fix(toml): Reject registry-index in user-written manifests

moabo3li · moabo3li · commit fcbe47d9332f · 2025-11-24T17:26:21.000+02:00
diff --git a/src/cargo/util/toml/mod.rs b/src/cargo/util/toml/mod.rs
@@ -1276,6 +1276,40 @@ pub fn to_real_manifest(
     gctx: &GlobalContext,
     warnings: &mut Vec<String>,
     _errors: &mut Vec<String>,
+) -> CargoResult<Manifest> {
+    to_real_manifest_impl(
+        contents,
+        document,
+        original_toml,
+        normalized_toml,
+        features,
+        workspace_config,
+        source_id,
+        manifest_file,
+        is_embedded,
+        gctx,
+        warnings,
+        _errors,
+        false,
+    )
+}
+
+/// Internal implementation with cargo_generated parameter
+#[tracing::instrument(skip_all)]
+fn to_real_manifest_impl(
+    contents: String,
+    document: toml::Spanned<toml::de::DeTable<'static>>,
+    original_toml: manifest::TomlManifest,
+    normalized_toml: manifest::TomlManifest,
+    features: Features,
+    workspace_config: WorkspaceConfig,
+    source_id: SourceId,
+    manifest_file: &Path,
+    is_embedded: bool,
+    gctx: &GlobalContext,
+    warnings: &mut Vec<String>,
+    _errors: &mut Vec<String>,
+    cargo_generated: bool,
 ) -> CargoResult<Manifest> {
     let package_root = manifest_file.parent().unwrap();
     if !package_root.is_dir() {
@@ -1582,6 +1616,7 @@ pub fn to_real_manifest(
         warnings,
         platform: None,
         root: package_root,
+        cargo_generated,
     };
     gather_dependencies(
         &mut manifest_ctx,
@@ -1977,6 +2012,7 @@ fn to_virtual_manifest(
             warnings,
             platform: None,
             root,
+            cargo_generated: false,
         };
         (
             replace(&normalized_toml, &mut manifest_ctx)?,
@@ -2045,6 +2081,7 @@ struct ManifestContext<'a, 'b> {
     warnings: &'a mut Vec<String>,
     platform: Option<Platform>,
     root: &'a Path,
+    cargo_generated: bool,
 }
 
 #[tracing::instrument(skip_all)]
@@ -2175,6 +2212,7 @@ pub(crate) fn to_dependency<P: ResolveToPath + Clone>(
             warnings,
             platform,
             root,
+            cargo_generated: false,
         },
         kind,
     )
@@ -2292,6 +2330,24 @@ fn detailed_dep_to_dependency<P: ResolveToPath + Clone>(
         dep.set_registry_id(registry_id);
     }
     if let Some(registry_index) = &orig.registry_index {
+        // `registry-index` is for internal use only.
+        // It should not be used in user-written manifests as it bypasses the need for .cargo/config.toml configuration.
+
+        if !manifest_ctx.source_id.is_registry() && !manifest_ctx.cargo_generated {
+            // Check if this is a packaged manifest (in target/package or target\package)
+            // by checking if the path contains the pattern
+            let path_str = manifest_ctx.root.to_string_lossy();
+            let is_packaged_manifest =
+                path_str.contains("target/package") || path_str.contains("target\\package");
+
+            if !is_packaged_manifest {
+                bail!(
+                    "dependency ({}) specification uses `registry-index` which is for internal use only\n\
+                    help: use `registry = \"<name>\"` and configure the registry in `.cargo/config.toml`",
+                    name_in_toml
+                );
+            }
+        }
         let url = registry_index.into_url()?;
         let registry_id = SourceId::for_registry(&url)?;
         dep.set_registry_id(registry_id);
@@ -2936,7 +2992,7 @@ pub fn prepare_for_publish(
     let mut warnings = Default::default();
     let mut errors = Default::default();
     let gctx = ws.gctx();
-    let manifest = to_real_manifest(
+    let manifest = to_real_manifest_impl(
         contents.to_owned(),
         document.clone(),
         original_toml,
@@ -2949,6 +3005,7 @@ pub fn prepare_for_publish(
         gctx,
         &mut warnings,
         &mut errors,
+        true, // cargo_generated - this is a Cargo-generated manifest
     )?;
     let new_pkg = Package::new(manifest, me.manifest_path());
     Ok(new_pkg)
diff --git a/tests/testsuite/alt_registry.rs b/tests/testsuite/alt_registry.rs
@@ -282,34 +282,14 @@ fn registry_index_not_allowed_in_user_manifests() {
         .file("src/lib.rs", "")
         .build();
 
