Explain TOCTOU on the top of std::fs, and reference it in functions
#141847
+41
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
This comment has been minimized.
This comment has been minimized.
|
oh cool. I was hoping to see this rebased on latest so that #141832 would be included and it "refactored" that documentation. I don't know what's worth changing here without seeing it be a more aggressive cleanup of, at least, the free functions inside std/src/fs.rs |
|
I have referenced this paragraph from all the functions in fs.rs(actually all files in std, including path.rs) that mention TOCTOU, but I don't know if there are any that don't explicitly mention TOCTOU. I will refactor documents in #141832 after I wake up and merge the common parts. |
ChrisDenton
reviewed
Jun 1, 2025
Signed-off-by: xizheyin <xizheyin@smail.nju.edu.cn> Signed-off-by: xizheyin <xizheyin@smail.nju.edu.cn>
xizheyin
commented
Jun 2, 2025
Comment on lines
+2950
to
+2958
| /// See the [module-level TOCTOU explanation](self#time-of-check-to-time-of-use-toctou). | ||
| /// | ||
| /// On most platforms, `fs::remove_dir_all` protects against symlink TOCTOU races by default. | ||
| /// However, on the following platforms, this protection is not provided and the function should | ||
| /// not be used in security-sensitive contexts: | ||
| /// - **Miri**: Even when emulating targets where the underlying implementation will protect against | ||
| /// TOCTOU races, Miri will not do so. | ||
| /// - **Redox OS**: This function does not protect against TOCTOU races, as Redox does not implement | ||
| /// the required platform support to do so. |
There was a problem hiding this comment.
I refactored the contents in #141832. I moved the synbolic TOCTOU race example to the top of fs.rs, and only left which platforms should be taken care of.
Comment on lines
+7
to
+27
| //! | ||
| //! # Time of Check to Time of Use (TOCTOU) | ||
| //! | ||
| //! Many filesystem operations are subject to a race condition known as "Time of Check to Time of Use" | ||
| //! (TOCTOU). This occurs when a program checks a condition (like file existence or permissions) | ||
| //! and then uses the result of that check to make a decision, but the condition may have changed | ||
| //! between the check and the use. | ||
| //! | ||
| //! For example, checking if a file exists and then creating it if it doesn't is vulnerable to | ||
| //! TOCTOU - another process could create the file between your check and creation attempt. | ||
| //! | ||
| //! Another example is with symbolic links: when removing a directory, if another process replaces | ||
| //! the directory with a symbolic link between the check and the removal operation, the removal | ||
| //! might affect the wrong location. This is why operations like [`remove_dir_all`] need to use | ||
| //! atomic operations to prevent such race conditions. | ||
| //! | ||
| //! To avoid TOCTOU issues: | ||
| //! - Be aware that metadata operations (like [`metadata`] or [`symlink_metadata`]) may be affected by | ||
| //! changes made by other processes. | ||
| //! - Use atomic operations when possible (like [`File::create_new`] instead of checking existence then creating). | ||
| //! - Keep file open for the duration of operations. |
There was a problem hiding this comment.
Here,
- first explain what is
TOCTOU - present two examples including
createandremove_dir_all, from simple to complex. - give three notes to try to avoid
TOCTOU.
|
Hm. I know I filed the issues but I wasn't really expecting to get two PRs immediately and r?'d on them, I kinda expected them to hit the rotation, and this is a slightly more tricky PR to judge when biased by being the reporter. So I'm going to pass them onto the rotation, sorry! ^^; r? libs |
|
Failed to set assignee to
|
|
r? libs |
|
@bors r+ rollup |
bors
added
S-waiting-on-bors
jhpratt
added a commit
to jhpratt/rust
that referenced
this pull request
Jul 1, 2025
Explain `TOCTOU` on the top of `std::fs`, and reference it in functions Fixes rust-lang#141837 r? `@workingjubilee`
bors
added a commit
that referenced
this pull request
Jul 2, 2025
Rollup of 12 pull requests Successful merges: - #141829 (Specialize sleep_until implementation for unix (except mac)) - #141847 (Explain `TOCTOU` on the top of `std::fs`, and reference it in functions) - #142138 (Add `Vec::into_chunks`) - #142321 (Expose elf abi on ppc64 targets) - #142568 (Use the .drectve section for exporting symbols from dlls on Windows) - #142886 (ci: aarch64-gnu: Stop skipping `panic_abort_doc_tests`) - #143038 (avoid suggesting traits from private dependencies) - #143194 (fix bitcast of single-element SIMD vectors) - #143206 (Align attr fixes) - #143258 (Don't recompute `DisambiguatorState` for every RPITIT in trait definition) - #143260 (Use the correct export kind for __rust_alloc_error_handler_should_panic) - #143274 (ci: support optional jobs) r? `@ghost` `@rustbot` modify labels: rollup
jhpratt
added a commit
to jhpratt/rust
