Rust

Rust

By DeepSource

Extending string with another using chars RS-W1095
Bug risk

Extending one String with another is possible through .extend(s.chars()). However, this is better expressed using push_str(s).

Missing regex anchor RS-S1008
Security

It is unsafe to match untrusted input against regular expressions without ^ anchor. URLs with missing anchors can prove fatal as malicious inputs bypass the system's security checks.

Found occurrence of .filter(..).next() RS-W1023
Anti-pattern

.filter(..).next() is equivalent to .find(..). Prefer .find(..) for readability.

Found use of .clone() in assignment RS-W1070
Anti-pattern

Consider using .clone_from() instead of assigning the result of .clone().

clone_from() may perform better in some cases because some structs may have custom implementations of clone_from(), which improve performance by avoiding needless allocations.

Found redundant use of mem::replace RS-W1113
Anti-pattern

The std::mem module provides the take() method to acquire the current value and replace it with the default value of the same type. Prefer using this over mem::replace with T::default().

Found comparison with NaN RS-E1012
Bug risk
Autofix

Comparing a floating point with NaN using == or != is redundant. NaN cannot be compared to anything, not even itself. Use .is_nan() instead.

Found occurrence of Arc<RwLock<HashMap<K, V>>> RS-P1003
Performance

Arc<RwLock<HashMap<K, V>>> has performance concerns, the dashmap crate provides a much better alternative to concurrent hashmaps. Hence, Arc<RwLock<HashMap<K, V>>> is better off replaced by Arc<DashMap<K, V>> from the dashmap crate.

Found usage of Box::new(T::default()) RS-P1008
Performance

Box::new(T::default()) is overly verbose, involving two function calls instead of one. It can be better written as Box::<T>::default().

Potentially unsafe usage of Arc::get_mut RS-S1000
Security

In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::get_mut method. This synchronization issue can be lead to memory safety issues through race conditions.

Potentially unsafe usage of std::fs::remove_dir_all RS-S1002
Security

In the standard library in Rust before 1.58.1, there is a race condition that enables symlink following. An attacker could take advantage of this security vulnerability to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.

Hardcoded temporary file or directory detected RS-S1003
Security

This issue is raised when a hardcoded temporary file or directory is detected. Creating and using insecure temporary files can leave the application vulnerable to attacks. Lack of uniqueness in temporary files allows attackers to predict the filename and inject dangerous data into the application through the temporary file.

Found usage of cryptographically insecure algorithm RS-S1004
Security

Certain cryptographic algorithms are known to be cryptographically insecure and should be avoided.

Insufficient RSA key size RS-S1005
Security

The strength of public-key-based cryptographic algorithm (like RSA) is determined by the time that it takes to derive the private key by using brute-force methods. 1024-bit keys are to be avoided since they are easy to brute-force. However, 2048-bit keys are said to be sufficient until 2030. Preferably use 4096-bit keys.

Found potentially incorrect use of bitwise XOR RS-S1007
Security
Autofix

The caret symbol (^) in some languages is used to represent exponentiation. However, in Rust, as in many C-like languages, it represents the bitwise exclusive-or (XOR) operation. It is recommended to carefully vet if the caret is being used for XOR or exponentiation.

Redirect to destination from possibly tainted source RS-S1009
Security

Redirects to a destination that is provided by the user or through an external function may be invalid or unsafe. Consider verifying the destination before firing the redirect.

Usage of DoS vulnerable version of regex crate RS-S1015
Security

The regex Rust library prior to version 1.5.5 is vulnerable to regular expression denial of service (ReDoS) attacks. Ensure that you use version 1.5.5 or above in Cargo.toml dependencies for regex.

Consider using .clamp(min, max), instead of .max(min).min(max) or .min(max).max(min) RS-W1069
Anti-pattern

Chained Ord::min and Ord::max functions can be replaced with Ord::clamp, which is also a more readable solution.

Found comparison with None RS-W1108
Anti-pattern
Autofix

Checking if a value is None via a direct comparison is usually inspired from other programming languages (e.g. foo is None in Python). In Rust, the Eq trait is used to perform the comparison, which is unneeded. The Option type provides the is_none() and is_some() methods which return a boolean, allowing for more idoimatic comparison.

Found redundant use of mem::replace RS-W1114
Bug risk

Using mem::replace(&mut _, mem::uninitialized()) or mem::replace(&mut _, mem::zeroed()) may lead to undefined behaviour even if the value is overwritten later, as the uninitialized value may remain in case of panic recovery.