fix(security): resolving some RUSTSEC advisories (#1853)

The following advisories where resolved: - [RUSTSEC-2020-0056](https://rustsec.org/advisories/RUSTSEC-2020-0056.html) - [RUSTSEC-2021-0059](https://rustsec.org/advisories/RUSTSEC-2021-0059.html) - [RUSTSEC-2021-0060](https://rustsec.org/advisories/RUSTSEC-2021-0060.html) - [RUSTSEC-2022-0090](https://rustsec.org/advisories/RUSTSEC-2022-0090.html) - [RUSTSEC-2022-0092](https://rustsec.org/advisories/RUSTSEC-2022-0092.html) - [RUSTSEC-2020-0168](https://rustsec.org/advisories/RUSTSEC-2020-0168.html) - [RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html) --------- Signed-off-by: ozkanonur <work@onurozkan.dev>
KomodoPlatform · Jun 8, 2023 · 2789a1b · 2789a1b
1 parent b48d73e
commit 2789a1b
Show file tree

Hide file tree

Showing 37 changed files with 312 additions and 465 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/mm2src/coins/Cargo.toml b/mm2src/coins/Cargo.toml
@@ -76,7 +76,7 @@ prost = "0.10"
 protobuf = "2.20"
 rand = { version = "0.7", features = ["std", "small_rng"] }
 rlp = { version = "0.5" }
-rmp-serde = "0.14.3"
+rmp-serde = "1.1.1"
 rpc = { path = "../mm2_bitcoin/rpc" }
 rpc_task = { path = "../rpc_task" }
 script = { path = "../mm2_bitcoin/script" }
@@ -124,7 +124,7 @@ web-sys = { version = "0.3.55", features = ["console", "Headers", "Request", "Re
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 dirs = { version = "1" }
 bitcoin = "0.29"
-hyper = { version = "0.14.11", features = ["client", "http2", "server", "tcp"] }
+hyper = { version = "0.14.26", features = ["client", "http2", "server", "tcp"] }
 # using webpki-tokio to avoid rejecting valid certificates
 # got "invalid certificate: UnknownIssuer" for https://ropsten.infura.io on iOS using default-features
 hyper-rustls = { version = "0.23", default-features = false, features = ["http1", "http2", "webpki-tokio"] }
@@ -140,10 +140,10 @@ tokio = { version = "1.20" }
 tokio-rustls = { version = "0.23" }
 tonic = { version = "0.7", features = ["tls", "tls-webpki-roots", "compression"] }
 webpki-roots = { version = "0.22" }
-zcash_client_backend = { git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.0.0" }
-zcash_client_sqlite = { git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.0.0" }
-zcash_primitives = { features = ["transparent-inputs"], git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.0.0" }
-zcash_proofs = { git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.0.0" }
+zcash_client_backend = { git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.3.0" }
+zcash_client_sqlite = { git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.3.0" }
+zcash_primitives = { features = ["transparent-inputs"], git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.3.0" }
+zcash_proofs = { git = "https://github.com/KomodoPlatform/librustzcash.git", tag = "k-1.3.0" }
 
 [target.'cfg(windows)'.dependencies]
 winapi = "0.3"

