diff --git a/requirements.txt b/requirements.txt index 357dfe633..60b23150c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,8 @@ +asgiref==3.2.7 attrs==19.3.0 beautifulsoup4==4.7.1 +cached-property==1.5.1 +cffi==1.14.0 dephell-specifier==0.2.1 dj-database-url==0.4.2 Django==3.0.3 @@ -15,14 +18,18 @@ pluggy==0.13.1 psycopg2==2.8.4 py==1.8.0 pycodestyle==2.5.0 +pycparser==2.20 +pygit2==1.2.0 pyparsing==2.4.5 pytest==5.3.2 pytest-dependency==0.4.0 pytest-django==3.7.0 pytest-mock==1.13.0 +pytoml==0.1.21 pytz==2019.3 PyYAML==5.3 saneyaml==0.4 +schema==0.7.1 six==1.13.0 soupsieve==1.9.5 sqlparse==0.3.0 @@ -30,5 +37,3 @@ tqdm==4.41.1 wcwidth==0.1.7 whitenoise==5.0.1 zipp==0.6.0 -pytoml==0.1.21 -schema==0.7.1 diff --git a/vulnerabilities/data_source.py b/vulnerabilities/data_source.py index 7644896a1..5e9391bb6 100644 --- a/vulnerabilities/data_source.py +++ b/vulnerabilities/data_source.py @@ -20,18 +20,58 @@ # VulnerableCode is a free software code scanning tool from nexB Inc. and others. # Visit https://github.com/nexB/vulnerablecode/ for support and download. +import dataclasses +import os +import shutil +import tempfile from datetime import datetime +from pathlib import Path from typing import Any from typing import ContextManager +from typing import List from typing import Mapping from typing import Optional from typing import Sequence -import dataclasses +from typing import Set +import pygit2 from packageurl import PackageURL @dataclasses.dataclass +class Advisory: + """ + This data class expresses the contract between data sources and the import runner. + Data sources are expected to be usable as context managers and generators, yielding batches of Advisory sequences. + + NB: There are two representations for package URLs that are commonly used by code consuming this data class; + PackageURL objects and strings. As a convention, the former is referred to in variable names, etc. as + "package_urls" and the latter as "purls". + """ + summary: str + impacted_package_urls: Sequence[PackageURL] + resolved_package_urls: Sequence[PackageURL] = dataclasses.field(default_factory=list) + references: Sequence[str] = dataclasses.field(default_factory=list) + cve_id: Optional[str] = None + + @property + def impacted_purls(self) -> Set[str]: + return {str(p) for p in self.impacted_package_urls} + + @property + def resolved_purls(self) -> Set[str]: + return {str(p) for p in self.resolved_package_urls} + + +class InvalidConfigurationError(Exception): + pass + + +@dataclasses.dataclass +class DataSourceConfiguration: + batch_size: int + + class DataSource(ContextManager): """ This class defines how importers consume advisories from a data source. @@ -39,15 +79,41 @@ class DataSource(ContextManager): It makes a distinction between newly added records since the last run and modified records. This allows the import logic to pick appropriate database operations. """ - batch_size: int - cutoff_date: Optional[datetime] = None - config: Optional[Mapping[str, Any]] = dataclasses.field(default_factory=dict) + + CONFIG_CLASS = DataSourceConfiguration + + def __init__( + self, + batch_size: int, + last_run_date: Optional[datetime] = None, + cutoff_date: Optional[datetime] = None, + config: Optional[Mapping[str, Any]] = None, + ): + """ + Create a DataSource instance. + + :param batch_size: Maximum number of records to return from added_advisories() and updated_advisories() + :param last_run_date: Optional timestamp when this data source was last inspected + :param cutoff_date: Optional timestamp, records older than this will be ignored + :param config: Optional dictionary with subclass-specific configuration + """ + config = config or {} + try: + self.config = self.__class__.CONFIG_CLASS(batch_size, **config) + # These really should be declared in DataSourceConfiguration above but that would prevent DataSource + # subclasses from declaring mandatory parameters (i.e. positional arguments) + setattr(self.config, 'last_run_date', last_run_date) + setattr(self.config, 'cutoff_date', cutoff_date) + except Exception as e: + raise InvalidConfigurationError(str(e)) + + self.validate_configuration() def __enter__(self): """ Subclasses acquire per-run resources, such as network connections, file downloads, etc. here. """ - return self + pass def __exit__(self, exc_type, exc_val, exc_tb): """ @@ -55,45 +121,222 @@ def __exit__(self, exc_type, exc_val, exc_tb): """ pass - def added_advisories(self): + def validate_configuration(self) -> None: + """ + Subclasses can perform more complex validation than what is handled by data classes and their type annotations. + + This method is called in the constructor. It should raise InvalidConfigurationError with a human-readable + message. + """ + pass + + def added_advisories(self) -> List[Advisory]: """ Subclasses yield batch_size sized batches of Advisory objects that have been added to the data source since self.cutoff_date. """ raise StopIteration - def updated_advisories(self): + def updated_advisories(self) -> List[Advisory]: """ Subclasses yield batch_size sized batches of Advisory objects that have been modified since self.cutoff_date. NOTE: Data sources that do not enable detection of changes to existing records vs added records must only - implement this method, not new_records(). The ImportRunner relies on this contract to decide between + implement this method, not added_advisories(). The ImportRunner relies on this contract to decide between insert and update operations. """ raise StopIteration + def error(self, msg: str) -> None: + """ + Helper method for raising InvalidConfigurationError with the class name in the message. + """ + raise InvalidConfigurationError(f'{type(self).__name__}: {msg}') + @dataclasses.dataclass -class Advisory: - """ - This data class expresses the contract between data sources and the import runner. - Data sources are expected to be usable as context managers and generators, yielding batches of Advisory sequences. +class GitDataSourceConfiguration(DataSourceConfiguration): + repository_url: str + branch: Optional[str] = None + create_working_directory: bool = True + remove_working_directory: bool = True + working_directory: Optional[str] = None - NB: There are two representations for package URLs that are commonly used by code consuming this data class; - PackageURL objects and strings. As a convention, the former is referred to in variable names, etc. as - "package_urls" and the latter as "purls". - """ - summary: str - impacted_package_urls: Sequence[PackageURL] - resolved_package_urls: Sequence[PackageURL] = dataclasses.field(default_factory=list) - references: Sequence[str] = dataclasses.field(default_factory=list) - cve_id: Optional[str] = None - @property - def impacted_purls(self): - return {str(p) for p in self.impacted_package_urls} +class GitDataSource(DataSource): + CONFIG_CLASS = GitDataSourceConfiguration - @property - def resolved_purls(self): - return {str(p) for p in self.resolved_package_urls} + def validate_configuration(self) -> None: + + if not self.config.create_working_directory and self.config.working_directory is None: + self.error('"create_working_directory" is not set but "working_directory" is set to the default, which ' + 'calls tempfile.mkdtemp()') + + if not self.config.create_working_directory and not os.path.exists(self.config.working_directory): + self.error('"working_directory" does not contain an existing directory and "create_working_directory" is ' + 'not set') + + if not self.config.remove_working_directory and self.config.working_directory is None: + self.error('"remove_working_directory" is not set and "working_directory" is set to the default, which ' + 'calls tempfile.mkdtemp()') + + def __enter__(self): + self._ensure_working_directory() + self._ensure_repository() + + def __exit__(self, exc_type, exc_val, exc_tb): + if self.config.remove_working_directory: + shutil.rmtree(self.config.working_directory) + + def added_advisories(self) -> List[Advisory]: + raise NotImplementedError + + def updated_advisories(self) -> List[Advisory]: + raise NotImplementedError + + # TODO Sort out cutoff_date vs last_run_date. The former is "no entries older than one year", + # TODO not "the importer was last run on" + def added_files( + self, + subdir: str = None, + recursive: bool = False, + file_ext: Optional[str] = None + ) -> List[str]: + + if subdir is None: + working_dir = self.config.working_directory + else: + working_dir = os.path.join(self.config.working_directory, subdir) + + path = Path(working_dir) + + if self.config.cutoff_date is None: + if recursive: + glob = '**/*' + else: + glob = '*' + + if file_ext: + glob = f'{glob}.{file_ext}' + + return [str(p.relative_to(working_dir)) for p in path.glob(glob) if p.is_file()] + + return self._collect_files(pygit2.GIT_DELTA_ADDED, subdir, recursive, file_ext) + + def updated_files( + self, + subdir: str = None, + recursive: bool = False, + file_ext: str = None + ) -> List[str]: + + if self.config.cutoff_date is None: + return [] + + return self._collect_files(pygit2.GIT_DELTA_MODIFIED, subdir, recursive, file_ext) + + # TODO Just filtering on the two status values for "added" and "modified" is too simplistic. + # TODO This does not cover file renames, copies & deletions. + def _collect_files( + self, + delta_status: int, + subdir: Optional[str], + recursive: bool, + file_ext: Optional[str], + ) -> List[str]: + + cutoff = 0 if self.config.cutoff_date is None else int(self.config.cutoff_date.timestamp()) + previous_commit = None + files = [] + + for commit in self._repo.walk(self._repo.head.target, pygit2.GIT_SORT_TIME): + if previous_commit is None: + previous_commit = commit + continue + + deltas = commit.tree.diff_to_tree(previous_commit.tree).deltas + for d in deltas: + path = d.new_file.path + + if d.status == delta_status and not d.is_binary and _include_file(path, subdir, recursive, file_ext): + files.append(path) + + if commit.commit_time < cutoff: + break + + previous_commit = commit + + return files + + def _ensure_working_directory(self) -> None: + if self.config.working_directory is None: + self.config.working_directory = tempfile.mkdtemp() + elif self.config.create_working_directory and not os.path.exists(self.config.working_directory): + os.mkdir(self.config.working_directory) + + def _ensure_repository(self) -> None: + repodir = pygit2.discover_repository(self.config.working_directory) + if repodir is None: + self._clone_repository() + return + + self._repo = pygit2.Repository(repodir) + + if self.config.branch is None: + self.config.branch = self._repo.head.shorthand + branch = self._repo.branches[self.config.branch] + + if not branch.is_checked_out(): + self._repo.checkout(branch) + + remote = self._find_or_add_remote() + progress = remote.fetch() + if progress.received_objects == 0: + return + + remote_branch = self._repo.branches[f'{remote.name}/{self.config.branch}'] + branch.set_target(remote_branch.target) + self._repo.checkout(branch, strategy=pygit2.GIT_CHECKOUT_FORCE) + + def _clone_repository(self): + kwargs = {} + if getattr(self, 'branch', False): + kwargs['checkout_branch'] = self.config.branch + + self._repo = pygit2.clone_repository(self.config.repository_url, self.config.working_directory, **kwargs) + + def _find_or_add_remote(self): + remote = None + for r in self._repo.remotes: + if r.url == self.config.repository_url: + remote = r + break + + if remote is None: + remote = self._repo.remotes.create('added_by_vulnerablecode', self.config.repository_url) + + return remote + + +def _include_file( + path: str, + subdir: Optional[str] = None, + recursive: bool = False, + file_ext: Optional[str] = None, +) -> bool: + match = True + + if subdir: + if not subdir.endswith(os.path.sep): + subdir = f'{subdir}{os.path.sep}' + + match = match and path.startswith(subdir) + + if not recursive: + match = match and (os.path.sep not in path[len(subdir or ''):]) + + if file_ext: + match = match and path.endswith(f'.{file_ext}') + + return match diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py index 7e72da1f8..bd22492d1 100644 --- a/vulnerabilities/models.py +++ b/vulnerabilities/models.py @@ -124,4 +124,6 @@ def make_data_source(self, cutoff_date=None, batch_size=None) -> DataSource: cd = cutoff_date or self.last_run importers_module = importlib.import_module('vulnerabilities.importers') klass = getattr(importers_module, self.data_source) - return klass(cutoff_date=cd, batch_size=batch_size, config=self.data_source_cfg) + ds = klass(cutoff_date=cd, batch_size=batch_size, config=self.data_source_cfg) + ds.apply_config() + return ds diff --git a/vulnerabilities/tests/conftest.py b/vulnerabilities/tests/conftest.py index bf5144ad3..fcd4be922 100644 --- a/vulnerabilities/tests/conftest.py +++ b/vulnerabilities/tests/conftest.py @@ -59,3 +59,13 @@ def setArchLinuxData(db): test_data = json.load(f) archlinux_dump(test_data) + + +@pytest.fixture +def no_mkdir(monkeypatch): + monkeypatch.delattr('os.mkdir') + + +@pytest.fixture +def no_rmtree(monkeypatch): + monkeypatch.delattr('shutil.rmtree') diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/.github/workflows/validate.yml b/vulnerabilities/tests/test_data/rust/advisory-db/.github/workflows/validate.yml new file mode 100644 index 000000000..b9a56a722 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/.github/workflows/validate.yml @@ -0,0 +1,28 @@ +name: Validate + +on: + pull_request: {} + push: + branches: master + +jobs: + lint: + name: Lint advisories + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + + - name: Cache cargo bin + uses: actions/cache@v1 + with: + path: ~/.cargo/bin + key: rustsec-admin-v0.1.1 + + - name: Install rustsec-admin + run: | + if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then + cargo install rustsec-admin + fi + + - name: Lint advisories + run: rustsec-admin lint diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/CODE_OF_CONDUCT.md b/vulnerabilities/tests/test_data/rust/advisory-db/CODE_OF_CONDUCT.md new file mode 100644 index 000000000..3b8032720 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/CODE_OF_CONDUCT.md @@ -0,0 +1,74 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or +advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at bascule@gmail.com. