How safe is it to build Rust code in the wild

From time to time I want to build and run certain open source Rust programs.
How careful should I be and what code should I vet before running cargo build?
As far as I understand, I should check build.rs in all of the crates in the project, check all proc-macro code and verify that there are no fishy dependencies (since those might have the same problems). Anything else?
Are there tools which can help me with this? For example, something that can list all dependencies and their frequency of use, so that I could clearly see outliers. Also is it safe to run cargo audit?

Would be glad for any input on the topic, thanks!

2 Likes

It's not build time specific, but you should be aware of GitHub - crev-dev/cargo-crev: A cryptographically verifiable code review system for the cargo (Rust) package manager, which provides general code reviews, including security reviews.

There's also IDE attacks where project configurations can load malicious attacks, but you generally get prompted whether you trust the code first by most IDEs now.

2 Likes

Note that the build script is not necessarily named build.rs, and can be arbitrarily overridden by the package.build key.

Additionally, any code (including build scripts and proc macros) can include_str!("~/.cargo/credentials.toml") or any other sensitive file on your system (it should be okay if you don't run the code though).

You can use cargo vendor to copy all dependency code into a convenient ./vendor directory to search through.

3 Likes
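One way to do the build-script and proc-macro triage described in this thread over a `cargo vendor` tree, as an added shell example (not code from the thread or from Cargo). It assumes the usual `./vendor/<crate>/Cargo.toml` layout and builds its own constructed sample tree when no directory is given, so it runs offline:

```sh
#!/bin/sh
# Added demo (not code from the thread). After `cargo vendor`, report which
# crates run code at build time: build scripts (build.rs or a custom
# [package] build = "..." path) and proc-macro crates, then list compile-time
# file/env reads (include_str!, include_bytes!, env!) to review by hand.

# audit_vendor <vendor-dir>: one line per crate that compiles to build-time code.
audit_vendor() {
    for manifest in "$1"/*/Cargo.toml; do
        crate_dir=$(dirname "$manifest")
        crate=$(basename "$crate_dir")
        # package.build may point the script anywhere; default is build.rs.
        custom=$(sed -n 's/^build *= *"\([^"]*\)".*/\1/p' "$manifest" | head -n 1)
        if [ -n "$custom" ]; then build_script=$custom
        elif [ -f "$crate_dir/build.rs" ]; then build_script=build.rs
        else build_script=none; fi
        proc_macro=no
        grep -q '^proc-macro *= *true' "$manifest" && proc_macro=yes
        if [ "$build_script" != none ] || [ "$proc_macro" = yes ]; then
            printf '%s\tbuild-script:%s\tproc-macro:%s\n' "$crate" "$build_script" "$proc_macro"
        fi
    done
}

# list_compile_time_reads <vendor-dir>: file:line of each macro that can pull
# arbitrary files or environment into the build (review every hit).
list_compile_time_reads() {
    find "$1" -name '*.rs' -exec grep -nE \
        'include_(str|bytes)!|(^|[^_[:alnum:]])(option_)?env!' /dev/null {} +
}

# Constructed sample vendor tree so the script runs offline; stands in for
# the real ./vendor produced by `cargo vendor`.
make_sample_vendor() {
    root=$(mktemp -d)
    mkdir -p "$root/a-plain/src" "$root/b-buildscript" "$root/c-procmacro/scripts"
    printf '[package]\nname = "a-plain"\n' > "$root/a-plain/Cargo.toml"
    printf '[package]\nname = "b-buildscript"\n' > "$root/b-buildscript/Cargo.toml"
    # Reads a file outside the crate at compile time: the pattern to flag.
    printf 'fn main() { let _ = include_str!("../../outside-the-crate.txt"); }\n' \
        > "$root/b-buildscript/build.rs"
    printf '[package]\nname = "c-procmacro"\nbuild = "scripts/gen.rs"\n[lib]\nproc-macro = true\n' \
        > "$root/c-procmacro/Cargo.toml"
    printf 'fn main() {}\n' > "$root/c-procmacro/scripts/gen.rs"
    echo "$root"
}

vendor=${1:-$(make_sample_vendor)}
audit_vendor "$vendor"
list_compile_time_reads "$vendor"
```

Run it as `sh audit.sh ./vendor` after `cargo vendor`; every crate it prints, and every macro hit, is code that executes or reads files on your machine before the program itself ever runs.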