Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG][RUST] Vulnerability in indirect dependency of rust-server #16066

Open
4 of 5 tasks
faro-dr opened this issue Jul 11, 2023 · 0 comments
Open
4 of 5 tasks

[BUG][RUST] Vulnerability in indirect dependency of rust-server #16066

faro-dr opened this issue Jul 11, 2023 · 0 comments
Labels
Issue: Bug

Comments

@faro-dr
Copy link
Contributor

faro-dr commented Jul 11, 2023

Bug Report Checklist

  • Have you provided a full/minimal spec to reproduce the issue?
  • Have you validated the input using an OpenAPI validator (example)?
  • Have you tested with the latest master to confirm the issue still exists?
  • Have you searched for related issues/PRs?
  • What's the actual output vs expected output?
Description

The rust-server generator has an indirect dependency on the time crate in version 0.1 which is affected by this vulnerability: https://rustsec.org/advisories/RUSTSEC-2020-0071

This is the dependency tree:

time v0.1.45
└── chrono v0.4.26
openapi-generator version

6.6.0, but I have verified that the issue persists with the Cargo.mustache from the current main branch

OpenAPI declaration file content or url

The dependency is hard-coded in Cargo.mustache and thus any specification will reproduce the issue.

Generation Details

Generation is done in a script along the following lines

OPENAPI_GENERATOR_VERSION="6.6.0" \
OPENAPI_GENERATOR_DOWNLOAD_CACHE_DIR="$openapi_cachedir" \
$openapi_cli generate \
    -i "${api_spec}" \
    -o "${out_dir}" \
    -g rust-server \
    --additional-properties=packageName="$package_name"
Steps to reproduce

Generate the code, include the server in a Rust project, then run cargo deny --all-features check which fails due to a security vulnerability in time 0.1.45. The expected result is that there are no security vulnerabilities.

Related issues/PRs

I haven't found any but have reported a similar issue here: Metaswitch/swagger-rs#169

Suggest a fix

A fix for this situation (indirect dependency through chrono is suggested here: https://rustsec.org/advisories/RUSTSEC-2020-0071
Applied to rust-server this would be the fix which I have tested successfully:

diff --git a/modules/openapi-generator/src/main/resources/rust-server/Cargo.mustache b/modules/openapi-generator/src/main/resources/rust-server/Cargo.mustache
index b0df1bc51bf..5d4e393de2f 100644
--- a/modules/openapi-generator/src/main/resources/rust-server/Cargo.mustache
+++ b/modules/openapi-generator/src/main/resources/rust-server/Cargo.mustache
@@ -81,7 +81,7 @@ openssl = {version = "0.10", optional = true }
 [dependencies]
 # Common
 async-trait = "0.1.24"
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { version = "0.4", default-features = false, features = ["serde", "clock"] }
 futures = "0.3"
 swagger = { version = "6.1", features = ["serdejson", "server", "client", "tls", "tcp"] }
 log = "0.4.0"

I can provide a pull request if desirable.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue: Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@faro-dr