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/CONTRIBUTING.md b/vulnerabilities/tests/test_data/rust/advisory-db/CONTRIBUTING.md new file mode 100644 index 000000000..c07dfa9cf --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/CONTRIBUTING.md @@ -0,0 +1,63 @@ +# Reporting Vulnerabilities + +To add an advisory to the RustSec database, open a [Pull Request] against +this repository containing the new advisory: + +### Required Steps + +1. Create a file named `RUSTSEC-0000-0000.toml` in the `crates/` + subdirectory of this repository (you may need to create it if it doesn't exist) +2. Copy and paste the [TOML advisory template] from the README.md file in this repo. + Delete the comments and additional whitespace, and fill it out with the + details of the advisory. +3. Open a [Pull Request]. After being reviewed your advisory will be assigned + a `RUSTSEC-*` advisory identifier and be published to the database. + +### Optional Steps + +Feel free to do either or both of these as you see fit (we recommend you do both): + +4. [Yank] the affected versions of the crate. +5. Request a CVE for your vulnerability: https://iwantacve.org/ + +## Criteria + +RustSec is a database of security vulnerabilities. The following are +examples of qualifying vulnerabilities: + +* Code Execution (i.e. RCE) +* Memory Corruption +* Privilege Escalation (either at OS level or inside of an app/library) +* File Disclosure / Directory Traversal +* Web Security (e.g. XSS, CSRF) +* Format Injection, e.g. shell escaping, SQL injection (and also XSS) +* Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage) +* Covert Channels (e.g. Spectre, Meltdown) +* Panics in code advertised as "panic-free" (particularly if useful for network DoS attacks) + +When in doubt, please open a PR. + +## FAQ + +**Q: Do I need to be owner of a crate to file an advisory?** + +A: No, anyone can file an advisory against any crate. The legitimacy of + vulnerabilities will be determined prior to merging. If a vulnerability + turns out to be fake it will be removed from the database. + +**Q: Can I file an advisory without creating a pull request?** + +A: Yes, instead of creating a full advisory yourself you can also + [open an issue on the advisory-db repo](https://github.com/RustSec/advisory-db/issues) + or email information about the vulnerability to + [rustsec@googlegroups.com](mailto:rustsec@googlegroups.com). + +**Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?** + +A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes + have been lifted and details have been disclosed to the public prior to filing + them against RustSec. + +[Pull Request]: https://github.com/RustSec/advisory-db/pulls +[TOML advisory template]: https://github.com/RustSec/advisory-db#advisory-format +[Yank]: https://doc.rust-lang.org/cargo/commands/cargo-yank.html diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/LICENSE.txt b/vulnerabilities/tests/test_data/rust/advisory-db/LICENSE.txt new file mode 100644 index 000000000..5149a95c2 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/LICENSE.txt @@ -0,0 +1,11 @@ +All code and data in the RustSec advisory database repository is dedicated to +the public domain: + +https://creativecommons.org/publicdomain/zero/1.0/ + +By committing to this repository, you hereby waive all rights to the work +worldwide under copyright law, including all related and neighboring rights, to +the extent allowed by law. + +You can copy, modify, distribute, and retransmit any information in this +repository, even for commercial purposes, without asking permission. diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/README.md b/vulnerabilities/tests/test_data/rust/advisory-db/README.md new file mode 100644 index 000000000..9da1d5920 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/README.md @@ -0,0 +1,128 @@ +# RustSec Advisory Database + +[![Build Status][build-image]][build-link] +![Maintained: Q1 2020][maintained-image] +[![Gitter Chat][gitter-image]][gitter-link] + +The RustSec Advisory Database is a repository of security advisories filed +against Rust crates published via https://crates.io + +Advisory metadata is stored in [TOML] format (see below). The following tools +consume the data and can be used for auditing and reporting (send PRs to add yours): + +* [cargo-audit]: Audit `Cargo.lock` files for crates with security vulnerabilities + +## Reporting Vulnerabilities + +To report a new vulnerability, open a pull request using the template below. +See [CONTRIBUTING.md] for more information. + + + Report Vulnerability + + +## Advisory Format + +Each advisory contains information in [TOML] format: + +```toml +# Before you submit a PR using this template, **please delete the comments** +# explaining each field, as well as any unused fields. + +[advisory] +# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN" +# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs. +id = "RUSTSEC-0000-0000" + +# Name of the affected crate (mandatory) +package = "mycrate" + +# Disclosure date of the advisory as an RFC 3339 date (mandatory) +date = "2019-10-01" + +# Single-line description of a vulnerability (mandatory) +title = "Flaw in X allows Y" + +# URL to a long-form description of this issue, e.g. a GitHub issue/PR, +# a change log entry, or a blogpost announcing the release (optional) +url = "https://github.com/mystuff/mycrate/issues/123" + +# Optional: Categories this advisory falls under. Valid categories are: +# "code-execution", "crypto-failure", "denial-of-service", "file-disclosure" +# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation" +categories = ["crypto-failure"] + +# Optional: a Common Vulnerability Scoring System score. More information +# can be found on the CVSS website, https://www.first.org/cvss/. +#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + +# Freeform keywords which describe this vulnerability, similar to Cargo (optional) +keywords = ["ssl", "mitm"] + +# Vulnerability aliases, e.g. CVE IDs (optional but recommended) +# Request a CVE for your RustSec vulns: https://iwantacve.org/ +#aliases = ["CVE-2018-XXXX"] + +# References to related vulnerabilities (optional) +# e.g. CVE for a C library wrapped by a -sys crate) +#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"] + +# Enter a short-form description of the vulnerability here (mandatory) +description = """ +Affected versions of this crate did not properly X. + +This allows an attacker to Y. + +The flaw was corrected by Z. +""" + +# Optional: metadata which narrows the scope of what this advisory affects +[affected] +# CPU architectures impacted by this vulnerability (optional). +# Only use this if the vulnerability is specific to a particular CPU architecture, +# e.g. the vulnerability is in x86 assembly. +# For a list of CPU architecture strings, see the "platforms" crate: +# +#arch = ["x86", "x86_64"] + +# Operating systems impacted by this vulnerability (optional) +# Only use this if the vulnerable is specific to a particular OS, e.g. it was +# located in a binding to a Windows-specific API. +# For a list of OS strings, see the "platforms" crate: +# +#os = ["windows"] + +# Table of canonical paths to vulnerable functions (optional) +# mapping to which versions impacted by this advisory used that particular +# name (e.g. if the function was renamed between versions). +# The path syntax is `cratename::path::to::function`, without any +# parameters or additional information, followed by a list of version reqs. +functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] } + +# Versions which include fixes for this vulnerability (mandatory) +[versions] +patched = [">= 1.2.0"] + +# Versions which were never vulnerable (optional) +#unaffected = ["< 1.1.0"] +``` + +## License + +All content in this repository is placed in the public domain. + +[![Public Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/master/LICENSE.txt) + +[//]: # (badges) + +[build-image]: https://github.com/rustsec/advisory-db/workflows/Validate/badge.svg +[build-link]: https://github.com/rustsec/advisory-db/actions +[maintained-image]: https://img.shields.io/maintenance/yes/2020.svg +[gitter-image]: https://badges.gitter.im/badge.svg +[gitter-link]: https://gitter.im/RustSec/Lobby + +[//]: # (general links) + +[TOML]: https://github.com/toml-lang/toml +[cargo-audit]: https://github.com/rustsec/cargo-audit +[CONTRIBUTING.md]: https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/ammonia/RUSTSEC-2019-0001.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/ammonia/RUSTSEC-2019-0001.toml new file mode 100644 index 000000000..aa6fb9d3a --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/ammonia/RUSTSEC-2019-0001.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2019-0001" +package = "ammonia" +date = "2019-04-27" +title = "Uncontrolled recursion leads to abort in HTML serialization" +url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210" +keywords = ["stack-overflow", "crash"] +description = """ +Affected versions of this crate did use recursion for serialization of HTML +DOM trees. + +This allows an attacker to cause abort due to stack overflow by providing +a pathologically nested input. + +The flaw was corrected by serializing the DOM tree iteratively instead. +""" +aliases = ["CVE-2019-15542"] + +[affected.functions] +"ammonia::clean" = ["< 2.1.0"] +"ammonia::Document::to_string" = ["< 2.1.0"] +"ammonia::Document::write_to" = ["< 2.1.0"] + +[versions] +patched = [">= 2.1.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/arrayfire/RUSTSEC-2018-0011.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/arrayfire/RUSTSEC-2018-0011.toml new file mode 100644 index 000000000..ee13eb600 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/arrayfire/RUSTSEC-2018-0011.toml @@ -0,0 +1,29 @@ +[advisory] +id = "RUSTSEC-2018-0011" +package = "arrayfire" +date = "2018-12-18" +title = "Enum repr causing potential memory corruption" +url = "https://github.com/arrayfire/arrayfire-rust/pull/177" +categories = ["memory-corruption"] +keywords = ["enum", "repr"] +description = """ +The attribute repr() added to enums to be compatible with C-FFI caused +memory corruption on MSVC toolchain. + +arrayfire crates <= version 3.5.0 do not have this issue when used with +Rust versions 1.27 or earlier. The issue only started to appear since +Rust version 1.28. + +The issue seems to be interlinked with which version of Rust is being used. + +The issue was fixed in crate 3.6.0. +""" +aliases = ["CVE-2018-20998"] + +[versions] +patched = [">= 3.6.0"] +unaffected = ["<= 3.5.0"] + +[affected] +arch = ["x86_64"] +os = ["windows"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/asn1_der/RUSTSEC-2019-0007.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/asn1_der/RUSTSEC-2019-0007.toml new file mode 100644 index 000000000..31be27236 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/asn1_der/RUSTSEC-2019-0007.toml @@ -0,0 +1,18 @@ +[advisory] +id = "RUSTSEC-2019-0007" +package = "asn1_der" +date = "2019-06-13" +title = "Processing of maliciously crafted length fields causes memory allocation SIGABRTs" +url = "https://github.com/KizzyCode/asn1_der/issues/1" +keywords = ["dos"] +description = """ +Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks. + +This allows an attacker to trigger a SIGABRT by creating length fields that announce more bytes than the allocator can provide. + +The flaw was corrected by not preallocating memory. +""" +aliases = ["CVE-2019-15549"] + +[versions] +patched = [">= 0.6.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/base64/RUSTSEC-2017-0004.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/base64/RUSTSEC-2017-0004.toml new file mode 100644 index 000000000..af0fa6aff --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/base64/RUSTSEC-2017-0004.toml @@ -0,0 +1,23 @@ +[advisory] +id = "RUSTSEC-2017-0004" +package = "base64" +date = "2017-05-03" +url = "https://github.com/alicemaz/rust-base64/commit/24ead980daf11ba563e4fb2516187a56a71ad319" +title = "Integer overflow leads to heap-based buffer overflow in encode_config_buf" +keywords = ["memory-corruption"] +aliases = ["CVE-2017-1000430"] +description = """ +Affected versions of this crate suffered from an integer overflow bug when +calculating the size of a buffer to use when encoding base64 using the +`encode_config_buf` and `encode_config` functions. If the input string +was large, this would cause a buffer to be allocated that was too small. +Since this function writes to the buffer using unsafe code, it would +allow an attacker to write beyond the buffer, causing memory corruption +and possibly the execution of arbitrary code. + +This flaw was corrected by using checked arithmetic to calculate +the size of the buffer. +""" + +[versions] +patched = [">= 0.5.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/bitvec/RUSTSEC-2020-0007.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/bitvec/RUSTSEC-2020-0007.toml new file mode 100644 index 000000000..caf27cb64 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/bitvec/RUSTSEC-2020-0007.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2020-0007" +package = "bitvec" +date = "2020-03-27" +title = "use-after or double free of allocated memory" +url = "https://github.com/myrrlyn/bitvec/issues/55" +categories = ["memory-corruption"] +description = """ +Conversion of `BitVec` to `BitBox` did not account for allocation movement. + +The flaw was corrected by using the address after resizing, rather than the original base address. +""" + +[affected.functions] +"bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"] + +[versions] +patched = [">= 0.17.4"] +unaffected = ["< 0.11.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/blake2/RUSTSEC-2019-0019.