
sonatype-2021-4646 #178

Closed
acim opened this issue Jun 3, 2022 · 9 comments

Comments

acim (Contributor) commented Jun 3, 2022

cargo pants reports the following vulnerability:

Vulnerable Dependencies

[1/1] pkg:cargo/rust-embed-impl@6.2.0
1 known vulnerability found

Vulnerability Title: 1 vulnerability found
╭─────────────┬────────────────────────────────────────────────────────────────────────────╮
│ ID          │ sonatype-2021-4646                                                         │
├─────────────┼────────────────────────────────────────────────────────────────────────────┤
│ Description │ 1 non-CVE vulnerability found. To see more details, please create a free   │
│             │ account at https://ossindex.sonatype.org/ and request for this             │
│             │ information using your registered account                                  │
├─────────────┼────────────────────────────────────────────────────────────────────────────┤
│ CVSS Score  │ 7.8                                                                        │
├─────────────┼────────────────────────────────────────────────────────────────────────────┤
│ CVSS Vector │ CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H                               │
├─────────────┼────────────────────────────────────────────────────────────────────────────┤
│ Reference   │ https://ossindex.sonatype.org                                              │
╰─────────────┴────────────────────────────────────────────────────────────────────────────╯

Inverse Dependency graph
rust-embed-impl 6.2.0 (git+https://github.com/pyrossh/rust-embed#451568cd0c93a9fd363829f54c17785e432bf4e8)
└── rust-embed 6.4.0 (git+https://github.com/pyrossh/rust-embed#451568cd0c93a9fd363829f54c17785e432bf4e8)

acim (Contributor, Author) commented Jun 3, 2022

[sonatype-2021-4646] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

rust-embed-impl - Path Traversal

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

pyrossh (Owner) commented Jun 3, 2022

Hmm, I don't know if the typical scenario ../../../etc/passwd applies here as well, since we don't have a filesystem here. But I guess we could normalize the input. I'm guessing this vulnerability happens or is exposed during development, as that is when we use the filesystem to serve the files.

Any ideas, should we normalize the input path and remove ../../ at the beginning in this case?
@AzureMarker

acim (Contributor, Author) commented Jun 3, 2022

Maybe check if the canonical path starts with the crate root? If not, reject it.
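The check suggested above (canonicalize the joined path, then require the result to start with the root), as an added Rust example that is not rust-embed's code and is not how the project's own fix in e1720ce was written. The helper names `resolve_under_root` and `setup_fixture`, and the temporary asset directory they use, are assumptions for this illustration; the scenario is the debug-mode one pyrossh describes, where files are read from the filesystem.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Resolve a user-controlled relative path underneath `root`, returning
/// `None` when the file is missing or the canonical result escapes `root`.
/// Hypothetical helper, not rust-embed's implementation.
pub fn resolve_under_root(root: &Path, requested: &str) -> Option<PathBuf> {
    // Canonicalize the root itself, so symlinks in the root's own path
    // (e.g. /var -> /private/var) do not defeat the prefix comparison.
    let root = root.canonicalize().ok()?;
    // `Path::join` with an absolute `requested` would discard `root`
    // entirely, so reject absolute input up front.
    if Path::new(requested).is_absolute() {
        return None;
    }
    let candidate = root.join(requested);
    // `canonicalize` resolves `.`, `..` and symlinks against the real
    // filesystem, so a symlink inside root pointing outside is caught too.
    // It fails for a nonexistent file, which we treat as "not found".
    let canonical = candidate.canonicalize().ok()?;
    // `starts_with` compares whole path components, not string prefixes,
    // so `/tmp/assets` does not match `/tmp/assets-other/x`.
    if canonical.starts_with(&root) {
        Some(canonical)
    } else {
        None
    }
}

/// Constructed sample layout so the check runs offline:
/// <tmp>/embed-demo-<pid>/assets/index.html (inside root) and
/// <tmp>/embed-demo-<pid>/secret.txt (outside root).
pub fn setup_fixture() -> PathBuf {
    let base = std::env::temp_dir().join(format!("embed-demo-{}", std::process::id()));
    let root = base.join("assets");
    fs::create_dir_all(&root).expect("create fixture dir");
    fs::write(root.join("index.html"), "<h1>hello</h1>").expect("write asset");
    fs::write(base.join("secret.txt"), "outside the asset root").expect("write outside file");
    root
}

fn main() {
    let root = setup_fixture();
    for req in ["index.html", "./index.html", "../secret.txt", "/etc/hostname"] {
        println!("{:?} -> {:?}", req, resolve_under_root(&root, req));
    }
}
```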

AzureMarker (Collaborator)

I thought we already patched this?

pyrossh (Owner) commented Jun 4, 2022

Yep, just saw the code. It was implemented by you in this commit: e1720ce

acim (Contributor, Author) commented Jun 4, 2022

Can it just be that they have to recheck the project again? Maybe you should try to contact them as maintainers.

AzureMarker (Collaborator) commented Jun 4, 2022

@pyrossh I think the issue is that we didn't release the impl crate for the last two versions. It's still on 6.2.0:
[screenshot not included]

Edit: That or they mixed up the impl vs main crate versions.

pyrossh (Owner) commented Jun 5, 2022

@AzureMarker the latest impl crate version is v6.2.0. The crate versions don't need to match. I tried it myself and got the same. I have added a pants-ignore file for this vulnerability. We actually fixed this issue and published it for v6.2.0 of the impl crate.
6aafae6

pyrossh closed this as completed Jun 5, 2022
AzureMarker (Collaborator) commented Jun 5, 2022

I think the confusion was that 6.2.0 of the main crate did have the bug (according to the changelog), but it was fixed in the 6.2.0 version of the impl crate.
