From 6dbb3a64f4498a9e87988f3955e08a02ea61369e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Tr=C4=85d?= Date: Tue, 12 Dec 2023 14:35:32 +0100 Subject: [PATCH] Remove vulnerable webpki dependency (#659) * Vendor & fix cognito-srp-auth * Vetting * Fix rust version --- .github/workflows/test.yml | 2 +- Cargo.lock | 542 ++++++++------------- Cargo.toml | 1 - crates/cognitoauth/Cargo.toml | 20 + crates/cognitoauth/README.md | 1 + crates/cognitoauth/src/cognito_srp_auth.rs | 128 +++++ crates/cognitoauth/src/error.rs | 25 + crates/cognitoauth/src/lib.rs | 2 + crates/oz-api/Cargo.toml | 2 +- supply-chain/config.toml | 148 ++---- supply-chain/imports.lock | 71 ++- 11 files changed, 494 insertions(+), 448 deletions(-) create mode 100644 crates/cognitoauth/Cargo.toml create mode 100644 crates/cognitoauth/README.md create mode 100644 crates/cognitoauth/src/cognito_srp_auth.rs create mode 100644 crates/cognitoauth/src/error.rs create mode 100644 crates/cognitoauth/src/lib.rs diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b0c1caa2..7e5ec505 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,7 +14,7 @@ on: - main env: - RUST_VERSION: "1.74" + RUST_VERSION: "1.73" NIGHTLY_VERSION: nightly-2023-08-29 CARGO_TERM_COLOR: always # Skip incremental build and debug info generation in CI diff --git a/Cargo.lock b/Cargo.lock index 50ebda8a..1d36aefe 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -444,284 +444,338 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "aws-config" -version = "0.46.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11a8c971b0cb0484fc9436a291a44503b95141edc36ce7a6af6b6d7a06a02ab0" +checksum = "004dc45f6b869e6a70725df448004a720b7f52f6607d55d8815cbd5448f86def" dependencies = [ + "aws-credential-types", "aws-http", + "aws-runtime", "aws-sdk-sso", + "aws-sdk-ssooidc", "aws-sdk-sts", "aws-smithy-async", - "aws-smithy-client", "aws-smithy-http", - "aws-smithy-http-tower", "aws-smithy-json", + "aws-smithy-runtime", + "aws-smithy-runtime-api", "aws-smithy-types", "aws-types", "bytes", + "fastrand", "hex", "http", "hyper", - "ring 0.16.20", + "ring 0.17.5", + "time 0.3.17", "tokio", - "tower", "tracing", "zeroize", ] [[package]] -name = "aws-endpoint" -version = "0.46.0" +name = "aws-credential-types" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4bc956f415dda77215372e5bc751a2463d1f9a1ec34edf3edc6c0ff67e5c8e43" +checksum = "cfa51c87f10211f37cd78e6d01d6f18b3f96a086906ed361d11e04ac53e29508" dependencies = [ - "aws-smithy-http", + "aws-smithy-async", + "aws-smithy-runtime-api", + "aws-smithy-types", + "zeroize", +] + +[[package]] +name = "aws-http" +version = "0.60.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "361c4310fdce94328cc2d1ca0c8a48c13f43009c61d3367585685a50ca8c66b6" +dependencies = [ + "aws-smithy-runtime-api", + "aws-smithy-types", "aws-types", + "bytes", "http", - "regex", + "http-body", + "pin-project-lite", "tracing", ] [[package]] -name = "aws-http" -version = "0.46.0" +name = "aws-runtime" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a0d98a1d606aa24554e604f220878db4aa3b525b72f88798524497cc3867fc6" +checksum = "ce0953f7fc1c4428511345e28ea3e98c8b59c9e91eafae30bf76d71d70642693" dependencies = 
[ + "aws-credential-types", + "aws-http", + "aws-sigv4", + "aws-smithy-async", "aws-smithy-http", + "aws-smithy-runtime-api", "aws-smithy-types", "aws-types", - "bytes", + "fastrand", "http", - "http-body", - "lazy_static", "percent-encoding", - "pin-project-lite", "tracing", + "uuid 1.6.1", ] [[package]] name = "aws-sdk-cognitoidentityprovider" -version = "0.16.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e4eb7bace6043089ef78b3b656861d364bb8e9a01ef045b74696830462486d6" +checksum = "8791a43ab0a0a847e0df7c545c8a8302a9b1e63c76838db2b4f85f20b8d4503a" dependencies = [ - "aws-endpoint", + "aws-credential-types", "aws-http", - "aws-sig-auth", + "aws-runtime", "aws-smithy-async", - "aws-smithy-client", "aws-smithy-http", - "aws-smithy-http-tower", "aws-smithy-json", + "aws-smithy-runtime", + "aws-smithy-runtime-api", "aws-smithy-types", "aws-types", "bytes", "http", - "tokio-stream", - "tower", + "regex", + "tracing", ] [[package]] name = "aws-sdk-sso" -version = "0.16.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baa0c66fab12976065403cf4cafacffe76afa91d0da335d195af379d4223d235" +checksum = "8e0b81eaef9eb951061b5a58f660815430e3f04eacaa4b2318e7474b0b7cbf17" dependencies = [ - "aws-endpoint", + "aws-credential-types", "aws-http", - "aws-sig-auth", + "aws-runtime", "aws-smithy-async", - "aws-smithy-client", "aws-smithy-http", - "aws-smithy-http-tower", "aws-smithy-json", + "aws-smithy-runtime", + "aws-smithy-runtime-api", "aws-smithy-types", "aws-types", "bytes", "http", - "tokio-stream", - "tower", + "regex", + "tracing", ] [[package]] -name = "aws-sdk-sts" -version = "0.16.0" +name = "aws-sdk-ssooidc" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "048037cdfd7f42fb29b5f969c7f639b4b7eac00e8f911e4eac4f89fb7b3a0500" +checksum = "2e322a916694038a7972a3bb12181151c1645914443a2c3be6379b27533bbb99" dependencies = [ - 
"aws-endpoint", + "aws-credential-types", "aws-http", - "aws-sig-auth", + "aws-runtime", "aws-smithy-async", - "aws-smithy-client", "aws-smithy-http", - "aws-smithy-http-tower", - "aws-smithy-query", + "aws-smithy-json", + "aws-smithy-runtime", + "aws-smithy-runtime-api", "aws-smithy-types", - "aws-smithy-xml", "aws-types", "bytes", "http", - "tower", + "regex", + "tracing", ] [[package]] -name = "aws-sig-auth" -version = "0.46.0" +name = "aws-sdk-sts" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8386fc0d218dbf2011f65bd8300d21ba98603fd150b962f61239be8b02d1fc6" +checksum = "bbee86e8d9b1be709bd0f38b9ab3f196e39b0b6f3262a0a919a9d30f25debd94" dependencies = [ - "aws-sigv4", + "aws-credential-types", + "aws-http", + "aws-runtime", + "aws-smithy-async", "aws-smithy-http", + "aws-smithy-json", + "aws-smithy-query", + "aws-smithy-runtime", + "aws-smithy-runtime-api", + "aws-smithy-types", + "aws-smithy-xml", "aws-types", "http", + "regex", "tracing", ] [[package]] name = "aws-sigv4" -version = "0.46.1" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6a70364c0d649ef1c37188a4d0e4f5a918e1a9df318e5b1b2bb7117e271f6e1" +checksum = "b6bcbad6e0f130232b22e4b4e28834348ce5b79c23b5059b387c08fd0dc8f876" dependencies = [ + "aws-credential-types", "aws-smithy-http", + "aws-smithy-runtime-api", + "aws-smithy-types", + "bytes", "form_urlencoded", "hex", + "hmac", "http", "once_cell", "percent-encoding", "regex", - "ring 0.16.20", + "sha2", "time 0.3.17", "tracing", ] [[package]] name = "aws-smithy-async" -version = "0.46.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "deb59cfdd21143006c01b9ca4dc4a9190b8c50c2ef831f9eb36f54f69efa42f1" +checksum = "573441a5a0219e436e86a7f9a20b0f2505c5ae6fe7fe3eba6e3950991c9ad914" dependencies = [ "futures-util", "pin-project-lite", "tokio", - "tokio-stream", ] [[package]] name = "aws-smithy-client" -version 
= "0.46.0" +version = "0.60.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44243329ba8618474c3b7f396de281f175ae172dd515b3d35648671a3cf51871" -dependencies = [ - "aws-smithy-async", - "aws-smithy-http", - "aws-smithy-http-tower", - "aws-smithy-types", - "bytes", - "fastrand 1.8.0", - "http", - "http-body", - "hyper", - "hyper-rustls 0.22.1", - "lazy_static", - "pin-project-lite", - "tokio", - "tower", - "tracing", -] +checksum = "e00d51e79571528981b4eaf1040ca1248ce155149914926eebd19feadc88bd70" [[package]] name = "aws-smithy-http" -version = "0.46.0" +version = "0.60.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fba78f69a5bbe7ac1826389304c67b789032d813574e78f9a2d450634277f833" +checksum = "5b1de8aee22f67de467b2e3d0dd0fb30859dc53f579a63bd5381766b987db644" dependencies = [ + "aws-smithy-runtime-api", "aws-smithy-types", "bytes", "bytes-utils", "futures-core", "http", "http-body", - "hyper", "once_cell", "percent-encoding", "pin-project-lite", - "tokio", - "tokio-util", + "pin-utils", "tracing", ] [[package]] -name = "aws-smithy-http-tower" -version = "0.46.0" +name = "aws-smithy-json" +version = "0.60.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff8a512d68350561e901626baa08af9491cfbd54596201b84b4da846a59e4da3" +checksum = "6a46dd338dc9576d6a6a5b5a19bd678dcad018ececee11cf28ecd7588bd1a55c" dependencies = [ - "aws-smithy-http", - "bytes", - "http", - "http-body", - "pin-project-lite", - "tower", - "tracing", + "aws-smithy-types", ] [[package]] -name = "aws-smithy-json" -version = "0.46.0" +name = "aws-smithy-query" +version = "0.60.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31b7633698853aae80bd8b26866531420138eca91ea4620735d20b0537c93c2e" +checksum = "feb5b8c7a86d4b6399169670723b7e6f21a39fc833a30f5c5a2f997608178129" dependencies = [ "aws-smithy-types", + "urlencoding", ] [[package]] -name = "aws-smithy-query" -version = "0.46.0" 
+name = "aws-smithy-runtime" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95a94b5a8cc94a85ccbff89eb7bc80dc135ede02847a73d68c04ac2a3e4cf6b7" +checksum = "c0c628feae802ab1589936e2aaef6f8ab2b8fc1ee1f947c276dd8a7c3cda1904" dependencies = [ + "aws-smithy-async", + "aws-smithy-http", + "aws-smithy-runtime-api", "aws-smithy-types", - "urlencoding", + "bytes", + "fastrand", + "h2", + "http", + "http-body", + "hyper", + "hyper-rustls", + "once_cell", + "pin-project-lite", + "pin-utils", + "rustls", + "tokio", + "tracing", +] + +[[package]] +name = "aws-smithy-runtime-api" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7460e5cc8e6eb0749608535854352f6e121433960ba05daf4dbde0e42c1199a5" +dependencies = [ + "aws-smithy-async", + "aws-smithy-types", + "bytes", + "http", + "pin-project-lite", + "tokio", + "tracing", + "zeroize", ] [[package]] name = "aws-smithy-types" -version = "0.46.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d230d281653de22fb0e9c7c74d18d724a39d7148e2165b1e760060064c4967c0" +checksum = "8ba838f43d0d72d76918895a93c3ad647f75a058541a60e85beefb6bb0a9bd40" dependencies = [ + "base64-simd", + "bytes", + "bytes-utils", + "futures-core", + "http", + "http-body", "itoa 1.0.9", "num-integer", + "pin-project-lite", + "pin-utils", "ryu", + "serde", "time 0.3.17", + "tokio", + "tokio-util", ] [[package]] name = "aws-smithy-xml" -version = "0.46.0" +version = "0.60.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4aacaf6c0fa549ebe5d9daa96233b8635965721367ee7c69effc8d8078842df3" +checksum = "0ec40d74a67fd395bc3f6b4ccbdf1543672622d905ef3f979689aea5b730cb95" dependencies = [ "xmlparser", ] [[package]] name = "aws-types" -version = "0.46.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"fb54f097516352475a0159c9355f8b4737c54044538a4d9aca4d376ef2361ccc" +checksum = "faa59f6f26a3472ca2ce7e7802d037a0a9a7ac23de5761eadd9b68f31ac4fd21" dependencies = [ + "aws-credential-types", "aws-smithy-async", - "aws-smithy-client", - "aws-smithy-http", + "aws-smithy-runtime-api", "aws-smithy-types", "http", "rustc_version 0.4.0", "tracing", - "zeroize", ] [[package]] @@ -821,6 +875,16 @@ version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a" +[[package]] +name = "base64-simd" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "339abbe78e73178762e23bea9dfd08e697eb3f3301cd4be981c0f78ba5859195" +dependencies = [ + "outref", + "vsimd", +] + [[package]] name = "base64ct" version = "1.5.3" @@ -973,9 +1037,9 @@ dependencies = [ [[package]] name = "bytes-utils" -version = "0.1.3" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e47d3a8076e283f3acd27400535992edb3ba4b5bb72f8891ad8fbe7932a7d4b9" +checksum = "7dafe3a8757b027e2be6e4e5601ed563c55989fcf1546e933c66c8eb3a058d35" dependencies = [ "bytes", "either", @@ -1097,13 +1161,9 @@ version = "2.34.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c" dependencies = [ - "ansi_term", - "atty", "bitflags 1.3.2", - "strsim 0.8.0", "textwrap", "unicode-width", - "vec_map", ] [[package]] @@ -1126,7 +1186,7 @@ dependencies = [ "anstream", "anstyle", "clap_lex", - "strsim 0.10.0", + "strsim", "terminal_size", "unicase", "unicode-width", @@ -1138,7 +1198,7 @@ version = "4.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "54a9bb5758fc5dfe728d1019941681eccaf0cf8a4189b692a0ee2f2ecf90a050" dependencies = [ - "heck 0.4.1", + "heck", "proc-macro2", "quote", "syn 2.0.32", 
@@ -1161,7 +1221,7 @@ dependencies = [ "color-eyre 0.6.2", "eyre", "futures", - "heck 0.4.1", + "heck", "hex", "hex-literal 0.4.1", "http", @@ -1224,19 +1284,13 @@ dependencies = [ [[package]] name = "cognitoauth" version = "0.1.0" -source = "git+https://github.com/lucdew/cognito-srp-auth.git#7fe9779d5b0d2b367f377eb8fe44858a36b66edf" dependencies = [ "aws-config", "aws-sdk-cognitoidentityprovider", "aws-smithy-client", "cognito_srp", - "env_logger", - "hyper", - "hyper-proxy", - "log", - "structopt", "thiserror", - "tokio", + "tracing", ] [[package]] @@ -1662,15 +1716,6 @@ dependencies = [ "memchr", ] -[[package]] -name = "ct-logs" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1a816186fa68d9e426e3cb4ae4dff1fcd8e4a2c34b781bf7a822574a0d0aac8" -dependencies = [ - "sct 0.6.1", -] - [[package]] name = "ctr" version = "0.9.2" @@ -1990,7 +2035,7 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c9720bba047d567ffc8a3cba48bf19126600e249ab7f128e9233e6376976a116" dependencies = [ - "heck 0.4.1", + "heck", "proc-macro2", "quote", "syn 1.0.107", @@ -2037,19 +2082,6 @@ dependencies = [ "syn 1.0.107", ] -[[package]] -name = "env_logger" -version = "0.9.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a12e6657c4c97ebab115a42dcee77225f7f482cdd841cf7088c657a42e9e00e7" -dependencies = [ - "atty", - "humantime", - "log", - "regex", - "termcolor", -] - [[package]] name = "equivalent" version = "1.0.1" @@ -2107,7 +2139,7 @@ dependencies = [ "sha2", "sha3", "thiserror", - "uuid", + "uuid 0.8.2", ] [[package]] 
@@ -2455,15 +2487,6 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4443176a9f2c162692bd3d352d745ef9413eec5782a80d8fd6f8a1ac692a07f7" -[[package]] -name = "fastrand" -version = "1.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7a407cfaa3385c4ae6b23e84623d48c2798d06e3e6a1878f7f59f17b3f86499" -dependencies = [ - "instant", -] - [[package]] name = "fastrand" version = "2.0.0" @@ -2812,40 +2835,6 @@ dependencies = [ "hashbrown 0.12.3", ] -[[package]] -name = "headers" -version = "0.3.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3e372db8e5c0d213e0cd0b9be18be2aca3d44cf2fe30a9d46a65581cd454584" -dependencies = [ - "base64 0.13.1", - "bitflags 1.3.2", - "bytes", - "headers-core", - "http", - "httpdate", - "mime", - "sha1", -] - -[[package]] -name = "headers-core" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7f66481bfee273957b1f20485a4ff3362987f85b2c236580d81b4eb7a326429" -dependencies = [ - "http", -] - -[[package]] -name = "heck" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c" -dependencies = [ - "unicode-segmentation", -] - [[package]] name = "heck" version = "0.4.1" @@ -2949,12 +2938,6 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421" -[[package]] -name = "humantime" -version = "2.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" - [[package]] name = "hyper" version = "0.14.27" 
@@ -2979,42 +2962,6 @@ dependencies = [ "want", ] -[[package]] -name = "hyper-proxy" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca815a891b24fdfb243fa3239c86154392b0953ee584aa1a2a1f66d20cbe75cc" -dependencies = [ - "bytes", - "futures", - "headers", - "http", - "hyper", - "hyper-rustls 0.22.1", - "rustls-native-certs", - "tokio", - "tokio-rustls 0.22.0", - "tower-service", - "webpki", -] - -[[package]] -name = "hyper-rustls" -version = "0.22.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f9f7a97316d44c0af9b0301e65010573a853a9fc97046d7331d7f6bc0fd5a64" -dependencies = [ - "ct-logs", - "futures-util", - "hyper", - "log", - "rustls 0.19.1", - "rustls-native-certs", - "tokio", - "tokio-rustls 0.22.0", - "webpki", -] - [[package]] name = "hyper-rustls" version = "0.24.1" @@ -3024,9 +2971,11 @@ dependencies = [ "futures-util", "http", "hyper", - "rustls 0.21.8", + "log", + "rustls", + "rustls-native-certs", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls", ] [[package]] @@ -4012,6 +3961,12 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" +[[package]] +name = "outref" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4030760ffd992bef45b0ae3f10ce1aba99e33464c90d14dd7c039884963ddc7a" + [[package]] name = "overload" version = "0.1.1" @@ -4694,7 +4649,7 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-rustls 0.24.1", + "hyper-rustls", "hyper-tls", "ipnet", "js-sys", @@ -4704,7 +4659,7 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "rustls 0.21.8", + "rustls", "rustls-pemfile", "serde", "serde_json", @@ -4712,7 +4667,7 @@ dependencies = [ "system-configuration", "tokio", "tokio-native-tls", - "tokio-rustls 0.24.1", + "tokio-rustls", "tower-service", "url", "wasm-bindgen", 
@@ -4928,19 +4883,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "rustls" -version = "0.19.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" -dependencies = [ - "base64 0.13.1", - "log", - "ring 0.16.20", - "sct 0.6.1", - "webpki", -] - [[package]] name = "rustls" version = "0.21.8" @@ -4950,17 +4892,17 @@ dependencies = [ "log", "ring 0.17.5", "rustls-webpki", - "sct 0.7.0", + "sct", ] [[package]] name = "rustls-native-certs" -version = "0.5.0" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" +checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls 0.19.1", + "rustls-pemfile", "schannel", "security-framework", ] @@ -5072,16 +5014,6 @@ dependencies = [ "sha2", ] -[[package]] -name = "sct" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" -dependencies = [ - "ring 0.16.20", - "untrusted 0.7.1", -] - [[package]] name = "sct" version = "0.7.0" @@ -5379,7 +5311,6 @@ dependencies = [ "chrono", "clap 4.3.14", "cli-batteries", - "cognitoauth", "ethers", "ethers-solc", "eyre", @@ -5583,7 +5514,7 @@ checksum = "b850fa514dc11f2ee85be9d055c512aa866746adfacd1cb42d867d68e6a5b0d9" dependencies = [ "dotenvy", "either", - "heck 0.4.1", + "heck", "once_cell", "proc-macro2", "quote", 
@@ -5641,42 +5572,12 @@ dependencies = [ "unicode-normalization", ] -[[package]] -name = "strsim" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" - [[package]] name = "strsim" version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" -[[package]] -name = "structopt" -version = "0.3.26" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c6b5c64445ba8094a6ab0c3cd2ad323e07171012d9c98b0b15651daf1787a10" -dependencies = [ - "clap 2.34.0", - "lazy_static", - "structopt-derive", -] - -[[package]] -name = "structopt-derive" -version = "0.4.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0" -dependencies = [ - "heck 0.3.3", - "proc-macro-error", - "proc-macro2", - "quote", - "syn 1.0.107", -] - [[package]] name = "strum" version = "0.25.0" @@ -5692,7 +5593,7 @@ version = "0.25.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ad8d03b598d3d0fff69bf533ee3ef19b8eeb342729596df84bcc7e1f96ec4059" dependencies = [ - "heck 0.4.1", + "heck", "proc-macro2", "quote", "rustversion", @@ -5825,7 +5726,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cb94d2f3cc536af71caac6b6fcebf65860b347e7ce0cc9ebe8f70d3e521054ef" dependencies = [ "cfg-if", - "fastrand 2.0.0", + "fastrand", "redox_syscall 0.3.5", "rustix 0.38.13", "windows-sys 0.48.0", 
@@ -6057,24 +5958,13 @@ dependencies = [ "tokio", ] -[[package]] -name = "tokio-rustls" -version = "0.22.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" -dependencies = [ - "rustls 0.19.1", - "tokio", - "webpki", -] - [[package]] name = "tokio-rustls" version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls 0.21.8", + "rustls", "tokio", ] @@ -6098,10 +5988,10 @@ dependencies = [ "futures-util", "log", "native-tls", - "rustls 0.21.8", + "rustls", "tokio", "tokio-native-tls", - "tokio-rustls 0.24.1", + "tokio-rustls", "tungstenite", "webpki-roots", ] @@ -6415,7 +6305,7 @@ dependencies = [ "log", "native-tls", "rand", - "rustls 0.21.8", + "rustls", "sha1", "thiserror", "url", @@ -6562,6 +6452,12 @@ dependencies = [ "serde", ] +[[package]] +name = "uuid" +version = "1.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e395fcf16a7a3d8127ec99782007af141946b4795001f876d54fb0d55978560" + [[package]] name = "valuable" version = "0.1.0" 
@@ -6574,18 +6470,18 @@ version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" -[[package]] -name = "vec_map" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191" - [[package]] name = "version_check" version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" +[[package]] +name = "vsimd" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64" + [[package]] name = "walkdir" version = "2.3.2" @@ -6962,16 +6858,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring 0.16.20", - "untrusted 0.7.1", -] - [[package]] name = "webpki-roots" version = "0.25.2" @@ -7327,9 +7213,9 @@ dependencies = [ [[package]] name = "xmlparser" -version = "0.13.3" +version = "0.13.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "114ba2b24d2167ef6d67d7d04c8cc86522b87f490025f39f0303b7db5bf5e3d8" +checksum = "66fee0b777b0f5ac1c69bb06d361268faafa61cd4682ae064a171c16c433e9e4" [[package]] name = "yansi" diff --git a/Cargo.toml b/Cargo.toml index 28b9a137..70f0ac7a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -38,7 +38,6 @@ cli-batteries = { git = "https://github.com/recmo/cli-batteries", rev = "fc1186d "otlp", "datadog", ] } -cognitoauth = { git = "https://github.com/lucdew/cognito-srp-auth.git" } ethers = { version = "2.0.10", features = ["ws", "ipc", "openssl", "abigen"] } ethers-solc = "2.0.10" eyre = "0.6" 
diff --git a/crates/cognitoauth/Cargo.toml b/crates/cognitoauth/Cargo.toml
new file mode 100644
index 00000000..7c13ec7d
--- /dev/null
+++ b/crates/cognitoauth/Cargo.toml
@@ -0,0 +1,20 @@
+[package]
+name = "cognitoauth"
+version = "0.1.0"
+edition = "2021"
+license = "MIT"
+description = "cognito srp authentication library"
+repository = "https://github.com/lucdew/cognito-srp-auth"
+keywords = ["crypto", "aws", "aws cognito"]
+categories = ["cryptography", "authentication"]
+readme = "README.md"
+rust-version = "1.56"
+
+[dependencies]
+aws-config = "1.0.3"
+aws-sdk-cognitoidentityprovider = "1.4.0"
+aws-smithy-client = { version = "0.60.0", features = [] }
+cognito_srp = "0.1.1"
+thiserror = "1.0.32"
+tracing = "0.1"
+
diff --git a/crates/cognitoauth/README.md b/crates/cognitoauth/README.md
new file mode 100644
index 00000000..96e81ce8
--- /dev/null
+++ b/crates/cognitoauth/README.md
@@ -0,0 +1 @@
+Vendored from https://github.com/lucdew/cognito-srp-auth
diff --git a/crates/cognitoauth/src/cognito_srp_auth.rs b/crates/cognitoauth/src/cognito_srp_auth.rs
new file mode 100644
index 00000000..6c146260
--- /dev/null
+++ b/crates/cognitoauth/src/cognito_srp_auth.rs
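Review bot: `aws-smithy-client = { version = "0.60.0", features = [] }` is declared but nothing in the vendored sources uses it — cognito_srp_auth.rs and error.rs import only aws_config, aws_sdk_cognitoidentityprovider, cognito_srp, thiserror and tracing — and the Cargo.lock hunk for 0.60.0 shows the crate with no dependencies of its own, so it looks like a leftover from the upstream manifest; dropping the line also lets the matching exemption in supply-chain/config.toml go. The manifest keeps upstream's `repository`, `keywords` and `categories` while the workspace's own crates set `publish = false` (visible in crates/oz-api/Cargo.toml in this diff); add `publish = false` here so the vendored copy cannot be pushed under upstream's crate name by accident. `rust-version = "1.56"` is likewise inherited from upstream and is presumably well below what aws-config 1.x and the `BehaviorVersion` API require — worth re-checking against the CI toolchain this commit pins in test.yml.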
@@ -0,0 +1,128 @@
+use std::collections::HashMap;
+
+use aws_config::meta::region::RegionProviderChain;
+use aws_config::retry::RetryConfig;
+use aws_config::{BehaviorVersion, Region};
+use aws_sdk_cognitoidentityprovider::operation::respond_to_auth_challenge::RespondToAuthChallengeOutput;
+use aws_sdk_cognitoidentityprovider::types::{
+ AuthFlowType, AuthenticationResultType, ChallengeNameType,
+};
+use aws_sdk_cognitoidentityprovider::Client;
+use cognito_srp::SrpClient;
+
+use crate::error::CognitoSrpAuthError;
+
+pub struct CognitoAuthInput {
+ pub client_id: String,
+ pub pool_id: String,
+ pub username: String,
+ pub password: String,
+ pub mfa: Option,
+ pub client_secret: Option, // not yet supported
+}
+
+async fn get_cognito_idp_client(pool_id: &str) -> Result {
+ let region = pool_id.split('_').next().map(|x| x.to_string());
+
+ let region_provider = RegionProviderChain::first_try(region.map(Region::new))
+ .or_default_provider()
+ .or_else(Region::new("us-east-1"));
+
+ let shared_config = aws_config::defaults(BehaviorVersion::latest())
+ .region(region_provider)
+ .load()
+ .await;
+
+ let cognito_idp_config = aws_sdk_cognitoidentityprovider::config::Builder::from(&shared_config)
+ .retry_config(RetryConfig::disabled())
+ .build();
+
+ let cognito_client = Client::from_conf(cognito_idp_config);
+
+ Ok(cognito_client)
+}
+
+async fn process_mfa(
+ client: &Client,
+ input: &CognitoAuthInput,
+ auth_challenge_res: RespondToAuthChallengeOutput,
+) -> Result, CognitoSrpAuthError> {
+ let mfa = input
+ .mfa
+ .clone()
+ .ok_or(CognitoSrpAuthError::IllegalArgument(
+ "missing mfa but it is required".to_string(),
+ ))?;
+ let mut mfa_challenge_res: HashMap = HashMap::new();
+ mfa_challenge_res.insert("USERNAME".to_string(), input.username.to_string());
+ mfa_challenge_res.insert("SOFTWARE_TOKEN_MFA_CODE".to_string(), mfa.to_string());
+
+ let auth_challenge_res = client
+ .respond_to_auth_challenge()
+ .set_challenge_responses(Some(mfa_challenge_res))
+ .client_id(input.client_id.clone())
+ .challenge_name(ChallengeNameType::SoftwareTokenMfa)
+ .session(auth_challenge_res.session.unwrap())
+ .send()
+ .await;
+
+ let auth_res = auth_challenge_res?;
+
+ Ok(auth_res.authentication_result)
+}
+
+pub async fn auth(
+ input: CognitoAuthInput,
+) -> Result, CognitoSrpAuthError> {
+ let cognito_client = get_cognito_idp_client(&input.pool_id).await?;
+ let srp_client = SrpClient::new(
+ &input.username,
+ &input.password,
+ &input.pool_id,
+ &input.client_id,
+ None,
+ );
+
+ let auth_init_res = cognito_client
+ .initiate_auth()
+ .auth_flow(AuthFlowType::UserSrpAuth)
+ .client_id(input.client_id.clone())
+ .set_auth_parameters(Some(srp_client.get_auth_params()?))
+ .send()
+ .await;
+
+ let auth_init_out = auth_init_res?;
+ if auth_init_out.challenge_name.is_none()
+ || auth_init_out.challenge_name.clone().unwrap() != ChallengeNameType::PasswordVerifier
+ {
+ if let Some(cn) = auth_init_out.challenge_name {
+ tracing::debug!("challenge_name is unexpected, got {:?}", cn);
+ } else {
+ tracing::debug!("No challenge found in init");
+ }
+ return Ok(None);
+ }
+
+ let challenge_params =
+ auth_init_out
+ .challenge_parameters
+ .ok_or(CognitoSrpAuthError::IllegalArgument(
+ "No challenge was returned for the client".to_string(),
+ ))?;
+ let challenge_responses = srp_client.process_challenge(challenge_params)?;
+
+ let password_challenge_res = cognito_client
+ .respond_to_auth_challenge()
+ .set_challenge_responses(Some(challenge_responses))
+ .client_id(input.client_id.clone())
+ .challenge_name(ChallengeNameType::PasswordVerifier)
+ .send()
+ .await?;
+
+ match password_challenge_res.challenge_name {
+ Some(ChallengeNameType::SoftwareTokenMfa) | Some(ChallengeNameType::SmsMfa) => {
+ process_mfa(&cognito_client, &input, password_challenge_res).await
+ }
+ Some(_) | None => Ok(password_challenge_res.authentication_result),
+ }
+}
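Review bot: `.session(auth_challenge_res.session.unwrap())` in process_mfa panics whenever the PasswordVerifier response arrives without a session, and that field is service-supplied data rather than a program invariant; propagate it instead, e.g. `.session(auth_challenge_res.session.ok_or_else(|| CognitoSrpAuthError::IllegalArgument("missing session in MFA challenge".to_string()))?)`. The match at the end of auth routes both `ChallengeNameType::SoftwareTokenMfa` and `ChallengeNameType::SmsMfa` into process_mfa, but process_mfa always replies with the SoftwareTokenMfa challenge name and the `SOFTWARE_TOKEN_MFA_CODE` key, so an SMS challenge cannot be completed as written — either pass the challenge name through and pick the matching response key, or narrow the arm to SoftwareTokenMfa. `client_secret` is marked "not yet supported" but is silently ignored, so a pool that has a secret configured fails later with an opaque service error; returning IllegalArgument when it is Some would surface that at the call site. The password travels as a plain String in CognitoAuthInput for the whole flow; that is upstream's design, but it is worth a comment given that this crate's dependency tree already ships zeroize.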
diff --git a/crates/cognitoauth/src/error.rs b/crates/cognitoauth/src/error.rs
new file mode 100644
index 00000000..977784f1
--- /dev/null
+++ b/crates/cognitoauth/src/error.rs
@@ -0,0 +1,25 @@
+use std::io;
+
+use aws_sdk_cognitoidentityprovider::error::SdkError;
+use aws_sdk_cognitoidentityprovider::operation::initiate_auth::InitiateAuthError;
+use aws_sdk_cognitoidentityprovider::operation::respond_to_auth_challenge::RespondToAuthChallengeError;
+use cognito_srp::CognitoSrpError;
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum CognitoSrpAuthError {
+ #[error("cognito srp error: {0}")]
+ SrpError(#[from] CognitoSrpError),
+
+ #[error("illegal argument: {0}")]
+ IllegalArgument(String),
+
+ #[error("io error: {0}")]
+ IOError(#[from] io::Error),
+
+ #[error("cognito idp initiate error: {0}")]
+ CognitoInitiateError(#[from] SdkError),
+
+ #[error("cognito idp response to auth challenge error: {0}")]
+ CognitoResponseToAuthChallengeError(#[from] SdkError),
+}
diff --git a/crates/cognitoauth/src/lib.rs b/crates/cognitoauth/src/lib.rs
new file mode 100644
index 00000000..b74dc130
--- /dev/null
+++ b/crates/cognitoauth/src/lib.rs
@@ -0,0 +1,2 @@
+pub mod cognito_srp_auth;
+pub mod error;
diff --git a/crates/oz-api/Cargo.toml b/crates/oz-api/Cargo.toml
index 2089f48f..2167dc0b 100644
--- a/crates/oz-api/Cargo.toml
+++ b/crates/oz-api/Cargo.toml
@@ -7,7 +7,7 @@ publish = false
 [dependencies]
 anyhow = "1.0"
 chrono = { version = "0.4.23", features = ["serde"] }
-cognitoauth = { git = "https://github.com/lucdew/cognito-srp-auth.git" }
+cognitoauth = { path = "../cognitoauth" }
 ethers = { version = "2.0.10", features = [ "ws", "ipc", "openssl", "abigen" ] }
 hyper = { version = "^0.14.17", features = ["server", "tcp", "http1", "http2"] }
 reqwest = "0.11.14"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index f63541aa..a31e6c67 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
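Review bot: `IOError(#[from] io::Error)` has no producer in this crate — neither cognito_srp_auth.rs nor lib.rs performs I/O or converts an io::Error — so it is dead public API surface inherited from upstream that callers will be asked to match on for nothing; drop the variant and the `use std::io;` import, or add a doc comment naming the path that raises it. The enum as a whole has no doc comment; a one-liner such as `/// Errors returned by the SRP login flow in cognito_srp_auth; the Cognito* variants wrap the raw SDK errors of the two service calls it makes.` would tell readers which variant corresponds to which step. The type arguments on the two `SdkError` variants appear to have been lost in this rendering of the patch, so treat the exact generic types as unverified here.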
@@ -136,71 +136,79 @@ version = "1.1.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-config]]
-version = "0.46.0"
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
-[[exemptions.aws-endpoint]]
-version = "0.46.0"
+[[exemptions.aws-credential-types]]
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-http]]
-version = "0.46.0"
+version = "0.60.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.aws-runtime]]
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-sdk-cognitoidentityprovider]]
-version = "0.16.0"
+version = "1.4.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-sdk-sso]]
-version = "0.16.0"
+version = "1.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.aws-sdk-sts]]
-version = "0.16.0"
+[[exemptions.aws-sdk-ssooidc]]
+version = "1.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.aws-sig-auth]]
-version = "0.46.0"
+[[exemptions.aws-sdk-sts]]
+version = "1.4.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-sigv4]]
-version = "0.46.1"
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-async]]
-version = "0.46.0"
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-client]]
-version = "0.46.0"
+version = "0.60.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-http]]
-version = "0.46.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.aws-smithy-http-tower]]
-version = "0.46.0"
+version = "0.60.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-json]]
-version = "0.46.0"
+version = "0.60.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-query]]
-version = "0.46.0"
+version = "0.60.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.aws-smithy-runtime]]
+version = "1.0.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.aws-smithy-runtime-api]]
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-types]]
-version = "0.46.0"
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-smithy-xml]]
-version = "0.46.0"
+version = "0.60.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.aws-types]]
-version = "0.46.0"
+version = "1.0.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.axum]]
@@ -223,6 +231,10 @@ criteria = "safe-to-deploy"
 version = "0.13.1"
 criteria = "safe-to-deploy"
 
+[[exemptions.base64-simd]]
+version = "0.8.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.base64ct]]
 version = "1.5.3"
 criteria = "safe-to-deploy"
@@ -276,7 +288,7 @@ version = "1.4.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.bytes-utils]]
-version = "0.1.3"
+version = "0.1.4"
 criteria = "safe-to-deploy"
 
 [[exemptions.camino]]
@@ -287,10 +299,6 @@ criteria = "safe-to-deploy"
 version = "0.3.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.cc]]
-version = "1.0.83"
-criteria = "safe-to-deploy"
-
 [[exemptions.chrono]]
 version = "0.4.26"
 criteria = "safe-to-deploy"
@@ -419,10 +427,6 @@ criteria = "safe-to-deploy"
 version = "0.1.10"
 criteria = "safe-to-deploy"
 
-[[exemptions.ct-logs]]
-version = "0.8.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.ctr]]
 version = "0.9.2"
 criteria = "safe-to-deploy"
@@ -531,10 +535,6 @@ criteria = "safe-to-deploy"
 version = "0.6.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.env_logger]]
-version = "0.9.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.errno]]
 version = "0.2.8"
 criteria = "safe-to-deploy"
@@ -615,10 +615,6 @@ criteria = "safe-to-deploy"
 version = "0.2.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.fastrand]]
-version = "1.8.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.ff]]
 version = "0.12.1"
 criteria = "safe-to-deploy"
@@ -635,10 +631,6 @@ criteria = "safe-to-deploy"
 version = "1.0.25"
 criteria = "safe-to-deploy"
 
-[[exemptions.form_urlencoded]]
-version = "1.2.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.fs2]]
 version = "0.4.3"
 criteria = "safe-to-deploy"
@@ -703,10 +695,6 @@ criteria = "safe-to-deploy"
 version = "0.8.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.heck]]
-version = "0.3.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.hermit-abi]]
 version = "0.1.19"
 criteria = "safe-to-deploy"
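Review bot: Every aws-* entry in this hunk stays an exemption, so moving them from the 0.46/0.16 line to `1.0.3`, `0.60.0` and `1.4.0` widens the code trusted without review to new major versions of the crates that hold and sign credentials (`aws-credential-types`, `aws-sigv4`, `aws-runtime`, `aws-sdk-cognitoidentityprovider`), with no audit recorded for any of them. Before merging, run `cargo vet suggest` to see which of these are already covered by the registries imported in imports.lock and consider certifying the credential-handling crates instead of exempting them; the same applies to the new exemptions `base64-simd`, `outref`, `uuid` and `vsimd` in the later hunks of this file, and `cargo vet prune` would show whether `aws-smithy-client` 0.60.0 is still reachable from Cargo.lock at all. Separately, dropping the exemptions for `webpki`, `rustls` 0.19.1, `tokio-rustls` 0.22.0, `hyper-rustls` 0.22.1, `sct` and `ct-logs` means vet will flag those versions if they return, but vet checks review status, not advisories, so a future advisory against any crate exempted here (including the remaining `rustls` 0.21.8 / `hyper-rustls` 0.24.1 stack) would go unnoticed without an advisory check in CI such as `cargo deny check advisories` or `cargo audit`, neither of which is visible in this diff.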
@@ -735,18 +723,6 @@ criteria = "safe-to-deploy"
 version = "0.4.5"
 criteria = "safe-to-deploy"
 
-[[exemptions.humantime]]
-version = "2.1.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.hyper-proxy]]
-version = "0.9.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.hyper-rustls]]
-version = "0.22.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.hyper-rustls]]
 version = "0.24.1"
 criteria = "safe-to-deploy"
@@ -987,6 +963,10 @@ criteria = "safe-to-deploy"
 version = "0.2.0"
 criteria = "safe-to-deploy"
 
+[[exemptions.outref]]
+version = "0.5.1"
+criteria = "safe-to-deploy"
+
 [[exemptions.owo-colors]]
 version = "1.3.0"
 criteria = "safe-to-deploy"
@@ -1035,10 +1015,6 @@ criteria = "safe-to-deploy"
 version = "1.1.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.percent-encoding]]
-version = "2.3.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.pest]]
 version = "2.5.0"
 criteria = "safe-to-deploy"
@@ -1247,16 +1223,12 @@ criteria = "safe-to-deploy"
 version = "0.38.13"
 criteria = "safe-to-deploy"
 
-[[exemptions.rustls]]
-version = "0.19.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.rustls]]
 version = "0.21.8"
 criteria = "safe-to-deploy"
 
 [[exemptions.rustls-native-certs]]
-version = "0.5.0"
+version = "0.6.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.rustls-pemfile]]
@@ -1291,10 +1263,6 @@ criteria = "safe-to-deploy"
 version = "0.10.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.sct]]
-version = "0.6.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.seahash]]
 version = "4.1.0"
 criteria = "safe-to-deploy"
@@ -1415,22 +1383,10 @@ criteria = "safe-to-deploy"
 version = "0.8.4"
 criteria = "safe-to-deploy"
 
-[[exemptions.strsim]]
-version = "0.8.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.strsim]]
 version = "0.10.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.structopt]]
-version = "0.3.26"
-criteria = "safe-to-deploy"
-
-[[exemptions.structopt-derive]]
-version = "0.4.18"
-criteria = "safe-to-deploy"
-
 [[exemptions.strum]]
 version = "0.25.0"
 criteria = "safe-to-deploy"
@@ -1519,10 +1475,6 @@ criteria = "safe-to-deploy"
 version = "2.1.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.tokio-rustls]]
-version = "0.22.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.tokio-rustls]]
 version = "0.24.1"
 criteria = "safe-to-deploy"
@@ -1623,10 +1575,6 @@ criteria = "safe-to-deploy"
 version = "0.9.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.url]]
-version = "2.4.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.urlencoding]]
 version = "2.1.2"
 criteria = "safe-to-deploy"
@@ -1643,6 +1591,14 @@ criteria = "safe-to-deploy"
 version = "0.8.2"
 criteria = "safe-to-deploy"
 
+[[exemptions.uuid]]
+version = "1.6.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.vsimd]]
+version = "0.8.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.walkdir]]
 version = "2.3.2"
 criteria = "safe-to-deploy"
@@ -1731,10 +1687,6 @@ criteria = "safe-to-deploy"
 version = "0.3.60"
 criteria = "safe-to-deploy"
 
-[[exemptions.webpki]]
-version = "0.21.4"
-criteria = "safe-to-deploy"
-
 [[exemptions.which]]
 version = "4.3.0"
 criteria = "safe-to-deploy"
@@ -1780,7 +1732,7 @@ version = "0.5.1"
 criteria = "safe-to-deploy"
 
 [[exemptions.xmlparser]]
-version = "0.13.3"
+version = "0.13.6"
 criteria = "safe-to-deploy"
 
 [[exemptions.yansi]]
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index a50deda1..fba8c13c 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -808,6 +808,12 @@ criteria = "safe-to-deploy"
 version = "0.15.3"
 notes = "no build, no unsafe, inputs to cargo command are reasonably sanitized"
 
+[[audits.bytecodealliance.audits.cc]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "1.0.73"
+notes = "I am the author of this crate."
+
 [[audits.bytecodealliance.audits.cfg-if]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -959,6 +965,16 @@ criteria = "safe-to-deploy" version = "0.1.1" notes = "small crate, only defines macro-rules!, nicely documented as well" +[[audits.bytecodealliance.audits.percent-encoding]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.2.0" +notes = """ +This crate is a single-file crate that does what it says on the tin. There are +a few `unsafe` blocks related to utf-8 validation which are locally verifiable +as correct and otherwise this crate is good to go. +""" + [[audits.bytecodealliance.audits.pin-utils]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -1152,12 +1168,6 @@ criteria = "safe-to-deploy" version = "0.99.17" notes = "No unsafe usage or ambient capabilities" -[[audits.embark.audits.headers]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.3.8" -notes = "HTTP type definitions. Single sound unsafe usage, no ambient capabilities used" - [[audits.embark.audits.ident_case]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -1234,12 +1244,6 @@ criteria = "safe-to-deploy" version = "0.1.0" notes = "No unsafe usage or ambient capabilities, sane build script" -[[audits.embark.audits.vec_map]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.8.2" -notes = "No unsafe usage or ambient capabilities" - [[audits.embark.audits.webpki-roots]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -1537,6 +1541,18 @@ criteria = "safe-to-deploy" delta = "0.10.2 -> 0.10.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.cc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.73 -> 1.0.78" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.cc]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.78 -> 1.0.83" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.crossbeam-queue]] who = "Matthew Gregan " criteria = "safe-to-deploy" @@ -1581,6 +1597,12 @@ version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.form_urlencoded]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +version = "1.2.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.futures-channel]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1654,13 +1676,6 @@ version = "0.12.3" notes = "This version is used in rust's libstd, so effectively we're already trusting it" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.headers-core]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -version = "0.2.0" -notes = "Trivial crate, no unsafe code." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.heck]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -1754,6 +1769,12 @@ version = "0.2.15" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.2.0 -> 2.3.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.phf]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -2017,6 +2038,18 @@ criteria = "safe-to-deploy" delta = "0.3.8 -> 0.3.13" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +version = "2.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.zcash.audits.bech32]] who = "Jack Grigg " criteria = "safe-to-deploy"