diff --git a/mm2src/coins/hd_wallet_storage/sqlite_storage.rs b/mm2src/coins/hd_wallet_storage/sqlite_storage.rs
@@ -1,9 +1,11 @@
+#![allow(deprecated)] // TODO: remove this once rusqlite is >= 0.29
+
 use crate::hd_wallet_storage::{HDAccountStorageItem, HDWalletId, HDWalletStorageError, HDWalletStorageInternalOps,
                                HDWalletStorageResult};
 use async_trait::async_trait;
 use common::async_blocking;
 use db_common::owned_named_params;
-use db_common::sqlite::rusqlite::{Connection, Error as SqlError, Row, NO_PARAMS};
+use db_common::sqlite::rusqlite::{Connection, Error as SqlError, Row};
 use db_common::sqlite::{query_single_row_with_named_params, AsSqlNamedParams, OwnedSqlNamedParams, SqliteConnShared,
                         SqliteConnWeak};
 use derive_more::Display;
@@ -228,7 +230,7 @@ impl HDWalletSqliteStorage {
     async fn init_tables(&self) -> HDWalletStorageResult<()> {
         let conn_shared = self.get_shared_conn()?;
         let conn = Self::lock_conn_mutex(&conn_shared)?;
-        conn.execute(CREATE_HD_ACCOUNT_TABLE, NO_PARAMS)
+        conn.execute(CREATE_HD_ACCOUNT_TABLE, [])
             .map(|_| ())
             .map_to_mm(HDWalletStorageError::from)
     }
@@ -280,7 +282,7 @@ pub(super) async fn get_all_storage_items(ctx: &MmArc) -> Vec<HDAccountStorageIt
     let conn = ctx.shared_sqlite_conn();
     let mut statement = conn.prepare(SELECT_ALL_ACCOUNTS).unwrap();
     statement
-        .query_map(NO_PARAMS, |row: &Row<'_>| HDAccountStorageItem::try_from(row))
+        .query_map([], |row: &Row<'_>| HDAccountStorageItem::try_from(row))
         .unwrap()
         .collect::<Result<Vec<_>, _>>()
         .unwrap()

diff --git a/mm2src/coins/lightning.rs b/mm2src/coins/lightning.rs
@@ -1402,7 +1402,7 @@ impl MmCoin for LightningCoin {
             Some(amt_or_err) => log_err_and_return_false!(amt_or_err),
             None => return true,
         };
-        let protocol_info = match info.as_ref().map(rmp_serde::from_read_ref::<_, LightningProtocolInfo>) {
+        let protocol_info = match info.as_ref().map(|t| rmp_serde::from_slice::<LightningProtocolInfo>(t)) {
             Some(info_or_err) => log_err_and_return_false!(info_or_err),
             None => return false,
         };

diff --git a/mm2src/coins/lightning/ln_sql.rs b/mm2src/coins/lightning/ln_sql.rs
@@ -1,11 +1,13 @@
+#![allow(deprecated)] // TODO: remove this once rusqlite is >= 0.29
+
 use crate::lightning::ln_db::{ChannelType, ChannelVisibility, ClosedChannelsFilter, DBChannelDetails,
                               DBPaymentsFilter, GetClosedChannelsResult, GetPaymentsResult, HTLCStatus, LightningDB,
                               PaymentInfo, PaymentType};
 use async_trait::async_trait;
 use common::{async_blocking, now_sec_i64, PagingOptionsEnum};
 use db_common::owned_named_params;
 use db_common::sqlite::rusqlite::types::Type;
-use db_common::sqlite::rusqlite::{params, Error as SqlError, Row, ToSql, NO_PARAMS};
+use db_common::sqlite::rusqlite::{params, Error as SqlError, Row, ToSql};
 use db_common::sqlite::sql_builder::SqlBuilder;
 use db_common::sqlite::{h256_option_slice_from_row, h256_slice_from_row, offset_by_id, query_single_row,
                         sql_text_conversion_err, string_from_row, validate_table_name, AsSqlNamedParams,
@@ -626,8 +628,8 @@ impl LightningDB for SqliteLightningDB {
         let sql_payments_history = create_payments_history_table_sql(self.db_ticker.as_str())?;
         async_blocking(move || {
             let conn = sqlite_connection.lock().unwrap();
-            conn.execute(&sql_channels_history, NO_PARAMS).map(|_| ())?;
-            conn.execute(&sql_payments_history, NO_PARAMS).map(|_| ())?;
+            conn.execute(&sql_channels_history, []).map(|_| ())?;
+            conn.execute(&sql_payments_history, []).map(|_| ())?;
             Ok(())
         })
         .await
@@ -803,7 +805,7 @@ impl LightningDB for SqliteLightningDB {
             let mut total_builder = sql_builder.clone();
             total_builder.count("id");
             let total_sql = total_builder.sql().expect("valid sql");
-            let total: isize = conn.query_row(&total_sql, NO_PARAMS, |row| row.get(0))?;
+            let total: isize = conn.query_row(&total_sql, [], |row| row.get(0))?;
             let total = total.try_into().expect("count should be always above zero");
 
