Cryptographically verifiable, distributed dependency reviews
Add the last reviewed version to Cargo.toml / [dependencies]:
string-interner = "0.7.1"
Please, use mobile in landscape.
Filter reviews clicking on the numbers in the summary.
Full column names in tooltip hints: rating Negative, rating Neutral, rating Positive, rating Strong, thoroughness, understanding, reviews count.
EDIT: The found unsoundness is reported as vulnerability (RUSTSEC-2019-0023).
This is already fixed in 0.7.1, so you should use 0.7.1 or above.
I've found unsoundness and reported it: https://github.com/Robbepop/string-interner/issues/9.
This is use after free, but user cannot access that dangling pointer directly,
and invalid write access will not happen.
This issue is caused by StringInterner::clone()
followed by StringInterner::{get,get_or_intern}
,
so this would affect many use cases.
This is the reason of negative rating.
Except for that issue, there seems no problem.
unsafe
at line 125 is safe thanks to assert!
at the previous line.unsafe
at line 165 is safe because
InternalStrRef
s are immutable,*const str
referring inside private Vec<Box<str>>
, andInternalStrRef
s are not taken or copied to the outside of StringInterner
type.InternalStrRef
refers string owned by another interner instance,unsafe impl
s at line 233 and 239 is safe as commented in the source.
Vec<Box<str>>
is not changed until drop.InternalStrRef
and its content pointers are not exposed to the users.Once the UB bug is fixed, this crate would be safe.
I've found unsoundness and reported it: https://github.com/Robbepop/string-interner/issues/9.
This is use after free, but user cannot access that dangling pointer directly,
and invalid write access will not happen.
This issue is caused by StringInterner::clone()
followed by StringInterner::{get,get_or_intern}
,
so this would affect many use cases.
This is the reason of negative rating.
Except for that issue, there seems no problem.
unsafe
at line 125 is safe thanks to assert!
at the previous line.unsafe
at line 165 is safe because
InternalStrRef
s are immutable,*const str
referring inside private Vec<Box<str>>
, andInternalStrRef
s are not taken or copied to the outside of StringInterner
type.InternalStrRef
refers string owned by another interner instance,unsafe impl
s at line 233 and 239 is safe as commented in the source.
Vec<Box<str>>
is not changed until drop.InternalStrRef
and its content pointers are not exposed to the users.Once the UB bug is fixed, this crate would be safe.
© bestia.dev 2023, MIT License, Version: 2023.608.1636
Open source repository for this web app: https://github.com/bestia-dev/cargo_crev_web/
I have reviewed the previous version (0.7.0) and sent some patches to make the crate safer.
In this version, I found no security problems and no malicious code.
unsafe
at line 158 is safe becauseInternalStrRef
s and strings referred by them are immutable,InternalStrRef
s won't be dropped until the owning interner is dropped,*const str
referring inside privateVec<Box<str>>
which is owned by the same interner, andInternalStrRef
s are not taken or copied to the outside ofStringInterner
type.unsafe impl
s at line 248 and 254 is safe as commented in the source.Vec<Box<str>>
is not changed until the owning interner is dropped.InternalStrRef
s and their content pointers are not exposed to the users.I think this crate is safe to use.