Update chrono to avoid RUSTSEC-2020-0159. Fixes mozilla#4590

mhammond · Mar 29, 2023 · 8ad3305 · 8ad3305
1 parent 7dddba5
commit 8ad3305
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 19 deletions.
diff --git a/.github/workflows/dependency-check.yaml b/.github/workflows/dependency-check.yaml
@@ -57,8 +57,6 @@ jobs:
             # Explanation for ignored issues:
             #  * RUSTSEC-2021-0019:  Soundness issues in `xcb`, a clipboard library we only use for examples.
             #                        There is currently no fixed version available.
-            #  * RUSTSEC-2020-0159:  A possible Segfault in `chrono`'s `localtime_r' invocation, at the time of this
-            #                        patch, there is no fixed versions available, but an issue is filed on chrono: https://github.com/chronotope/chrono/issues/602
             #  * RUSTSEC-2020-0071: Related to the one above, `chrono` pulls in a version of `time` that has the same problem, where invocations of
             #                       `localtime_r` could segfault, our code base doesn't trigger this, there is a PR on chrono that should
             #                       fix this: https://github.com/chronotope/chrono/pull/578
@@ -68,7 +66,7 @@ jobs:
             #                       version of `yaml-rust`, which will be released in `v3` and additionally, 
             #                       reading https://github.com/rustsec/advisory-db/issues/288, this is a false
             #                       positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`.
-            cargo audit --ignore RUSTSEC-2021-0019 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
+            cargo audit --ignore RUSTSEC-2021-0019 --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
       - name: Check for any unrecorded changes in our dependency trees
         run: |
             cargo metadata --locked > /dev/null

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/components/nimbus/src/behavior.rs b/components/nimbus/src/behavior.rs
@@ -5,7 +5,7 @@
 
 use crate::error::{BehaviorError, NimbusError, Result};
 use crate::persistence::{Database, StoreId};
-use chrono::{DateTime, Datelike, Duration, Utc};
+use chrono::{DateTime, Datelike, Duration, TimeZone, Utc};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use std::collections::vec_deque::Iter;
@@ -131,14 +131,17 @@ impl IntervalData {
         };
         data.buckets.push_front(0);
         // Set the starting instant to Jan 1 00:00:00 in order to sync rotations
-        data.starting_instant = data
-            .starting_instant
-            .with_month(1)
-            .unwrap()
-            .with_day(1)
-            .unwrap()
-            .date()
-            .and_hms(0, 0, 0);
+        data.starting_instant = Utc.from_utc_datetime(
+            &data
+                .starting_instant
+                .with_month(1)
+                .unwrap()
+                .with_day(1)
+                .unwrap()
+                .date_naive()
+                .and_hms_opt(0, 0, 0)
+                .unwrap(),
+        );
         data
     }
 
@@ -233,8 +236,7 @@ impl SingleIntervalCounter {
             .interval
             .num_rotations(self.data.starting_instant, now)?;
         if rotations > 0 {
-            self.data.starting_instant =
-                self.data.starting_instant + self.config.interval.to_duration(rotations.into());
+            self.data.starting_instant += self.config.interval.to_duration(rotations.into());
             return self.data.rotate(rotations);
         }
         Ok(())

diff --git a/components/nimbus/src/lib.rs b/components/nimbus/src/lib.rs
@@ -372,7 +372,7 @@ impl NimbusClient {
         // we first check our context
         if let Some(context_installation_date) = self.app_context.installation_date {
             let res = DateTime::<Utc>::from_utc(
-                NaiveDateTime::from_timestamp(context_installation_date / 1_000, 0),
+                NaiveDateTime::from_timestamp_opt(context_installation_date / 1_000, 0).unwrap(),
                 Utc,
             );
             log::info!("[Nimbus] Retrieved date from Context: {}", res);

diff --git a/components/nimbus/src/tests/test_behavior.rs b/components/nimbus/src/tests/test_behavior.rs
@@ -1407,7 +1407,7 @@ mod event_store_tests {
                 then.weekday(),
                 same_week(now, then)
             );
-            now = now + one_day;
+            now += one_day;
         }
 
         Ok(())