that referenced
this pull request
Jul 2, 2025
Explain `TOCTOU` on the top of `std::fs`, and reference it in functions Fixes rust-lang#141837 r? ``@workingjubilee``
bors
added a commit
that referenced
this pull request
Jul 2, 2025
Rollup of 11 pull requests Successful merges: - #141829 (Specialize sleep_until implementation for unix (except mac)) - #141847 (Explain `TOCTOU` on the top of `std::fs`, and reference it in functions) - #142138 (Add `Vec::into_chunks`) - #142321 (Expose elf abi on ppc64 targets) - #142886 (ci: aarch64-gnu: Stop skipping `panic_abort_doc_tests`) - #143038 (avoid suggesting traits from private dependencies) - #143194 (fix bitcast of single-element SIMD vectors) - #143206 (Align attr fixes) - #143258 (Don't recompute `DisambiguatorState` for every RPITIT in trait definition) - #143260 (Use the correct export kind for __rust_alloc_error_handler_should_panic) - #143274 (ci: support optional jobs) r? `@ghost` `@rustbot` modify labels: rollup
jhpratt
added a commit
to jhpratt/rust
that referenced
this pull request
Jul 2, 2025
Explain `TOCTOU` on the top of `std::fs`, and reference it in functions Fixes rust-lang#141837 r? ```@workingjubilee```
bors
added a commit
that referenced
this pull request
Jul 2, 2025
Rollup of 12 pull requests Successful merges: - #141847 (Explain `TOCTOU` on the top of `std::fs`, and reference it in functions) - #142138 (Add `Vec::into_chunks`) - #142321 (Expose elf abi on ppc64 targets) - #142886 (ci: aarch64-gnu: Stop skipping `panic_abort_doc_tests`) - #143038 (avoid suggesting traits from private dependencies) - #143194 (fix bitcast of single-element SIMD vectors) - #143206 (Align attr fixes) - #143231 (Suggest use another lifetime specifier instead of underscore lifetime) - #143232 ([COMPILETEST-UNTANGLE 3/N] Use "directives" consistently within compiletest) - #143258 (Don't recompute `DisambiguatorState` for every RPITIT in trait definition) - #143260 (Use the correct export kind for __rust_alloc_error_handler_should_panic) - #143274 (ci: support optional jobs) r? `@ghost` `@rustbot` modify labels: rollup
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Jul 2, 2025
Explain `TOCTOU` on the top of `std::fs`, and reference it in functions Fixes rust-lang#141837 r? ````@workingjubilee````
bors
added a commit
that referenced
this pull request
Jul 2, 2025
Rollup of 11 pull requests Successful merges: - #141847 (Explain `TOCTOU` on the top of `std::fs`, and reference it in functions) - #142138 (Add `Vec::into_chunks`) - #142321 (Expose elf abi on ppc64 targets) - #142886 (ci: aarch64-gnu: Stop skipping `panic_abort_doc_tests`) - #143038 (avoid suggesting traits from private dependencies) - #143194 (fix bitcast of single-element SIMD vectors) - #143231 (Suggest use another lifetime specifier instead of underscore lifetime) - #143232 ([COMPILETEST-UNTANGLE 3/N] Use "directives" consistently within compiletest) - #143258 (Don't recompute `DisambiguatorState` for every RPITIT in trait definition) - #143260 (Use the correct export kind for __rust_alloc_error_handler_should_panic) - #143274 (ci: support optional jobs) r? `@ghost` `@rustbot` modify labels: rollup
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Jul 2, 2025
Explain `TOCTOU` on the top of `std::fs`, and reference it in functions Fixes rust-lang#141837 r? `````@workingjubilee`````
bors
added a commit
that referenced
this pull request
Jul 2, 2025
Rollup of 10 pull requests Successful merges: - #141847 (Explain `TOCTOU` on the top of `std::fs`, and reference it in functions) - #142138 (Add `Vec::into_chunks`) - #142321 (Expose elf abi on ppc64 targets) - #142886 (ci: aarch64-gnu: Stop skipping `panic_abort_doc_tests`) - #143194 (fix bitcast of single-element SIMD vectors) - #143231 (Suggest use another lifetime specifier instead of underscore lifetime) - #143232 ([COMPILETEST-UNTANGLE 3/N] Use "directives" consistently within compiletest) - #143258 (Don't recompute `DisambiguatorState` for every RPITIT in trait definition) - #143260 (Use the correct export kind for __rust_alloc_error_handler_should_panic) - #143274 (ci: support optional jobs) r? `@ghost` `@rustbot` modify labels: rollup
bors
added a commit
that referenced
this pull request
Jul 2, 2025
Rollup of 9 pull requests Successful merges: - #141847 (Explain `TOCTOU` on the top of `std::fs`, and reference it in functions) - #142138 (Add `Vec::into_chunks`) - #142321 (Expose elf abi on ppc64 targets) - #142886 (ci: aarch64-gnu: Stop skipping `panic_abort_doc_tests`) - #143194 (fix bitcast of single-element SIMD vectors) - #143231 (Suggest use another lifetime specifier instead of underscore lifetime) - #143232 ([COMPILETEST-UNTANGLE 3/N] Use "directives" consistently within compiletest) - #143258 (Don't recompute `DisambiguatorState` for every RPITIT in trait definition) - #143274 (ci: support optional jobs) r? `@ghost` `@rustbot` modify labels: rollup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #141837
r? @workingjubilee