool library has been removed from the crates.io backend code, since it appears to be unmaintained. It has been replaced by an async database connection pool library called deadpool, which is actively maintained and supported by diesel-async.
The crates.io test suite was migrated to async tests to make it easier to use async-only libraries in the test suite.
Now that the download traffic is no longer hitting the crates.io API servers, the crates.io team began to investigate performance issues and their potential solutions for the remaining API calls. The reverse dependencies endpoint in particular is not scaling well with the increased number of packages on crates.io. A default_versions database table was introduced as a first step to address some of these performance concerns.
Applications for both the C++/Rust Interop Initiative Software Engineer Lead and the Rust Infrastructure Engineer roles closed in March and we are deep into the interview/hiring process. We look forward to identifying the right candidates for these important positions soon.
With so many high-impact programs at the Foundation and a comparatively small team, the Foundation staff is looking forward to welcoming several new hires to help us scale and streamline our efforts.
Some of the Rust Foundation staff attended and participated in the Open Source Summit North America in Seattle, Washington, USA.
Joel and Walter attended the first in-person Alpha-Omega round table. Many recipients of Alpha-Omega funding were there. We discussed various security-related issues of the day (yes XZ was discussed) along with other ecosystem-specific items.
Joel was part of an OpenSSF TTX Panel where he played an open source maintainer in a vulnerability scenario.
Adam gave a presentation called Quantifying Nebraska discussing how basically all projects depend on each other and that the smaller projects also deserve thanks and resources.
Bec and Gracie gave a presentation around trademark policy, particularly the highs and lows of going through the process.
Joel was part of a joint presentation with Fastly around building global edge apps on the Fastly compute platform. Joel presented from the viewpoint of how the Foundation is using Fastly for secure and efficiently delivery of Rust Project resources.
Joel is working to establish a Rust Safety Critical Consortium amongst interested parties. An initial introductory meeting was had and now we are working on trying to determine and document a vision for such a consortium. This is early times and a work in progress, but is showing promise that a working group can come to fruition.