fix(toml): Reject registry-index in user-written manifests

moabo3li · moabo3li · commit ab36df1618a0 · 2025-11-26T00:49:13.000+02:00
diff --git a/src/cargo/core/source_id.rs b/src/cargo/core/source_id.rs
@@ -387,6 +387,11 @@ impl SourceId {
         matches!(self.inner.kind, SourceKind::Git(_))
     }
 
+    /// Returns `true` if this source is from a directory.
+    pub fn is_directory(self) -> bool {
+        self.inner.kind == SourceKind::Directory
+    }
+
     /// Creates an implementation of `Source` corresponding to this ID.
     ///
     /// * `yanked_whitelist` --- Packages allowed to be used, even if they are yanked.
diff --git a/src/cargo/util/toml/mod.rs b/src/cargo/util/toml/mod.rs
@@ -1276,6 +1276,40 @@ pub fn to_real_manifest(
     gctx: &GlobalContext,
     warnings: &mut Vec<String>,
     _errors: &mut Vec<String>,
+) -> CargoResult<Manifest> {
+    to_real_manifest_impl(
+        contents,
+        document,
+        original_toml,
+        normalized_toml,
+        features,
+        workspace_config,
+        source_id,
+        manifest_file,
+        is_embedded,
+        gctx,
+        warnings,
+        _errors,
+        false,
+    )
+}
+
+/// Internal implementation with cargo_generated parameter
+#[tracing::instrument(skip_all)]
+fn to_real_manifest_impl(
+    contents: String,
+    document: toml::Spanned<toml::de::DeTable<'static>>,
+    original_toml: manifest::TomlManifest,
+    normalized_toml: manifest::TomlManifest,
+    features: Features,
+    workspace_config: WorkspaceConfig,
+    source_id: SourceId,
+    manifest_file: &Path,
+    is_embedded: bool,
+    gctx: &GlobalContext,
+    warnings: &mut Vec<String>,
+    _errors: &mut Vec<String>,
+    cargo_generated: bool,
 ) -> CargoResult<Manifest> {
     let package_root = manifest_file.parent().unwrap();
     if !package_root.is_dir() {
@@ -1582,6 +1616,7 @@ pub fn to_real_manifest(
         warnings,
         platform: None,
         root: package_root,
+        cargo_generated,
     };
     gather_dependencies(
         &mut manifest_ctx,
@@ -1977,6 +2012,7 @@ fn to_virtual_manifest(
             warnings,
             platform: None,
             root,
+            cargo_generated: false,
         };
         (
             replace(&normalized_toml, &mut manifest_ctx)?,
@@ -2045,6 +2081,7 @@ struct ManifestContext<'a, 'b> {
     warnings: &'a mut Vec<String>,
     platform: Option<Platform>,
     root: &'a Path,
+    cargo_generated: bool,
 }
 
 #[tracing::instrument(skip_all)]
@@ -2175,6 +2212,7 @@ pub(crate) fn to_dependency<P: ResolveToPath + Clone>(
             warnings,
             platform,
             root,
+            cargo_generated: false,
         },
         kind,
     )
@@ -2292,6 +2330,27 @@ fn detailed_dep_to_dependency<P: ResolveToPath + Clone>(
         dep.set_registry_id(registry_id);
     }
     if let Some(registry_index) = &orig.registry_index {
+        // `registry-index` is for internal use only.
+        // It should not be used in user-written manifests as it bypasses the need for .cargo/config.toml configuration.
+
+        if !manifest_ctx.source_id.is_registry()
+            && !manifest_ctx.source_id.is_directory()
+            && !manifest_ctx.cargo_generated
+        {
+            // Check if this is a packaged manifest (in target/package or target\package)
+            // by checking if the path contains the pattern
+            let path_str: Cow<'_, str> = manifest_ctx.root.to_string_lossy();
+            let is_packaged_manifest =
+                path_str.contains("target/package") || path_str.contains("target\\package");
+
+            if !is_packaged_manifest {
+                bail!(
+                    "dependency ({}) specification uses `registry-index` which is for internal use only\n\
+                    help: use `registry = \"<name>\"` and configure the registry in `.cargo/config.toml`",
+                    name_in_toml
+                );
+            }
+        }
         let url = registry_index.into_url()?;
         let registry_id = SourceId::for_registry(&url)?;
         dep.set_registry_id(registry_id);
@@ -2936,7 +2995,7 @@ pub fn prepare_for_publish(
     let mut warnings = Default::default();
     let mut errors = Default::default();
     let gctx = ws.gctx();
-    let manifest = to_real_manifest(
+    let manifest = to_real_manifest_impl(
         contents.to_owned(),
         document.clone(),
         original_toml,
@@ -2949,6 +3008,7 @@ pub fn prepare_for_publish(
         gctx,
         &mut warnings,
         &mut errors,
+        true, // cargo_generated - this is a Cargo-generated manifest
     )?;
     let new_pkg = Package::new(manifest, me.manifest_path());
     Ok(new_pkg)
diff --git a/tests/testsuite/alt_registry.rs b/tests/testsuite/alt_registry.rs
@@ -285,18 +285,14 @@ fn registry_index_not_allowed_in_user_manifests() {
         .file("src/lib.rs", "")
         .build();
 
