{"id":"RUSTSEC-2021-0123","summary":"Converting `NSString` to a String Truncates at Null Bytes","details":"Methods of [`NSString`] for conversion to a string may return a partial result.\nSince they call [`CStr::from_ptr`] on a pointer to the string buffer, the\nstring is terminated at the first null byte, which might not be the end of the\nstring.\n\nIn addition to the vulnerable functions listed for this issue, the\nimplementations of [`Display`], [`PartialEq`], [`PartialOrd`], and [`ToString`]\nfor [`NSString`] are also affected, since they call those functions.\n\n## Impact\n\nSince [`NSString`] is commonly used as the type for paths by the [Foundation]\nframework, null byte truncation might allow for easily bypassing file extension\nchecks. For example, if a file name is provided by a user and validated to have\none of a specific set of extensions, with validation taking place before\ntruncation, an attacker can add an accepted extension after a null byte (e.g.,\n`file.exe\\0.txt`). After truncation, the file name used by the application\nwould be `file.exe`.\n\nIt would be better to generate unique names for files, instead of using\nuser-provided names, but not all applications take this approach.\n\n## Example:\n\n```rust\nlet string = NSString::from_str(\"null\\0byte\");\nprintln!(\"{}\", string);\n```\n\nThat example only prints the string \"null\".\n\n[`CStr::from_ptr`]: https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_ptr\n[`Display`]: https://doc.rust-lang.org/std/fmt/trait.Display.html\n[Foundation]: https://developer.apple.com/documentation/foundation\n[`NSString`]: https://docs.rs/fruity/0.2.0/fruity/foundation/struct.NSString.html\n[`PartialEq`]: https://doc.rust-lang.org/std/cmp/trait.PartialEq.html\n[`PartialOrd`]: https://doc.rust-lang.org/std/cmp/trait.PartialOrd.html\n[`ToString`]: https://doc.rust-lang.org/std/string/trait.ToString.html","aliases":["CVE-2021-43620","GHSA-h352-g5vw-3926"],"modified":"2023-11-08T04:07:11.140379Z","published":"2021-11-14T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/fruity"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0123.html"},{"type":"REPORT","url":"https://github.com/nvzqz/fruity/issues/14"}],"affected":[{"package":{"name":"fruity","ecosystem":"crates.io","purl":"pkg:cargo/fruity"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.1.0"},{"fixed":"0.3.0"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":["fruity::foundation::NSString::to_str","fruity::foundation::NSString::to_str_with_nul","fruity::foundation::NSString::to_string","fruity::foundation::NSString::to_string_with_nul"]},"affected_functions":null},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0123.json","categories":[],"informational":null}}],"schema_version":"1.7.3"}