             let offset = match paging {
@@ -988,7 +990,7 @@ impl LightningDB for SqliteLightningDB {
             let mut total_builder = sql_builder.clone();
             total_builder.count("id");
             let total_sql = total_builder.sql().expect("valid sql");
-            let total: isize = conn.query_row(&total_sql, NO_PARAMS, |row| row.get(0))?;
+            let total: isize = conn.query_row(&total_sql, [], |row| row.get(0))?;
             let total = total.try_into().expect("count should be always above zero");
 
             let offset = match paging {

diff --git a/mm2src/coins/tx_history_storage/sql_tx_history_storage_v2.rs b/mm2src/coins/tx_history_storage/sql_tx_history_storage_v2.rs
@@ -6,7 +6,7 @@ use async_trait::async_trait;
 use common::{async_blocking, PagingOptionsEnum};
 use db_common::sql_build::*;
 use db_common::sqlite::rusqlite::types::Type;
-use db_common::sqlite::rusqlite::{Connection, Error as SqlError, Row, NO_PARAMS};
+use db_common::sqlite::rusqlite::{Connection, Error as SqlError, Row};
 use db_common::sqlite::{query_single_row, string_from_row, validate_table_name, CHECK_TABLE_EXISTS_SQL};
 use mm2_core::mm_ctx::MmArc;
 use mm2_err_handle::prelude::*;
@@ -402,12 +402,12 @@ impl TxHistoryStorage for SqliteTxHistoryStorage {
         async_blocking(move || {
             let conn = selfi.0.lock().unwrap();
 
-            conn.execute(&sql_history, NO_PARAMS).map(|_| ())?;
-            conn.execute(&sql_addr, NO_PARAMS).map(|_| ())?;
-            conn.execute(&sql_cache, NO_PARAMS).map(|_| ())?;
+            conn.execute(&sql_history, []).map(|_| ())?;
+            conn.execute(&sql_addr, []).map(|_| ())?;
+            conn.execute(&sql_cache, []).map(|_| ())?;
 
-            conn.execute(&sql_history_index, NO_PARAMS).map(|_| ())?;
-            conn.execute(&sql_addr_index, NO_PARAMS).map(|_| ())?;
+            conn.execute(&sql_history_index, []).map(|_| ())?;
+            conn.execute(&sql_addr_index, []).map(|_| ())?;
             Ok(())
         })
         .await
@@ -466,12 +466,12 @@ impl TxHistoryStorage for SqliteTxHistoryStorage {
                     token_id,
                     tx_json,
                 ];
-                sql_transaction.execute(&insert_tx_in_history_sql(&wallet_id)?, &params)?;
+                sql_transaction.execute(&insert_tx_in_history_sql(&wallet_id)?, params)?;
 
                 let addresses: FilteringAddresses = tx.from.into_iter().chain(tx.to.into_iter()).collect();
                 for address in addresses {
                     let params = [internal_id.clone(), address];
-                    sql_transaction.execute(&insert_tx_address_sql(&wallet_id)?, &params)?;
+                    sql_transaction.execute(&insert_tx_address_sql(&wallet_id)?, params)?;
                 }
             }
             sql_transaction.commit()?;
@@ -495,9 +495,9 @@ impl TxHistoryStorage for SqliteTxHistoryStorage {
             let mut conn = selfi.0.lock().unwrap();
             let sql_transaction = conn.transaction()?;
 