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/blake2/RUSTSEC-2019-0019.toml new file mode 100644 index 000000000..70d7db5e6 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/blake2/RUSTSEC-2019-0019.toml @@ -0,0 +1,23 @@ +[advisory] +id = "RUSTSEC-2019-0019" +package = "blake2" +date = "2019-08-25" +title = "HMAC-BLAKE2 algorithms compute incorrect results" +url = "https://github.com/RustCrypto/MACs/issues/19" +categories = ["crypto-failure"] +description = """ +When used in conjunction with the Hash-based Message Authentication Code (HMAC), +the BLAKE2b and BLAKE2s implementations in `blake2` crate versions prior to +v0.8.1 used an incorrect block size (32-bytes instead of 64-bytes for BLAKE2s, +and 64-bytes instead of 128-bytes for BLAKE2b), causing them to miscompute the +`MacResult`. + +The v0.8.1 release of the `blake2` crate uses the correct block sizes. + +Note that this advisory only impacts usage of BLAKE2 with HMAC, and does not +impact `Digest` functionality. +""" +aliases = ["CVE-2019-16143"] + +[versions] +patched = [">= 0.8.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/bumpalo/RUSTSEC-2020-0006.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/bumpalo/RUSTSEC-2020-0006.toml new file mode 100644 index 000000000..d933c55c9 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/bumpalo/RUSTSEC-2020-0006.toml @@ -0,0 +1,42 @@ +[advisory] +id = "RUSTSEC-2020-0006" +package = "bumpalo" +date = "2020-03-24" +title = "Flaw in `realloc` allows reading unknown memory" +url = "https://github.com/fitzgen/bumpalo/issues/69" +categories = ["memory-exposure"] +description = """ +When `realloc`ing, if we allocate new space, we need to copy the old +allocation's bytes into the new space. There are `old_size` number of bytes in +the old allocation, but we were accidentally copying `new_size` number of bytes, +which could lead to copying bytes into the realloc'd space from past the chunk +that we're bump allocating out of, from unknown memory. + +If an attacker can cause `realloc`s, and can read the `realoc`ed data back, +this could allow them to read things from other regions of memory that they +shouldn't be able to. For example, if some crypto keys happened to live in +memory right after a chunk we were bump allocating out of, this could allow +the attacker to read the crypto keys. + +Beyond just fixing the bug and adding a regression test, I've also taken two +additional steps: + +1. While we were already running the testsuite under `valgrind` in CI, because + `valgrind` exits with the same code that the program did, if there are + invalid reads/writes that happen not to trigger a segfault, the program can + still exit OK and we will be none the wiser. I've enabled the + `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail + in these scenarios. + +2. I've written a quickcheck test to exercise `realloc`. Without the bug fix + in this patch, this quickcheck immediately triggers invalid reads when run + under `valgrind`. We didn't previously have quickchecks that exercised + `realloc` beacuse `realloc` isn't publicly exposed directly, and instead + can only be indirectly called. This new quickcheck test exercises `realloc` + via `bumpalo::collections::Vec::resize` and + `bumpalo::collections::Vec::shrink_to_fit` calls. +""" + +[versions] +patched = [">= 3.2.1"] +unaffected = ["< 3.0.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/cassandra/RUSTSEC-2016-0006.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/cassandra/RUSTSEC-2016-0006.toml new file mode 100644 index 000000000..6d4171b81 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/cassandra/RUSTSEC-2016-0006.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2016-0006" +package = "cassandra" +title = "`cassandra` crate is unmaintained; use `cassandra-cpp` instead" +informational = "unmaintained" +date = "2016-12-15" +url = "https://github.com/tupshin/cassandra-rs/issues/52" +description = """ +The `cassandra` crate has not seen a release since December 2016, and its author +is unresponsive. + +The `cassandra-cpp` crate is a maintained fork: + +https://github.com/Metaswitch/cassandra-rs +""" + +[versions] +patched = [] +unaffected = ["> 0.8.1"] # last release diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/cbox/RUSTSEC-2020-0005.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/cbox/RUSTSEC-2020-0005.toml new file mode 100644 index 000000000..805217013 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/cbox/RUSTSEC-2020-0005.toml @@ -0,0 +1,15 @@ +[advisory] +id = "RUSTSEC-2020-0005" +package = "cbox" +date = "2020-03-19" +title = "CBox API allows to de-reference raw pointers without `unsafe` code" +url = "https://github.com/TomBebbington/cbox-rs/issues/2" +categories = ["memory-corruption"] +description = """ +`CBox` and `CSemiBox` are part of the public API of the cbox crate +and they allow to create smart pointers from raw pointers and de-reference +them without the need of `unsafe` code. +""" + +[versions] +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/chacha20/RUSTSEC-2019-0029.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/chacha20/RUSTSEC-2019-0029.toml new file mode 100644 index 000000000..4d4c19c98 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/chacha20/RUSTSEC-2019-0029.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2019-0029" +package = "chacha20" +date = "2019-10-22" +title = "ChaCha20 counter overflow can expose repetitions in the keystream" +url = "https://github.com/RustCrypto/stream-ciphers/pull/64" +categories = ["crypto-failure"] +description = """ +The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (~256GB) +before the 32-bit counter overflows. Releases of the `chacha20` crate prior +to v0.2.3 allow generating keystreams larger than this, including seeking +past the limit. When this occurs, the keystream is duplicated, with failure +modes similar to nonce reuse (i.e. exposure of the XOR of two plaintexts). + +The v0.2.3 release now panics in this event, rather than exposing the +duplicated keystream. Note this is a "hot fix" solution to the problem +and future releases will pursue returning an error in this case. + +Users of the `chacha20poly1305` crate are unaffected by this as this crate +properly asserts the length of the plaintext is less than the maximum allowed +(`P_MAX` as described in RFC 8439 Section 2.8). +""" + +[versions] +patched = [">= 0.2.3"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/chan/RUSTSEC-2018-0014.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/chan/RUSTSEC-2018-0014.toml new file mode 100644 index 000000000..b78990a51 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/chan/RUSTSEC-2018-0014.toml @@ -0,0 +1,20 @@ +[advisory] +id = "RUSTSEC-2018-0014" +package = "chan" +title = "chan is end-of-life; use crossbeam-channel instead" +informational = "unmaintained" +date = "2018-07-31" +url = "https://github.com/BurntSushi/chan/commit/0a5c0d4ad4adc90a54ee04a427389acf2e157275" +description = """ +**`chan` has reached its end-of-life and is now deprecated.** + +The intended successor of this crate is +[`crossbeam-channel`](https://github.com/crossbeam-rs/crossbeam/tree/master/crossbeam-channel). +Its API is strikingly similar, but comes with a much better `select!` macro, +better performance, a better test suite and an all-around better +implementation. +""" + +[versions] +unaffected = ["> 0.1.23"] # last release +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/chttp/RUSTSEC-2019-0016.