RUSTSEC-2020-0013
on 2020-04-24: fake-static allows converting any reference into a
'static reference
This review is from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.
0.1.0 (current) Thoroughness: None Understanding: None
by kornelski on 2020-05-13
This exploits a bug in the compiler. Don't even think of using it.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open fake-static. Alternatively, you can download the tarball of fake-static v0.1.0 or view the source online.
fake-static allows converting a reference with any lifetime into a reference with
'staticlifetime without theunsafekeyword.Internally, this crate does not use unsafe code, it instead exploits a soundness bug in rustc:
https://github.com/rust-lang/rust/issues/25860
GHSA-8xw8-mmqv-frqq