From 98a0a1fbcc9667624e713f58633e746cdc240d5a Mon Sep 17 00:00:00 2001
From: Saito
Date: Tue, 25 Oct 2022 15:59:31 -0500
Subject: [PATCH 1/6] Avoid the chrono crate depending on the time crate

This commit is in response to RUSTSEC-2020-0071 where there is a potential segfault in the time crate. The aws-smithy-types-convert crate now disables the default features of the chrono crate so that it will not depend on the time crate.
---
 rust-runtime/aws-smithy-types-convert/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rust-runtime/aws-smithy-types-convert/Cargo.toml b/rust-runtime/aws-smithy-types-convert/Cargo.toml
index 552c3e106a..c9ffbd22a0 100644
--- a/rust-runtime/aws-smithy-types-convert/Cargo.toml
+++ b/rust-runtime/aws-smithy-types-convert/Cargo.toml
@@ -13,7 +13,7 @@ convert-time = ["aws-smithy-types", "time"]
 
 [dependencies]
 aws-smithy-types = { path = "../aws-smithy-types", optional = true }
-chrono = { version = "0.4.19", optional = true }
+chrono = { version = "0.4.19", optional = true, default-features = false, features = ["std"] }
 time = { version = "0.3.4", optional = true }
 
 [package.metadata.docs.rs]

From 1d22ce56bd2b6197856078f3f9e7f56c88a986ba Mon Sep 17 00:00:00 2001
From: Saito
Date: Tue, 25 Oct 2022 16:04:32 -0500
Subject: [PATCH 2/6] Depend on lambda_http without RUSTSEC-2020-0071

This commit updates the version of lambda_http used by aws-smithy-http-server and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of lambda_http used the chrono crate in a way that exposed a security issue described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those two crates do not exhibit vulnerabilities as reported by cargo audit.
---
 rust-runtime/aws-smithy-http-server-python/Cargo.toml | 2 +-
 rust-runtime/aws-smithy-http-server/Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

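Review bot: The new chrono line closes RUSTSEC-2020-0071 only for a dependency graph in which no other crate enables chrono's default features — Cargo unifies features across the graph, so a single downstream dependency that enables chrono's defaults pulls its `oldtime` feature, and with it `time` 0.1, back into the lockfile; the check that matters is therefore `cargo audit` against each consuming workspace's Cargo.lock, not this line alone. `default-features = false` also drops chrono's `clock` feature, not just `oldtime`, so anything in this crate or its tests that used `Utc::now()` or `Local` will no longer compile under `--features convert-chrono` unless that feature is re-enabled; a build with that feature set should accompany the change. The reason for the feature choice is not recorded next to it; I would add the comment `# default-features = false: chrono's default "oldtime" feature pulls in time 0.1 (RUSTSEC-2020-0071)` above the chrono line. The commit message's "will not depend on the time crate" conflates the vulnerable `time` 0.1 with the `time = "0.3.4"` optional dependency that remains two lines below, which is a separate line of the crate and not covered by the advisory.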
diff --git a/rust-runtime/aws-smithy-http-server-python/Cargo.toml b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
index 52e1e537af..99482c2a87 100644
--- a/rust-runtime/aws-smithy-http-server-python/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
@@ -22,7 +22,7 @@ bytes = "1.2"
 futures = "0.3"
 http = "0.2"
 hyper = { version = "0.14.20", features = ["server", "http1", "http2", "tcp", "stream"] }
-lambda_http = "0.6.0"
+lambda_http = "0.7.0"
 num_cpus = "1.13.1"
 parking_lot = "0.12.1"
 pin-project-lite = "0.2"
diff --git a/rust-runtime/aws-smithy-http-server/Cargo.toml b/rust-runtime/aws-smithy-http-server/Cargo.toml
index 055b7aab8c..c0af91db55 100644
--- a/rust-runtime/aws-smithy-http-server/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server/Cargo.toml
@@ -26,7 +26,7 @@ futures-util = { version = "0.3", default-features = false }
 http = "0.2"
 http-body = "0.4"
 hyper = { version = "0.14.12", features = ["server", "http1", "http2", "tcp", "stream"] }
-lambda_http = "0.6.0"
+lambda_http = "0.7.0"
 mime = "0.3"
 nom = "7"
 pin-project-lite = "0.2"

From b1cb5fad024df27a6e62213d7ee2eeb3ddcef446 Mon Sep 17 00:00:00 2001
From: Saito
Date: Wed, 26 Oct 2022 11:54:23 -0500
Subject: [PATCH 3/6] Bump minor version of lambda_http in pokemon-service

This commit updates the version of `lambda_http` used by `pokemon-service` from 0.6.0 to 0.7.0. This is in sync with the fact that both `aws-smithy-http-server` and `aws-smithy-http-server-python` now depend on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service` to fail to compile due to an error at `lambda_http::run(handler)` in the main function of the `pokemon-service-lambda` binary: the trait `Service>` is not implemented for `LambdaHandler`
---
 .../aws-smithy-http-server/examples/pokemon-service/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml b/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
index 82162950a1..88b8c3e461 100644
--- a/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
@@ -37,7 +37,7 @@ rustls-pemfile = "1.0.1"
 futures-util = "0.3"
 
 # This dependency is only required for the `pokemon-service-lambda` program.
-lambda_http = "0.6.0"
+lambda_http = "0.7.0"
 
 # Local paths
 aws-smithy-http-server = { path = "../../" }

From b158da0091198e3586e3e38af2666c13d94d4f63 Mon Sep 17 00:00:00 2001
From: Saito
Date: Fri, 28 Oct 2022 14:36:15 -0500
Subject: [PATCH 4/6] Depend on lambda-http 0.7.1

This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in the crates within the top-level `rust-runtime` workspace. These updates are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556
---
 rust-runtime/aws-smithy-http-server-python/Cargo.toml | 2 +-
 rust-runtime/aws-smithy-http-server/Cargo.toml | 2 +-
 .../aws-smithy-http-server/examples/pokemon-service/Cargo.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rust-runtime/aws-smithy-http-server-python/Cargo.toml b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
index 99482c2a87..1a4e4098b0 100644
--- a/rust-runtime/aws-smithy-http-server-python/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
@@ -22,7 +22,7 @@ bytes = "1.2"
 futures = "0.3"
 http = "0.2"
 hyper = { version = "0.14.20", features = ["server", "http1", "http2", "tcp", "stream"] }
-lambda_http = "0.7.0"
+lambda_http = "0.7.1"
 num_cpus = "1.13.1"
 parking_lot = "0.12.1"
 pin-project-lite = "0.2"
diff --git a/rust-runtime/aws-smithy-http-server/Cargo.toml b/rust-runtime/aws-smithy-http-server/Cargo.toml
index c0af91db55..10888a09e5 100644
--- a/rust-runtime/aws-smithy-http-server/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server/Cargo.toml
@@ -26,7 +26,7 @@ futures-util = { version = "0.3", default-features = false }
 http = "0.2"
 http-body = "0.4"
 hyper = { version = "0.14.12", features = ["server", "http1", "http2", "tcp", "stream"] }
-lambda_http = "0.7.0"
+lambda_http = "0.7.1"
 mime = "0.3"
 nom = "7"
 pin-project-lite = "0.2"
diff --git a/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml b/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
index 88b8c3e461..1d665d249c 100644
--- a/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
@@ -37,7 +37,7 @@ rustls-pemfile = "1.0.1"
 futures-util = "0.3"
 
 # This dependency is only required for the `pokemon-service-lambda` program.
-lambda_http = "0.7.0"
+lambda_http = "0.7.1"
 
 # Local paths
 aws-smithy-http-server = { path = "../../" }

From 09f53314cca6a83bffcfa2f302c62b4e50307ac6 Mon Sep 17 00:00:00 2001
From: Saito
Date: Fri, 28 Oct 2022 15:18:03 -0500
Subject: [PATCH 5/6] Update CHANGELOG.next.toml

---
 CHANGELOG.next.toml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
index 307295aefe..8c2938e799 100644
--- a/CHANGELOG.next.toml
+++ b/CHANGELOG.next.toml
@@ -52,3 +52,9 @@ message = "Fix bug that can cause panics in paginators"
 references = ["smithy-rs#1903", "smithy-rs#1902"]
 meta = { "breaking" = false, "tada" = false, "bug" = true, "target" = "client"}
 author = "rcoh"
+
+[[smithy-rs]]
+message = "Fix cargo audit issue on chrono."
+references = ["smithy-rs#1907"]
+meta = { "breaking" = false, "tada" = false, "bug" = false }
+author = "ysaito1001"

From eb68d7f68f3bcf8f1c0b5d7f508658722c64228d Mon Sep 17 00:00:00 2001
From: Saito
Date: Mon, 31 Oct 2022 14:29:47 -0500
Subject: [PATCH 6/6] Address https://github.com/awslabs/smithy-rs/pull/1907\#pullrequestreview-1161609833

---
 CHANGELOG.next.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
index b2c6bec559..64cfb40a1e 100644
--- a/CHANGELOG.next.toml
+++ b/CHANGELOG.next.toml
@@ -71,5 +71,5 @@ author = "Velfi"
 [[smithy-rs]]
 message = "Fix cargo audit issue on chrono."
 references = ["smithy-rs#1907"]
-meta = { "breaking" = false, "tada" = false, "bug" = false }
+meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "all" }
 author = "ysaito1001"