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/chttp/RUSTSEC-2019-0016.toml new file mode 100644 index 000000000..c3dc1f52d --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/chttp/RUSTSEC-2019-0016.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2019-0016" +package = "chttp" +date = "2019-09-01" +title = "Use-after-free in buffer conversion implementation" +description = """ +The From implementation for Vec was not properly implemented, +returning a vector backed by freed memory. This could lead to memory corruption +or be exploited to cause undefined behavior. + +A fix was published in version 0.1.3. +""" +url = "https://github.com/sagebind/isahc/issues/2" +keywords = ["memory-management", "memory-corruption"] +aliases = ["CVE-2019-16140"] + +[versions] +patched = [">= 0.1.3"] +unaffected = ["< 0.1.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/claxon/RUSTSEC-2018-0004.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/claxon/RUSTSEC-2018-0004.toml new file mode 100644 index 000000000..db1b23705 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/claxon/RUSTSEC-2018-0004.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2018-0004" +package = "claxon" +date = "2018-08-25" +title = "Malicious input could cause uninitialized memory to be exposed" +url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c" +keywords = ["uninitialized-memory"] +description = """ +Affected versions of Claxon made an invalid assumption about the decode buffer +size being a multiple of a value read from the bitstream. This could cause parts +of the decode buffer to not be overwritten. If the decode buffer was newly +allocated and uninitialized, this uninitialized memory could be exposed. + +This allows an attacker to observe parts of the uninitialized memory in the +decoded audio stream. + +The flaw was corrected by checking that the value read from the bistream divides +the decode buffer size, and returning a format error if it does not. If an error +is returned, the decode buffer is not exposed. Regression tests and an +additional fuzzer have been added to prevent similar flaws in the future. +""" +aliases = ["CVE-2018-20992"] + +[versions] +patched = ["=0.3.2", ">= 0.4.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/compact_arena/RUSTSEC-2019-0015.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/compact_arena/RUSTSEC-2019-0015.toml new file mode 100644 index 000000000..e93329fac --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/compact_arena/RUSTSEC-2019-0015.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2019-0015" +package = "compact_arena" +date = "2019-05-21" +title = "Flaw in generativity allows out-of-bounds access" +url = "https://github.com/llogiq/compact_arena/issues/22" +categories = ["memory-corruption"] +keywords = ["uninitialized-memory"] +description = """ +Affected versions of this crate did not properly implement the generativity, +because the invariant lifetimes were not necessarily `drop`ped. + +This allows an attacker to mix up two arenas, using indices created from one +arena with another one. This might lead to an out-of-bounds read or write +access into the memory reserved for the arena. + +The flaw was corrected by implementing generativity correctly in version 0.4.0. +""" +aliases = ["CVE-2019-16139"] + +[affected.functions] +"compact_arena::SmallArena::new" = ["< 0.4.0"] + +[versions] +patched = [">= 0.4.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/cookie/RUSTSEC-2017-0005.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/cookie/RUSTSEC-2017-0005.toml new file mode 100644 index 000000000..53860589e --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/cookie/RUSTSEC-2017-0005.toml @@ -0,0 +1,20 @@ +[advisory] +id = "RUSTSEC-2017-0005" +package = "cookie" +keywords = ["crash"] +url = "https://github.com/alexcrichton/cookie-rs/pull/86" +title = "Large cookie Max-Age values can cause a denial of service" +date = "2017-05-06" +description = """ +Affected versions of this crate use the `time` crate and the method +`Duration::seconds` to parse the `Max-Age` duration cookie setting. This method +will panic if the value is greater than 2^64/1000 and less than or equal to +2^64, which can result in denial of service for a client or server. + +This flaw was corrected by explicitly checking for the `Max-Age` being in this +integer range and clamping the value to the maximum duration value. +""" +aliases = ["CVE-2017-18589"] + +[versions] +patched = ["< 0.6.0", "^0.6.2", ">= 0.7.6"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/crossbeam/RUSTSEC-2018-0009.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/crossbeam/RUSTSEC-2018-0009.toml new file mode 100644 index 000000000..03415a791 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/crossbeam/RUSTSEC-2018-0009.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2018-0009" +package = "crossbeam" +date = "2018-12-09" +title = "MsQueue and SegQueue suffer from double-free" +url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82" +keywords = ["concurrency", "memory-management", "memory-corruption"] +description = """ +Even if an element is popped from a queue, crossbeam would run its +destructor inside the epoch-based garbage collector. This is a source +of double frees. + +The flaw was corrected by wrapping elements inside queues in a +`ManuallyDrop`. + +Thanks to @c0gent for reporting the issue. +""" +aliases = ["CVE-2018-20996"] + +[versions] +patched = [">= 0.4.1"] +unaffected = ["< 0.4.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/crust/RUSTSEC-2019-0032.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/crust/RUSTSEC-2019-0032.toml new file mode 100644 index 000000000..29039b120 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/crust/RUSTSEC-2019-0032.toml @@ -0,0 +1,18 @@ +[advisory] +id = "RUSTSEC-2019-0032" +package = "crust" +title = "crust repo has been archived; use libp2p instead" +informational = "unmaintained" +date = "2019-11-21" +url = "https://github.com/maidsafe/crust" +description = """ +** The `crust` crate repo was archived with no warning or explanation.** + +Given that it was archived with no warning or successor, there's not an +official replacement but [`rust-libp2p`](https://github.com/libp2p/rust-libp2p) +looks like it's got a similar feature set and is actively maintained. +""" + +[versions] +unaffected = ["> 0.32.1"] # last release +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/flatbuffers/RUSTSEC-2019-0028.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/flatbuffers/RUSTSEC-2019-0028.toml new file mode 100644 index 000000000..0d971fcaf --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/flatbuffers/RUSTSEC-2019-0028.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2019-0028" +package = "flatbuffers" +date = "2019-10-20" +url = "https://github.com/google/flatbuffers/issues/5530" +title = "Unsound `impl Follow for bool`" +description = """ +The implementation of `impl Follow for bool` allows to reinterpret arbitrary bytes as a `bool`. + +In Rust `bool` has stringent requirements for its in-memory representation. Use of this function +allows to violate these requirements and invoke undefined behaviour in safe code. +""" + +[affected.functions] +"flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] + +[versions] +patched = [">= 0.6.1"] +unaffected = ["< 0.4.