-            sql_transaction.execute(&remove_tx_addr_sql, &params)?;
+            sql_transaction.execute(&remove_tx_addr_sql, params.clone())?;
 
-            let rows_num = sql_transaction.execute(&remove_tx_history_sql, &params)?;
+            let rows_num = sql_transaction.execute(&remove_tx_history_sql, params)?;
             let remove_tx_result = if rows_num > 0 {
                 RemoveTxResult::TxRemoved
             } else {
@@ -532,7 +532,7 @@ impl TxHistoryStorage for SqliteTxHistoryStorage {
 
         async_blocking(move || {
             let conn = selfi.0.lock().unwrap();
-            query_single_row(&conn, &sql, NO_PARAMS, block_height_from_row).map_to_mm(SqlError::from)
+            query_single_row(&conn, &sql, [], block_height_from_row).map_to_mm(SqlError::from)
         })
         .await
     }

diff --git a/mm2src/coins/utxo/utxo_block_header_storage/sql_block_header_storage.rs b/mm2src/coins/utxo/utxo_block_header_storage/sql_block_header_storage.rs
@@ -2,7 +2,7 @@ use async_trait::async_trait;
 use chain::BlockHeader;
 use common::async_blocking;
 use db_common::{sqlite::rusqlite::Error as SqlError,
-                sqlite::rusqlite::{Connection, Row, ToSql, NO_PARAMS},
+                sqlite::rusqlite::{params_from_iter, Connection, Row, ToSql},
                 sqlite::string_from_row,
                 sqlite::validate_table_name,
                 sqlite::CHECK_TABLE_EXISTS_SQL};
@@ -110,8 +110,7 @@ fn query_single_row<T, P, F>(
     map_fn: F,
 ) -> Result<Option<T>, BlockHeaderStorageError>
 where
-    P: IntoIterator,
-    P::Item: ToSql,
+    P: db_common::sqlite::rusqlite::Params,
     F: FnOnce(&Row<'_>) -> Result<T, SqlError>,
 {
     db_common::sqlite::query_single_row(conn, query, params, map_fn).map_err(|e| BlockHeaderStorageError::QueryError {
@@ -129,12 +128,12 @@ impl BlockHeaderStorageOps for SqliteBlockHeadersStorage {
 
         async_blocking(move || {
             let conn = selfi.conn.lock().unwrap();
-            conn.execute(&sql_cache, NO_PARAMS).map(|_| ()).map_err(|e| {
-                BlockHeaderStorageError::InitializationError {
+            conn.execute(&sql_cache, [])
+                .map(|_| ())
+                .map_err(|e| BlockHeaderStorageError::InitializationError {
                     coin,
                     reason: e.to_string(),
-                }
-            })?;
+                })?;
             Ok(())
         })
         .await
@@ -246,7 +245,7 @@ impl BlockHeaderStorageOps for SqliteBlockHeadersStorage {
 
         async_blocking(move || {
             let conn = selfi.conn.lock().unwrap();
-            query_single_row(&conn, &sql, NO_PARAMS, |row| row.get::<_, i64>(0))
+            query_single_row(&conn, &sql, [], |row| row.get::<_, i64>(0))
         })
         .await
         .map_err(|e| BlockHeaderStorageError::GetFromStorageError {
@@ -271,7 +270,7 @@ impl BlockHeaderStorageOps for SqliteBlockHeadersStorage {
 
         let maybe_header_raw = async_blocking(move || {
             let conn = selfi.conn.lock().unwrap();
-            query_single_row(&conn, &sql, NO_PARAMS, string_from_row)
+            query_single_row(&conn, &sql, [], string_from_row)
         })
         .await
         .map_err(|e| BlockHeaderStorageError::GetFromStorageError {
@@ -320,7 +319,7 @@ impl BlockHeaderStorageOps for SqliteBlockHeadersStorage {
 
