Verify that src dir was not modified by build.rs during publish.
authorboxdot <d@zerovolt.org>
Mon, 28 May 2018 10:06:03 +0000 (12:06 +0200)
committerboxdot <d@zerovolt.org>
Mon, 28 May 2018 10:06:03 +0000 (12:06 +0200)
Co-authored-by: Gabriel Feron <feron.gabriel@gmail.com>
src/cargo/ops/cargo_package.rs

index f9de8286824c6bba08059bffe46eea4653ba74af..037d53ba9161b5d7819222c1410d0ea401701393 100644 (file)
@@ -330,6 +330,7 @@ fn run_verify(ws: &Workspace, tar: &FileLock, opts: &PackageOpts) -> CargoResult
     let id = SourceId::for_path(&dst)?;
     let mut src = PathSource::new(&dst, &id, ws.config());
     let new_pkg = src.root_package()?;
+    let pkg_fingerprint = src.fingerprint(&new_pkg)?;
     let ws = Workspace::ephemeral(new_pkg, config, None, true)?;
 
     ops::compile_ws(
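Review bot: The added `pkg_fingerprint` line has no comment, and its purpose only becomes clear about twenty lines later in the second hunk. Because `new_pkg` is moved into `Workspace::ephemeral` on the next line, the ordering matters and a later refactor could easily break it. I would add `// Baseline fingerprint of the unpacked package, taken before compiling; compared again after the build.` above the new line. `run_verify` starts before this hunk and the `compile_ws` call continues past it.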
@@ -352,6 +353,15 @@ fn run_verify(ws: &Workspace, tar: &FileLock, opts: &PackageOpts) -> CargoResult
         Arc::new(DefaultExecutor),
     )?;
 
+    // Check that build.rs didn't modify any files in the src directory.
+    let ws_fingerprint = src.fingerprint(ws.current()?)?;
+    if pkg_fingerprint != ws_fingerprint {
+        bail!(
+            "Source directory was modified by build.rs during cargo publish. \
+             Build scripts should not modify anything outside of OUT_DIR."
+        )
+    }
+
     Ok(())
 }
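Review bot: The check at `if pkg_fingerprint != ws_fingerprint` is only as strong as what `src.fingerprint` covers, and that implementation is not visible in this hunk. If it is derived from modification times of the files the source lists rather than from their contents, a change that leaves timestamps intact or touches files outside the listed set would not be caught. The comment should state this limit, for example `// NOTE: detects only what PathSource::fingerprint covers (<coverage to confirm>); not a content hash of the tree.` The message also says "during cargo publish", but `run_verify` lives in cargo_package.rs and presumably runs for `cargo package` as well, so "during package verification" would be more accurate. Including the two fingerprint values in the `bail!` text would help a maintainer see what changed. `run_verify` begins outside the hunk.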