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/generator/RUSTSEC-2019-0020.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/generator/RUSTSEC-2019-0020.toml new file mode 100644 index 000000000..f1c16a52e --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/generator/RUSTSEC-2019-0020.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2019-0020" +package = "generator" +date = "2019-09-06" +title = "fix unsound APIs that could lead to UB" +url = "https://github.com/Xudong-Huang/generator-rs/issues/9" +keywords = ["memory-corruption"] +description = """ +Affected versions of this crate API could use uninitialized memory with some APIs in special +cases, like use the API in none generator context. This could lead to UB. +The flaw was corrected by + + + +This patch fixes all those issues above. +""" + +[versions] +patched = [">= 0.6.18"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/http/RUSTSEC-2019-0033.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/http/RUSTSEC-2019-0033.toml new file mode 100644 index 000000000..fe88a86e3 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/http/RUSTSEC-2019-0033.toml @@ -0,0 +1,26 @@ +[advisory] +id = "RUSTSEC-2019-0033" +package = "http" +date = "2019-11-16" +title = "Integer Overflow in HeaderMap::reserve() can cause Denial of Service" +url = "https://github.com/hyperium/http/issues/352" +categories = ["denial-of-service"] +keywords = ["http", "integer-overflow", "DoS"] +description = """ +`HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity. +However, `next_power_of_two()` silently overflows to 0 if given a sufficently large number +in release mode. + +If the map was not empty when the overflow happens, +the library will invoke `self.grow(0)` and start infinite probing. +This allows an attacker who controls the argument to `reserve()` +to cause a potential denial of service (DoS). + +The flaw was corrected in 0.1.20 release of `http` crate. +""" + +[affected.functions] +"http::header::HeaderMap::reserve" = ["< 0.1.20"] + +[versions] +patched = [">= 0.1.20"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/http/RUSTSEC-2019-0034.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/http/RUSTSEC-2019-0034.toml new file mode 100644 index 000000000..fffa2da82 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/http/RUSTSEC-2019-0034.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2019-0034" +package = "http" +date = "2019-11-16" +title = "HeaderMap::Drain API is unsound" +categories = ["memory-corruption"] +keywords = ["memory-safety", "double-free", "unsound"] +description = """ +Affected versions of this crate incorrectly used raw pointer, +which introduced unsoundness in its public safe API. + +[Failing to drop the Drain struct causes double-free](https://github.com/hyperium/http/issues/354), +and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355). + +The flaw was corrected in 0.1.20 release of `http` crate. +""" + +[affected.functions] +"http::header::HeaderMap::drain" = ["< 0.1.20"] + +[versions] +patched = [">= 0.1.20"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2016-0002.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2016-0002.toml new file mode 100644 index 000000000..5fe25d6d2 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2016-0002.toml @@ -0,0 +1,26 @@ +[advisory] +id = "RUSTSEC-2016-0002" +package = "hyper" +date = "2016-05-09" +url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09" +title = "HTTPS MitM vulnerability due to lack of hostname verification" +categories = ["crypto-failure"] +keywords = ["ssl", "mitm"] +references = ["RUSTSEC-2016-0001"] +description = """ +When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not +perform hostname verification when making HTTPS requests. + +This allows an attacker to perform MitM attacks by preventing any valid +CA-issued certificate, even if there's a hostname mismatch. + +The problem was addressed by leveraging rust-openssl's built-in support for +hostname verification. +""" +aliases = ["CVE-2016-10932"] + +[affected] +os = ["windows"] + +[versions] +patched = [">= 0.9.4"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2017-0002.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2017-0002.toml new file mode 100644 index 000000000..101575bf5 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2017-0002.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2017-0002" +package = "hyper" +date = "2017-01-23" +url = "https://github.com/hyperium/hyper/wiki/Security-001" +title = "headers containing newline characters can split messages" +description = """ +Serializing of headers to the socket did not filter the values for newline bytes (`\\r` or `\\n`), +which allowed for header values to split a request or response. People would not likely include +newlines in the headers in their own applications, so the way for most people to exploit this +is if an application constructs headers based on unsanitized user input. + +This issue was fixed by replacing all newline characters with a space during serialization of +a header value. +""" +aliases = ["CVE-2017-18587"] + +[versions] +patched = [">= 0.10.2", "< 0.10.0, >= 0.9.18"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2020-0008.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2020-0008.toml new file mode 100644 index 000000000..026e8c841 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/hyper/RUSTSEC-2020-0008.toml @@ -0,0 +1,28 @@ +[advisory] +id = "RUSTSEC-2020-0008" +package = "hyper" +date = "2020-03-19" +title = "Flaw in hyper allows request smuggling by sending a body in GET requests" +url = "https://github.com/hyperium/hyper/issues/1925" +categories = ["format-injection"] +keywords = ["http", "request-smuggling"] + +description = """ +Vulnerable versions of hyper allow GET requests to have bodies, even if there is +no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 +specification, such requests do not have bodies, so the body will be interpreted +as a separate HTTP request. + +This allows an attacker who can control the body and method of an HTTP request +made by hyper to inject a request with headers that would not otherwise be +allowed, as demonstrated by sending a malformed HTTP request from a Substrate +runtime. This allows bypassing CORS restrictions. In combination with other +vulnerabilities, such as an exploitable web server listening on loopback, it may +allow remote code execution. + +The flaw was corrected in hyper version 0.12.34. +""" + +[versions] +patched = [">= 0.12.34"] +unaffected = ["< 0.11.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/image/RUSTSEC-2019-0014.