         async_blocking(move || {
             let conn = selfi.conn.lock().unwrap();
-            conn.execute(&sql, &params)
+            conn.execute(&sql, params_from_iter(params.iter()))
         })
         .await
         .map_err(|err| BlockHeaderStorageError::UnableToDeleteHeaders {
@@ -337,7 +336,7 @@ impl BlockHeaderStorageOps for SqliteBlockHeadersStorage {
         let table_name = get_table_name_and_validate(&self.ticker).unwrap();
         let sql = format!("SELECT COUNT(block_height) FROM {table_name};");
         let conn = self.conn.lock().unwrap();
-        let rows_count: u32 = conn.query_row(&sql, NO_PARAMS, |row| row.get(0)).unwrap();
+        let rows_count: u32 = conn.query_row(&sql, [], |row| row.get(0)).unwrap();
         if rows_count == 0 {
             return Ok(());
         };

diff --git a/mm2src/coins/utxo/utxo_common.rs b/mm2src/coins/utxo/utxo_common.rs
@@ -3548,7 +3548,7 @@ pub fn coin_protocol_info<T: UtxoCommonOps>(coin: &T) -> Vec<u8> {
 
 pub fn is_coin_protocol_supported<T: UtxoCommonOps>(coin: &T, info: &Option<Vec<u8>>) -> bool {
     match info {
-        Some(format) => rmp_serde::from_read_ref::<_, UtxoAddressFormat>(format).is_ok(),
+        Some(format) => rmp_serde::from_slice::<UtxoAddressFormat>(format).is_ok(),
         None => !coin.addr_format().is_segwit(),
     }
 }

diff --git a/mm2src/coins/z_coin.rs b/mm2src/coins/z_coin.rs
@@ -36,7 +36,7 @@ use common::{async_blocking, calc_total_pages, log, one_thousand_u32, sha256_dig
 use crypto::privkey::{key_pair_from_secret, secp_privkey_from_hash};
 use crypto::{Bip32DerPathOps, GlobalHDAccountArc, StandardHDPathToCoin};
 use db_common::sqlite::offset_by_id;
-use db_common::sqlite::rusqlite::{Error as SqlError, Row, NO_PARAMS};
+use db_common::sqlite::rusqlite::{Error as SqlError, Row};
 use db_common::sqlite::sql_builder::{name, SqlBuilder, SqlName};
 use futures::compat::Future01CompatExt;
 use futures::lock::Mutex as AsyncMutex;
@@ -488,7 +488,7 @@ impl ZCoin {
                 .field("COUNT(id_tx)")
                 .sql()
                 .expect("valid SQL");
-            let total_tx_count = conn.query_row(&total_sql, NO_PARAMS, |row| row.get(0))?;
+            let total_tx_count = conn.query_row(&total_sql, [], |row| row.get(0))?;
 
             let mut sql_builder = SqlBuilder::select_from(name!(TRANSACTIONS_TABLE; "txes"));
             sql_builder
@@ -526,7 +526,7 @@ impl ZCoin {
 
             let sql_items = conn
                 .prepare(&sql)?
-                .query_map(NO_PARAMS, ZCoinSqlTxHistoryItem::try_from_sql_row)?
+                .query_map([], ZCoinSqlTxHistoryItem::try_from_sql_row)?
                 .collect::<Result<Vec<_>, _>>()?;
 