-    // FIXME: This currently allows `registry-index` which is a bug.
-    // It should error during manifest parsing because `registry-index` is for internal use only.
-    // Instead, it tries to fetch from the URL and fails with a network error.
     p.cargo("check")
         .with_status(101)
         .with_stderr_data(str![[r#"
-[UPDATING] `https://example.com/index` index
-[WARNING] spurious network error (3 tries remaining): unexpected http status code: 404; class=Http (34)
-[WARNING] spurious network error (2 tries remaining): unexpected http status code: 404; class=Http (34)
-[WARNING] spurious network error (1 try remaining): unexpected http status code: 404; class=Http (34)
-[ERROR] failed to get `bar` as a dependency of package `foo v0.0.0 ([ROOT]/foo)`
-
-Caused by:
-  failed to load source for dependency `bar`
-
-Caused by:
-  Unable to update registry `https://example.com/index`
-
-Caused by:
-  failed to fetch `https://example.com/index`
-
-Caused by:
-  network failure seems to have happened
-  if a proxy or similar is necessary `net.git-fetch-with-cli` may help here
-  https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli
+[ERROR] failed to parse manifest at `[ROOT]/foo/Cargo.toml`
 
 Caused by:
-  unexpected http status code: 404; class=Http (34)
+  dependency (bar) specification uses `registry-index` which is for internal use only
+  [HELP] use `registry = "<name>"` and configure the registry in `.cargo/config.toml`
 
 "#]])
         .run();
diff --git a/tests/testsuite/publish.rs b/tests/testsuite/publish.rs
@@ -4623,39 +4623,14 @@ fn registry_index_not_allowed_in_publish() {
         .file("src/main.rs", "fn main() {}")
         .build();
 
-    // FIXME: This currently allows `registry-index` which is a bug.
-    // It should error during manifest parsing because `registry-index` is for internal use only.
-    // Instead, it tries to fetch from the URL and fails with a network error.
     p.cargo("publish --registry alternative")
         .with_status(101)
         .with_stderr_data(str![[r#"
-[UPDATING] `alternative` index
-[PACKAGING] foo v0.0.1 ([ROOT]/foo)
-[UPDATING] `https://example.com/index` index
-[WARNING] spurious network error (3 tries remaining): unexpected http status code: 404; class=Http (34)
-[WARNING] spurious network error (2 tries remaining): unexpected http status code: 404; class=Http (34)
-[WARNING] spurious network error (1 try remaining): unexpected http status code: 404; class=Http (34)
-[ERROR] failed to prepare local package for uploading
-
-Caused by:
-  failed to get `bar` as a dependency of package `foo v0.0.1 ([ROOT]/foo)`
-
-Caused by:
-  failed to load source for dependency `bar`
-
-Caused by:
-  Unable to update registry `https://example.com/index`
-
-Caused by:
-  failed to fetch `https://example.com/index`
-
-Caused by:
-  network failure seems to have happened
-  if a proxy or similar is necessary `net.git-fetch-with-cli` may help here
-  https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli
+[ERROR] failed to parse manifest at `[ROOT]/foo/Cargo.toml`
 
 Caused by:
-  unexpected http status code: 404; class=Http (34)
+  dependency (bar) specification uses `registry-index` which is for internal use only
+  [HELP] use `registry = "<name>"` and configure the registry in `.cargo/config.toml`
 
 "#]])
         .run();
