It is in fact possible to audit the build.rs of published crates
jyn514 opened this issue
I read your article "Backdooring Rust crates for fun and profit" today which said:
While it’s possible to audit the code of a crate on https://docs.rs by clicking on a [src] button, it turns out that I couldn’t find a way to inspect build.rs files. Thus, combined with a malicious update, it’s the almost perfect backdoor.
There is a way to view build.rs files, you just have to use docs.rs' source view on /crate instead of rustdoc's. e.g. for boring-sys you can see the build.rs on https://docs.rs/crate/boring-sys/1.1.1/source/build.rs.
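As an added example (not part of this issue or of docs.rs itself), the script below generalises the URL pattern above: it reads a Cargo.lock and emits, for every crates.io dependency, the docs.rs source URL of its build.rs so each build script can be reviewed before trusting an update. The lockfile is a constructed sample.

```python
import re
from urllib.parse import quote

# docs.rs serves a crate's packaged source at /crate/<name>/<version>/source/<path>
DOCS_RS_SOURCE = "https://docs.rs/crate/{name}/{version}/source/{path}"
CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample Cargo.lock: a crates.io crate, a git dependency and a
# path dependency (path dependencies carry no "source" key).
SAMPLE_LOCK = """\
[[package]]
name = "boring-sys"
version = "1.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-fork"
version = "0.3.0"
source = "git+https://example.invalid/my-fork.git#abcdef"

[[package]]
name = "local-crate"
version = "0.1.0"
"""

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')

def parse_lockfile(text):
    """Return one dict per [[package]] block holding its string key/value pairs."""
    packages, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def build_script_urls(lock_text, path="build.rs"):
    """Map each crates.io package name to the docs.rs URL of its build script."""
    urls = {}
    for pkg in parse_lockfile(lock_text):
        # Git and path dependencies are skipped: docs.rs only hosts crates.io releases.
        if pkg.get("source") == CRATES_IO:
            # `path` is the default build script name; a manifest's `build` key can
            # point elsewhere, so pass that path for such crates.
            urls[pkg["name"]] = DOCS_RS_SOURCE.format(
                name=quote(pkg["name"]), version=quote(pkg["version"]), path=path)
    return urls
```

Running `build_script_urls(open("Cargo.lock").read())` on a real project yields one URL per registry crate to open and read; git and path dependencies must be inspected in their own checkouts.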
Fixed, thank you very much 🙏