             Ok(SqlTxHistoryRes {

diff --git a/mm2src/coins/z_coin/z_rpc.rs b/mm2src/coins/z_coin/z_rpc.rs
@@ -4,7 +4,7 @@ use async_trait::async_trait;
 use common::executor::{spawn_abortable, AbortOnDropHandle, Timer};
 use common::log::{debug, error, info, LogOnError};
 use common::{async_blocking, Future01CompatExt};
-use db_common::sqlite::rusqlite::{params, Connection, Error as SqliteError, NO_PARAMS};
+use db_common::sqlite::rusqlite::{params, Connection, Error as SqliteError};
 use db_common::sqlite::{query_single_row, run_optimization_pragmas};
 use futures::channel::mpsc::{channel, Receiver as AsyncReceiver, Sender as AsyncSender};
 use futures::channel::oneshot::{channel as oneshot_channel, Sender as OneshotSender};
@@ -284,7 +284,7 @@ impl BlockDb {
             height INTEGER PRIMARY KEY,
             data BLOB NOT NULL
         )",
-            NO_PARAMS,
+            [],
         )?;
         Ok(BlockDb(conn))
     }
@@ -336,7 +336,7 @@ impl BlockDb {
         Ok(query_single_row(
             &self.0,
             "SELECT height FROM compactblocks ORDER BY height DESC LIMIT 1",
-            NO_PARAMS,
+            [],
             |row| row.get(0),
         )?
         .unwrap_or(0))

diff --git a/mm2src/common/Cargo.toml b/mm2src/common/Cargo.toml
@@ -19,7 +19,7 @@ backtrace = "0.3"
 bytes = "1.1"
 cfg-if = "1.0"
 crossbeam = "0.8"
-env_logger = "0.9.0"
+env_logger = "0.9.3"
 derive_more = "0.99"
 fnv = "1.0.6"
 futures01 = { version = "0.1", package = "futures" }
@@ -48,7 +48,6 @@ instant = { version = "0.1.12" }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 chrono = { version = "0.4", features = ["wasmbind"] }
-getrandom = { version = "0.2.9", features = ["js"] } # see https://docs.rs/getrandom/0.2.0/getrandom/#webassembly-support
 gstuff = { version = "0.7", features = ["nightly"] }
 instant = { version = "0.1.12", features = ["wasm-bindgen"] }
 js-sys = "0.3.27"
@@ -63,7 +62,7 @@ web-sys = { version = "0.3.55", features = ["console", "CloseEvent", "DomExcepti
 anyhow = "1.0"
 chrono = "0.4"
 gstuff = { version = "0.7", features = ["nightly"] }
-hyper = { version = "0.14.11", features = ["client", "http2", "server", "tcp"] }
+hyper = { version = "0.14.26", features = ["client", "http2", "server", "tcp"] }
 # using webpki-tokio to avoid rejecting valid certificates
 # got "invalid certificate: UnknownIssuer" for https://ropsten.infura.io on iOS using default-features
 hyper-rustls = { version = "0.23", default-features = false, features = ["http1", "http2", "webpki-tokio"] }

diff --git a/mm2src/db_common/Cargo.toml b/mm2src/db_common/Cargo.toml
@@ -13,5 +13,5 @@ log = "0.4.17"
 uuid = { version = "1.2.2", features = ["fast-rng", "serde", "v4"] }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
-rusqlite = { version = "0.24.2", features = ["bundled"] }
+rusqlite = { version = "0.28", features = ["bundled"] }
 sql-builder = "3.1.1"
diff --git a/mm2src/db_common/src/sql_create.rs b/mm2src/db_common/src/sql_create.rs
@@ -3,7 +3,7 @@ use crate::sql_value::{FromQuoted, SqlValue};
 use crate::sqlite::StringError;
 use common::fmt::{WriteSafe, WriteSafeJoin};
 use common::write_safe;
-use rusqlite::{Connection, Error as SqlError, Result as SqlResult, NO_PARAMS};
+use rusqlite::{Connection, Error as SqlError, Result as SqlResult};
 use std::fmt;
 
 pub enum SqlType {
@@ -144,7 +144,7 @@ impl<'a> SqlCreateTable<'a> {
     }
 
     pub fn create(self) -> SqlResult<()> {
-        self.conn.execute(&self.sql()?, NO_PARAMS)?;
+        self.conn.execute(&self.sql()?, [])?;
         Ok(())
     }