-    // FIXME: This currently allows `registry-index` which is a bug.
-    // It should error during manifest parsing because `registry-index` is for internal use only.
-    // Instead, it tries to fetch from the URL and fails with a network error.
     p.cargo("check")
+        .with_status(101)
         .with_stderr_data(str![[r#"
-[UPDATING] `[ROOT]/alternative-registry` index
-[LOCKING] 1 package to latest compatible version
-[DOWNLOADING] crates ...
-[DOWNLOADED] bar v0.1.0 (registry `[ROOT]/alternative-registry`)
-[CHECKING] bar v0.1.0 (registry `[ROOT]/alternative-registry`)
-[CHECKING] foo v0.0.0 ([ROOT]/foo)
-[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+[ERROR] failed to parse manifest at `[ROOT]/foo/Cargo.toml`
+
+Caused by:
+  dependency (bar) specification uses `registry-index` which is for internal use only
+  [HELP] use `registry = "<name>"` and configure the registry in `.cargo/config.toml`
 
 "#]])
         .run();
diff --git a/tests/testsuite/publish.rs b/tests/testsuite/publish.rs
@@ -4628,26 +4628,14 @@ fn registry_index_not_allowed_in_publish() {
         .file("src/main.rs", "fn main() {}")
         .build();
 
-    // FIXME: This currently allows `registry-index` which is a bug.
-    // It should error during manifest parsing because `registry-index` is for internal use only.
-    // Instead, it actually works and the package can be published.
     p.cargo("publish --registry alternative")
+        .with_status(101)
         .with_stderr_data(str![[r#"
-[UPDATING] `alternative` index
-[PACKAGING] foo v0.0.1 ([ROOT]/foo)
-[UPDATING] `[ROOT]/registry` index
-[PACKAGED] 4 files, [FILE_SIZE]B ([FILE_SIZE]B compressed)
-[VERIFYING] foo v0.0.1 ([ROOT]/foo)
-[DOWNLOADING] crates ...
-[DOWNLOADED] bar v0.1.0 (registry `[ROOT]/registry`)
-[COMPILING] bar v0.1.0 (registry `[ROOT]/registry`)
-[COMPILING] foo v0.0.1 ([ROOT]/foo/target/package/foo-0.0.1)
-[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
-[UPLOADING] foo v0.0.1 ([ROOT]/foo)
-[UPLOADED] foo v0.0.1 to registry `alternative`
-[NOTE] waiting for foo v0.0.1 to be available at registry `alternative`
-[HELP] you may press ctrl-c to skip waiting; the crate should be available shortly
-[PUBLISHED] foo v0.0.1 at registry `alternative`
+[ERROR] failed to parse manifest at `[ROOT]/foo/Cargo.toml`
+
+Caused by:
+  dependency (bar) specification uses `registry-index` which is for internal use only
+  [HELP] use `registry = "<name>"` and configure the registry in `.cargo/config.toml`
 
 "#]])
         .run();
