
fix(deps): update rust crate warp to 0.3.7 [security] - autoclosed #94

Closed
wants to merge 1 commit into from

Conversation


@renovate renovate bot commented May 1, 2024

Mend Renovate

This PR contains the following updates:

Package  Type          Update  Change
warp     dependencies  patch   0.3 -> 0.3.7

Warp vulnerable to Path Traversal via Improper validation of Windows paths

GHSA-8v4j-7jgf-5rg9 / RUSTSEC-2022-0082


Details

Path resolution in warp::filters::fs::dir didn't correctly validate Windows paths, meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other Unix-likes are not impacted by this.

Severity

High


This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Improper validation of Windows paths could lead to directory traversal attack

GHSA-8v4j-7jgf-5rg9 / RUSTSEC-2022-0082


Details

Path resolution in warp::filters::fs::dir didn't correctly validate Windows paths, meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other Unix-likes are not impacted by this.

Severity

Unknown


This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Release Notes

seanmonstar/warp (warp)

v0.3.7


  • Features:
    • Add ecc private key support to tls() config.
  • Fixes:
    • Several dependency upgrades.

v0.3.6


  • Features:
    • Add ability to pass None to multipart::form().max_length().
    • Implement Reply for Result<impl Reply, impl Reply>.
    • Make multipart::Part::content_type() return the full mime string.
    • Add TlsServer::try_bind_with_graceful_shutdown().
  • Fixes:
    • Updated tungstenite and rustls dependencies for security fixes.

v0.3.5


  • Fixes:
    • multipart filters now use multer dependency, fixing some streaming bugs.
    • Rejection::into_response() is significantly faster.

v0.3.4


  • Fixes:
    • multipart::Part data is now streamed instead of buffered.
    • Update dependency used for multipart filters.

v0.3.3


  • Fixes:
    • Fix fs filters path sanitization to reject colons on Windows.

v0.3.2


  • Features:
    • Add Filter::then(), which is like Filter::map() in that it's infallible, but is async like Filter::and_then().
    • Add redirect::found() reply helper that returns 302 Found.
    • Add compression-brotli and compression-gzip cargo features to enable only the compression you need.
    • Allow HEAD requests to be served to fs::dir() filters.
    • Allow path!() with no arguments.
  • Fixes:
    • Update private dependencies Tungstenite and Multipart.
    • Replaces uses of futures with futures-util, which is a smaller dependency.

v0.3.1


  • Features:
    • Add pong constructor to websocket messages.
    • Add redirect::see_other and redirect::permanent helpers.
  • Fixes:
    • Fix fs filters sometimes having an off-by-one error with range requests.
    • Fix CORS to allow spaces when checking Access-Control-Request-Headers.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "after 8pm,before 6am" in timezone America/Denver.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
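As an added illustration (not warp's own code, nor part of this PR) of the advisory above and of the v0.3.3 release note "reject colons on Windows": a Rust function that joins a request tail onto the served directory one segment at a time, refusing segments that start with `..`, contain a backslash, or contain a colon, and then confirms the result still lies under the base. The names `sanitize_path`, `Resolved` and the `/srv/www` base are assumptions; the colon rule is applied on every platform here, which is stricter than the Windows-only check the note describes.

```rust
use std::path::{Path, PathBuf};

/// Outcome of resolving a request tail against the served directory.
#[derive(Debug, PartialEq)]
pub enum Resolved {
    Ok(PathBuf),
    Rejected(&'static str),
}

/// Join `tail` (the URL path after the route prefix) onto `base` segment by
/// segment, refusing any segment that could escape the served directory.
/// Independent illustration of the check class the advisory describes.
pub fn sanitize_path(base: &Path, tail: &str) -> Resolved {
    let mut buf = base.to_path_buf();
    for seg in tail.split('/') {
        if seg.is_empty() || seg == "." {
            continue; // "//" and "/./" contribute nothing to the path
        }
        if seg.starts_with("..") {
            return Resolved::Rejected("segment starts with '..'");
        }
        if seg.contains('\\') {
            return Resolved::Rejected("segment contains a backslash");
        }
        // The advisory's case: on Windows, PathBuf::push("c:") is treated as
        // a drive prefix and replaces the whole buffer, silently dropping
        // `base`. Refusing colons before push() closes that path entirely.
        if seg.contains(':') {
            return Resolved::Rejected("segment contains a colon");
        }
        buf.push(seg);
    }
    // Defence in depth: whatever push() did, the result must still sit
    // under `base`; a prefix or root component that reset it is caught here.
    if !buf.starts_with(base) {
        return Resolved::Rejected("resolved path left the base directory");
    }
    Resolved::Ok(buf)
}
```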

@renovate renovate bot added the rust label May 1, 2024
@renovate renovate bot changed the title fix(deps): update rust crate warp to 0.3.7 [security] fix(deps): update rust crate warp to 0.3.7 [security] - autoclosed May 5, 2024
@renovate renovate bot closed this May 5, 2024
@renovate renovate bot deleted the renovate/crate-warp-vulnerability branch May 5, 2024 10:53