
fix(deps): update rust crate warp to v0.3.3 [security] #1031

Open
Conversation

renovate[bot]

@renovate renovate bot commented Jan 8, 2024

This PR contains the following updates:

Package | Type         | Update | Change
warp    | dependencies | patch  | 0.3.1 -> 0.3.3

Warp vulnerable to Path Traversal via Improper validation of Windows paths

GHSA-8v4j-7jgf-5rg9 / RUSTSEC-2022-0082

More information

Details

Path resolution in warp::filters::fs::dir didn't correctly validate Windows paths, meaning that paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and would respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other Unix-likes are not impacted by this.

Severity

High

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Improper validation of Windows paths could lead to directory traversal attack

GHSA-8v4j-7jgf-5rg9 / RUSTSEC-2022-0082

More information

Details

Path resolution in warp::filters::fs::dir didn't correctly validate Windows paths, meaning that paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and would respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other Unix-likes are not impacted by this.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Release Notes

seanmonstar/warp (warp)

v0.3.3

Compare Source

  • Fixes:
    • Fix fs filters path sanitization to reject colons on Windows.
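The mechanism behind the advisory above is that a request segment such as `c:` is an absolute (drive-prefixed) path on Windows, so joining it onto the served directory replaces the base instead of descending into it. The sanitizer below is an added example, not warp's own code: it models the 0.3.3 fix by rejecting any decoded segment containing a colon (and, as extra hardening, a backslash or `..`) before the segment is ever joined. `sanitize_path` and the `/srv/www` base directory are assumptions of this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve a request path under `base`, refusing any segment that could
/// escape it. Apply this to the percent-decoded path, otherwise an encoded
/// colon would slip past the check. Hypothetical helper, not warp's API.
pub fn sanitize_path(base: &Path, request_path: &str) -> Option<PathBuf> {
    let mut out = base.to_path_buf();
    for seg in request_path.split('/') {
        // Empty segments ("//") and "." do not move the cursor; skip them.
        if seg.is_empty() || seg == "." {
            continue;
        }
        // ".." walks up; ':' introduces a Windows drive prefix (the bug from
        // the advisory); '\\' is a second separator on Windows (added hardening).
        if seg == ".." || seg.contains(':') || seg.contains('\\') {
            return None;
        }
        // Belt and braces: a surviving segment must parse as a plain name,
        // never as a prefix, root or parent component on any platform.
        if Path::new(seg)
            .components()
            .any(|c| !matches!(c, Component::Normal(_)))
        {
            return None;
        }
        // Only plain, relative segments reach `push`, so it can never replace
        // `base` the way joining an absolute Windows path would.
        out.push(seg);
    }
    Some(out)
}

fn main() {
    // Constructed sample paths, including the one quoted in the advisory.
    let base = Path::new("/srv/www");
    for p in [
        "/foo/bar/c:/windows/web/screen/img101.png",
        "/foo/../etc/passwd",
        "/foo/bar/img.png",
    ] {
        println!("{p:45} -> {:?}", sanitize_path(base, p));
    }
}
```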

v0.3.2

Compare Source

  • Features:
    • Add Filter::then(), which is like Filter::map() in that it's infallible, but is async like Filter::and_then().
    • Add redirect::found() reply helper that returns 302 Found.
    • Add compression-brotli and compression-gzip cargo features to enable only the compression you need.
    • Allow HEAD requests to be served to fs::dir() filters.
    • Allow path!() with no arguments.
  • Fixes:
    • Update private dependencies Tungstenite and Multipart.
    • Replaces uses of futures with futures-util, which is a smaller dependency.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title chore(deps): update rust crate warp to v0.3.3 [security] chore(deps): update rust crate warp to v0.3.3 [security] - autoclosed Jan 9, 2024
@renovate renovate bot closed this Jan 9, 2024
@renovate renovate bot deleted the renovate/crate-warp-vulnerability branch January 9, 2024 03:01
@renovate renovate bot changed the title chore(deps): update rust crate warp to v0.3.3 [security] - autoclosed chore(deps): update rust crate warp to v0.3.3 [security] Jan 9, 2024
@renovate renovate bot reopened this Jan 9, 2024
@renovate renovate bot restored the renovate/crate-warp-vulnerability branch January 9, 2024 13:24
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch from 93d9a75 to 8a75ff4 Compare January 9, 2024 16:08
@renovate renovate bot changed the title chore(deps): update rust crate warp to v0.3.3 [security] fix(deps): update rust crate warp to v0.3.3 [security] Jan 9, 2024
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch 2 times, most recently from 58c50ab to 279c4b1 Compare January 10, 2024 17:05
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch from 279c4b1 to 01c8a70 Compare February 9, 2024 04:53
@renovate renovate bot changed the title fix(deps): update rust crate warp to v0.3.3 [security] fix(deps): update rust crate warp to v0.3.6 [security] Feb 9, 2024
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch from 01c8a70 to 2550608 Compare February 12, 2024 18:11
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch from 2550608 to 5c09c6f Compare March 29, 2024 16:20
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch from 5c09c6f to 1932471 Compare April 5, 2024 22:48
@renovate renovate bot changed the title fix(deps): update rust crate warp to v0.3.6 [security] fix(deps): update rust crate warp to v0.3.7 [security] Apr 5, 2024
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/crate-warp-vulnerability branch from 1932471 to 9b3d90f Compare June 17, 2024 17:06
@renovate renovate bot changed the title fix(deps): update rust crate warp to v0.3.7 [security] fix(deps): update rust crate warp to v0.3.3 [security] Jun 17, 2024