
fix(sb_fs): make s3 fs proxy capability to unsafe feature #448


Conversation

nyannyacha (Collaborator)

What kind of change does this PR introduce?

Bug fix

Description

According to dependabot, webpki <= 0.22.1 is vulnerable to CPU denial of service attacks.
However, this version is only used for debugging and development purposes by hyper-proxy, so it can be tolerated.

Ultimately, this is a problem because aws-rust-sdk does not currently provide an appropriate hyper v1 connector. If that issue is resolved (which does not seem likely in the short term), the vulnerability can be completely fixed by upgrading the connector version.

The proxy feature is used in very limited cases, so I am adding a feature gate to make it available only through a cargo feature, to make its meaning clear.

│   ├── hyper-proxy v0.9.1
│   │   ├── bytes v1.6.1
│   │   ├── futures v0.3.30 (*)
│   │   ├── headers v0.3.9 (*)
│   │   ├── http v0.2.11 (*)
│   │   ├── hyper v0.14.28 (*)
│   │   ├── hyper-rustls v0.22.1
│   │   │   ├── ct-logs v0.8.0
│   │   │   │   └── sct v0.6.1
│   │   │   │       ├── ring v0.16.20
│   │   │   │       │   ├── libc v0.2.153
│   │   │   │       │   ├── once_cell v1.19.0
│   │   │   │       │   ├── spin v0.5.2
│   │   │   │       │   └── untrusted v0.7.1
│   │   │   │       │   [build-dependencies]
│   │   │   │       │   └── cc v1.2.1 (*)
│   │   │   │       └── untrusted v0.7.1
│   │   │   ├── futures-util v0.3.30 (*)
│   │   │   ├── hyper v0.14.28 (*)
│   │   │   ├── log v0.4.20
│   │   │   ├── rustls v0.19.1
│   │   │   │   ├── base64 v0.13.1
│   │   │   │   ├── log v0.4.20
│   │   │   │   ├── ring v0.16.20 (*)
│   │   │   │   ├── sct v0.6.1 (*)
│   │   │   │   └── webpki v0.21.4 👈
│   │   │   │       ├── ring v0.16.20 (*)
│   │   │   │       └── untrusted v0.7.1
│   │   │   ├── rustls-native-certs v0.5.0
│   │   │   │   ├── openssl-probe v0.1.5
│   │   │   │   └── rustls v0.19.1 (*)
│   │   │   ├── tokio v1.36.0 (*)
│   │   │   ├── tokio-rustls v0.22.0
│   │   │   │   ├── rustls v0.19.1 (*)
│   │   │   │   ├── tokio v1.36.0 (*)
│   │   │   │   └── webpki v0.21.4 (*) 👈
│   │   │   └── webpki v0.21.4 (*) 👈
│   │   ├── rustls-native-certs v0.5.0 (*)
│   │   ├── tokio v1.36.0 (*)
│   │   ├── tokio-rustls v0.22.0 (*)
│   │   ├── tower-service v0.3.2
│   │   └── webpki v0.21.4 (*) 👈

Refs:

1: https://github.com/supabase/edge-runtime/security/dependabot/18
2: awslabs/aws-sdk-rust#169
3: tafia/hyper-proxy#38

@nyannyacha nyannyacha merged commit e19cac9 into supabase:main Nov 23, 2024
3 checks passed

🎉 This PR is included in version 1.62.4 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@nyannyacha (Collaborator, Author)

https://github.com/supabase/edge-runtime/security/dependabot/18 has been dismissed
cc @laktek
