Merge pull request #145 from rust-secure-code/wasm

WASM support

Author: Shnatsel

.github/workflows/linux.yml

@@ -27,6 +27,7 @@ jobs:
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: ${{ matrix.toolchain }}
+          target: "wasm32-unknown-unknown"
           profile: minimal
           override: true
       # multiple additional targets are not supported, so we invoke the action multiple times

.github/workflows/mac.yml

@@ -29,4 +29,5 @@ jobs:
           toolchain: ${{ matrix.toolchain }}
           profile: minimal
           override: true
+          target: "wasm32-unknown-unknown"
       - run: cargo test --all-features --workspace

.github/workflows/windows.yml

@@ -29,7 +29,7 @@ jobs:
           toolchain: ${{ matrix.toolchain }}
           profile: minimal
           override: true
-          target: "x86_64-pc-windows-msvc"
+          target: "wasm32-unknown-unknown"
       - name: "Test on the native x86_64-pc-windows-mscv"
         run: cargo test --all-features --workspace
       - name: "Test when cross-compiling to x86_64-pc-windows-gnu"

Cargo.lock

@@ -4,7 +4,7 @@ Know the exact crate versions used to build your Rust executable. Audit binaries
 
 This works by embedding data about the dependency tree in JSON format into a dedicated linker section of the compiled executable.
 
-Linux, Windows and Mac OS are officially supported. All other ELF targets should work, but are not tested on CI. WASM is currently not supported, but patches are welcome.
+Linux, Windows and Mac OS are officially supported. [WebAssembly](https://en.wikipedia.org/wiki/WebAssembly) is also supported starting with v0.6.3. All other ELF targets should work, but are not tested on CI.
 
 The end goal is to get Cargo itself to encode this information in binaries. There is an RFC for an implementation within Cargo, for which this project paves the way: https://github.com/rust-lang/rfcs/pull/2801
 

README.md

@@ -1,6 +1,6 @@
 [package]
 name = "auditable-extract"
-version = "0.3.2"
+version = "0.3.3"
 authors = ["Sergey \"Shnatsel\" Davidoff <shnatsel@gmail.com>"]
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/rust-secure-code/cargo-auditable"
@@ -12,3 +12,7 @@ edition = "2018"
 
 [dependencies]
 binfarce = "0.2"
+wasmparser = { version = "0.206.0", optional = true }
+
+[features]
+wasm = ["wasmparser"]

auditable-extract/Cargo.toml

@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage

auditable-extract/fuzz/.gitignore

@@ -0,0 +1,30 @@
+[package]
+name = "auditable-extract-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.auditable-extract]
+path = ".."
+features = ["wasm"]
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[profile.release]
+debug = 1
+
+[[bin]]
+name = "parse_wasm"
+path = "fuzz_targets/parse_wasm.rs"
+test = false
+doc = false
+
+# The other format parsers are tested as part of the `binfarce` crate

auditable-extract/fuzz/Cargo.toml

@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    let _ = auditable_extract::raw_auditable_data_wasm_for_fuzz(data);
+});

auditable-extract/fuzz/fuzz_targets/parse_wasm.rs

@@ -5,7 +5,7 @@
 //!
 //! This crate parses platform-specific binary formats ([ELF](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format),
 //! [PE](https://en.wikipedia.org/wiki/Portable_Executable),
-//! [Mach-O](https://en.wikipedia.org/wiki/Mach-O)) and obtains the compressed audit data.
+//! [Mach-O](https://en.wikipedia.org/wiki/Mach-O), [WASM](https://en.wikipedia.org/wiki/WebAssembly)) and obtains the compressed audit data.
 //!
 //! Unlike other binary parsing crates, it is specifically designed to be resilient to malicious input.
 //! It 100% safe Rust (including all dependencies) and performs no heap allocations.
@@ -15,7 +15,7 @@
 //! **Note:** this is a low-level crate that only implements binary parsing. It rarely should be used directly.
 //! You probably want the higher-level [`auditable-info`](https://docs.rs/auditable-info) crate instead.
 //!
-//! The following snippet demonstrates full extraction pipeline, including decompression
+//! The following snippet demonstrates full extraction pipeline using this crate, including decompression
 //! using the safe-Rust [`miniz_oxide`](http://docs.rs/miniz_oxide/) and optional JSON parsing
 //! via [`auditable-serde`](http://docs.rs/auditable-serde/):
 //!
@@ -42,6 +42,22 @@
 //!     Ok(())
 //! }
 //! ```
+//!
+//! ## WebAssembly support
+//!
+//! We use a third-party crate [`wasmparser`](https://crates.io/crates/wasmparser)
+//! created by Bytecode Alliance for parsing WebAssembly.
+//! It is a robust and high-quality parser, but its dependencies contain some `unsafe` code,
+//! most of which is not actually used in our build configuration.
+//!
+//! We have manually audited it and found it to be sound.
+//! Still, the security guarantees for it are not as ironclad as for other parsers.
+//! Because of that WebAssembly support is gated behind the optional `wasm` feature.
+//! Be sure to [enable](https://doc.rust-lang.org/cargo/reference/features.html#dependency-features)
+//! the `wasm` feature if you want to parse WebAssembly.
+
+#[cfg(feature = "wasm")]
+mod wasm;
 
 use binfarce::Format;
 
@@ -75,10 +91,22 @@ pub fn raw_auditable_data(data: &[u8]) -> Result<&[u8], Error> {
                 .ok_or(Error::NoAuditData)?;
             Ok(data.get(section.range()?).ok_or(Error::UnexpectedEof)?)
         }
-        _ => Err(Error::NotAnExecutable),
+        Format::Unknown => {
+            #[cfg(feature = "wasm")]
+            if data.starts_with(b"\0asm") {
+                return wasm::raw_auditable_data_wasm(data);
+            }
+
+            Err(Error::NotAnExecutable)
+        }
     }
 }
 
+#[cfg(all(fuzzing, feature = "wasm"))]
+pub fn raw_auditable_data_wasm_for_fuzz(input: &[u8]) -> Result<&[u8], Error> {
+    wasm::raw_auditable_data_wasm(input)
+}
+
 #[derive(Debug, Copy, Clone)]
 pub enum Error {
     NoAuditData,