⚠ This page is served via a proxy. Original site: https://github.com
This service does not collect credentials or authentication data.
Skip to content

fix(sb_fs): make s3 fs proxy capability to unsafe feature#448

Merged
nyannyacha merged 1 commit intosupabase:mainfrom
nyannyacha:fix-make-s3fs-proxy-unsafe
Nov 23, 2024
Merged

fix(sb_fs): make s3 fs proxy capability to unsafe feature#448
nyannyacha merged 1 commit intosupabase:mainfrom
nyannyacha:fix-make-s3fs-proxy-unsafe

Conversation

@nyannyacha
Copy link
Contributor

@nyannyacha nyannyacha commented Nov 22, 2024

What kind of change does this PR introduce?

Bug fix

Description

According to dependabot, <= webpki@0.22.1 is vulnerable to CPU denial of service attacks.
However, this version is only used for debugging and development purposes by hyper-proxy, so it can be tolerated.

Ultimately, this is a problem because aws-rust-sdk does not currently provide an appropriate hyper v1 connector, and if the issue is resolved (which does not seem likely to be resolved in the short term), the vulnerability can be completely resolved by upgrading the connector version.

The proxy feature is used very limitedly, so I am adding a feature gate to make it available only through the cargo feature to clarify its meaning.

│   ├── hyper-proxy v0.9.1
│   │   ├── bytes v1.6.1
│   │   ├── futures v0.3.30 (*)
│   │   ├── headers v0.3.9 (*)
│   │   ├── http v0.2.11 (*)
│   │   ├── hyper v0.14.28 (*)
│   │   ├── hyper-rustls v0.22.1
│   │   │   ├── ct-logs v0.8.0
│   │   │   │   └── sct v0.6.1
│   │   │   │       ├── ring v0.16.20
│   │   │   │       │   ├── libc v0.2.153
│   │   │   │       │   ├── once_cell v1.19.0
│   │   │   │       │   ├── spin v0.5.2
│   │   │   │       │   └── untrusted v0.7.1
│   │   │   │       │   [build-dependencies]
│   │   │   │       │   └── cc v1.2.1 (*)
│   │   │   │       └── untrusted v0.7.1
│   │   │   ├── futures-util v0.3.30 (*)
│   │   │   ├── hyper v0.14.28 (*)
│   │   │   ├── log v0.4.20
│   │   │   ├── rustls v0.19.1
│   │   │   │   ├── base64 v0.13.1
│   │   │   │   ├── log v0.4.20
│   │   │   │   ├── ring v0.16.20 (*)
│   │   │   │   ├── sct v0.6.1 (*)
│   │   │   │   └── webpki v0.21.4 👈
│   │   │   │       ├── ring v0.16.20 (*)
│   │   │   │       └── untrusted v0.7.1
│   │   │   ├── rustls-native-certs v0.5.0
│   │   │   │   ├── openssl-probe v0.1.5
│   │   │   │   └── rustls v0.19.1 (*)
│   │   │   ├── tokio v1.36.0 (*)
│   │   │   ├── tokio-rustls v0.22.0
│   │   │   │   ├── rustls v0.19.1 (*)
│   │   │   │   ├── tokio v1.36.0 (*)
│   │   │   │   └── webpki v0.21.4 (*) 👈
│   │   │   └── webpki v0.21.4 (*) 👈
│   │   ├── rustls-native-certs v0.5.0 (*)
│   │   ├── tokio v1.36.0 (*)
│   │   ├── tokio-rustls v0.22.0 (*)
│   │   ├── tower-service v0.3.2
│   │   └── webpki v0.21.4 (*) 👈

Refs:

1: https://github.com/supabase/edge-runtime/security/dependabot/18
2: awslabs/aws-sdk-rust#169
3: tafia/hyper-proxy#38

@nyannyacha nyannyacha requested a review from laktek November 22, 2024 23:21
@nyannyacha nyannyacha force-pushed the fix-make-s3fs-proxy-unsafe branch from ed789be to c5626d3 Compare November 23, 2024 01:18
@nyannyacha nyannyacha merged commit e19cac9 into supabase:main Nov 23, 2024
@github-actions
Copy link

github-actions bot commented Nov 23, 2024

🎉 This PR is included in version 1.62.4 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@nyannyacha
Copy link
Contributor Author

nyannyacha commented Nov 23, 2024

https://github.com/supabase/edge-runtime/security/dependabot/18 has been dismissed
cc @laktek

@nyannyacha nyannyacha deleted the fix-make-s3fs-proxy-unsafe branch November 23, 2024 01:34
This was referenced Nov 24, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laktek laktek laktek approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nyannyacha @laktek