Rust stdlib vulnerability in fs::remove_dir_all

January 20, 2022

Rust stdlib vulnerability in fs::remove_dir_all

Earlier today, the Rust Security Response WG published a security advisory related to the fs::remove_dir_all standard library function. The team was notified that this function is vulnerable to a Race Condition Enabling Link Following (CWE-363).

Understanding the std::fs::remove_dir_all vulnerability

The remove_dir_all function takes a path as its parameter and removes a directory at this path, after removing all its contents recursively. You would use the function like this, for instance:

use std::fs;
fn main() -> std::io::Result<()> {
    fs::remove_dir_all("/home/to-delete")?;
    Ok(())
}

According to the official documentation, the function does not follow symbolic links, and it simply removes the symbolic link if it sees one. However, as the security advisory found, this behavior was implemented incorrectly. From the official Rust blog post:

[...] that check was implemented incorrectly in the standard library, resulting in a TOCTOU (Time-of-check Time-of-use) race condition. Instead of telling the system not to follow symlinks, the standard library first checked whether the thing it was about to delete was a symlink, and otherwise, it would proceed to recursively delete the directory. This exposed a race condition: an attacker could create a directory and replace it with a symlink between the check and the actual deletion. While this attack likely won't work the first time it's attempted, in our experimentation we were able to reliably perform it within a couple of seconds.

Rust versions 1.0.0 through 1.58.0 are affected by this vulnerability. The Rust team will release Rust 1.58.1 later today, which will include mitigations for it. The Rust team has recommended that all users update to Rust 1.58.1 at the earliest to ensure this vulnerability is fixed.

What DeepSource is doing about it

We’ve added a new issue in our Rust Analyzer to detect this vulnerability — RS-S1002. If you’re on a vulnerable version of Rust, DeepSource will show you where you’re using this method in your code. For all new changes proposed through pull requests, DeepSource will alert you if a change makes your code vulnerable.

If you’re a DeepSource user and have the Rust Analyzer activated on your project, we’ve already re-triggered analysis on your project. Open the Issues tab of your repository on DeepSource, and check the Security category to see if it was detected in your code.


If you have any questions or need help, feel free to ask in our Discord.

Get started with DeepSource

DeepSource is free forever for small teams and open-source projects. Start analyzing your code in less than 2 minutes.

Choose an account
Newsletter

Read product updates, company announcements, how we build DeepSource, what we think about good code, and more.