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/image/RUSTSEC-2019-0014.toml new file mode 100644 index 000000000..e31ee1d5e --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/image/RUSTSEC-2019-0014.toml @@ -0,0 +1,32 @@ +[advisory] +id = "RUSTSEC-2019-0014" +package = "image" +date = "2019-08-21" +title = "Flaw in interface may drop uninitialized instance of arbitrary types" +url = "https://github.com/image-rs/image/pull/985" +keywords = ["drop", "use-after-free"] +description = """ +Affected versions of this crate would call `Vec::set_len` on an uninitialized +vector with user-provided type parameter, in an interface of the HDR image +format decoder. They would then also call other code that could panic before +initializing all instances. + +This could run Drop implementations on uninitialized types, equivalent to +use-after-free, and allow an attacker arbitrary code execution. + +Two different fixes were applied. It is possible to conserve the interface by +ensuring proper initialization before calling `Vec::set_len`. Drop is no longer +called in case of panic, though. + +Starting from version `0.22`, a breaking change to the interface requires +callers to pre-allocate the output buffer and pass a mutable slice instead, +avoiding all unsafe code. +""" +aliases = ["CVE-2019-16138"] + +[affected.functions] +"image::hdr::HDRDecoder::read_image_transform" = ["< 0.21.3, >= 0.10.2"] + +[versions] +patched = [">= 0.21.3"] +unaffected = ["< 0.10.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/libflate/RUSTSEC-2019-0010.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libflate/RUSTSEC-2019-0010.toml new file mode 100644 index 000000000..d9b3e4659 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libflate/RUSTSEC-2019-0010.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2019-0010" +package = "libflate" +date = "2019-07-04" +title = "MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code" +url = "https://github.com/sile/libflate/issues/35" +keywords = ["drop", "use-after-free"] +description = """ +Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in `MultiDecoder::read()` and reverted it to the original value after the function completed. However, execution of `MultiDecoder::read()` could be interrupted by a panic in caller-supplied `Read` implementation. This would cause `drop()` to be called on uninitialized memory of a generic type implementing `Read`. + +This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution. + +The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within `MultiDecoder::read()`. The issue was discovered and fixed by Shnatsel. +""" +aliases = ["CVE-2019-15552"] + +[affected.functions] +"libflate::gzip::MultiDecoder::read" = ["< 0.1.25, >= 0.1.14"] + +[versions] +patched = [">= 0.1.25"] +unaffected = ["< 0.1.14"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/libp2p-core/RUSTSEC-2019-0004.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libp2p-core/RUSTSEC-2019-0004.toml new file mode 100644 index 000000000..08a64f158 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libp2p-core/RUSTSEC-2019-0004.toml @@ -0,0 +1,16 @@ +[advisory] +id = "RUSTSEC-2019-0004" +package = "libp2p-core" +date = "2019-05-15" +title = "Failure to properly verify ed25519 signatures makes any signature valid" +description = """ +Affected versions of this crate did not properly verify ed25519 signatures. +Any signature with a correct length was considered valid. + +This allows an attacker to impersonate any node identity. +""" +aliases = ["CVE-2019-15545"] + +[versions] +patched = ["^0.7.1", ">= 0.8.1"] +unaffected = ["< 0.3"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/libsecp256k1/RUSTSEC-2019-0027.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libsecp256k1/RUSTSEC-2019-0027.toml new file mode 100644 index 000000000..3be363061 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libsecp256k1/RUSTSEC-2019-0027.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2019-0027" +package = "libsecp256k1" +date = "2019-10-14" +title = "Flaw in Scalar::check_overflow allows side-channel timing attack" +categories = ["crypto-failure"] +keywords = ["crypto", "sidechannel"] +description = """ +Versions of `libsecp256k1` prior to `0.3.1` did not execute +Scalar::check_overflow in constant time. + +This allows an attacker to potentially leak information via a timing attack. + +The flaw was corrected by modifying Scalar::check_overflow to execute in +constant time. +""" + +[affected.functions] +"libsecp256k1::Scalar::check_overflow" = ["< 0.3.1"] + +[versions] +patched = [">= 0.3.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/libusb/RUSTSEC-2016-0004.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libusb/RUSTSEC-2016-0004.toml new file mode 100644 index 000000000..6c3485313 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/libusb/RUSTSEC-2016-0004.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2016-0004" +package = "libusb" +title = "libusb is unmaintained; use rusb instead" +informational = "unmaintained" +date = "2016-09-10" +url = "https://github.com/dcuddeback/libusb-rs/issues/33" +description = """ +The `libusb` crate has not seen a release since September 2016, and its author +is unresponsive. + +The `rusb` crate is a maintained fork: + +https://github.com/a1ien/rusb +""" + +[versions] +patched = [] +unaffected = ["> 0.3.0"] # last release diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/linea/RUSTSEC-2019-0021.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/linea/RUSTSEC-2019-0021.toml new file mode 100644 index 000000000..62ab2c787 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/linea/RUSTSEC-2019-0021.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2019-0021" +package = "linea" +date = "2019-09-14" +title = "`Matrix::zip_elements` causes double free" +url = "https://github.com/strake/linea.rs/issues/2" +categories = ["memory-corruption"] +keywords = ["double free"] +description = """ +Affected versions of this crate did not properly implements the `Matrix::zip_elements` method, which causes an double free when the given trait implementation might panic. + +This allows an attacker to corrupt or take control of the memory. + +The flaw was corrected by Phosphorus15. +""" +aliases = ["CVE-2019-16880"] + +[versions] +patched = ["> 0.9.4"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/lucet-runtime-internals/RUSTSEC-2020-0004.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/lucet-runtime-internals/RUSTSEC-2020-0004.toml new file mode 100644 index 000000000..9674de8b6 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/lucet-runtime-internals/RUSTSEC-2020-0004.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2020-0004" +package = "lucet-runtime-internals" +date = "2020-01-24" +title = "sigstack allocation bug can cause memory corruption or leak" +url = "https://github.com/bytecodealliance/lucet/pull/401" +categories = ["memory-corruption", "memory-exposure"] +description = """ +An embedding using affected versions of lucet-runtime configured to use +non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode +without optimizations, could leak data from the signal handler stack to guest +programs. This can potentially cause data from the embedding host to leak to +guest programs or cause corruption of guest program memory. + +This flaw was resolved by correcting the sigstack allocation logic. +""" + +[versions] +patched = ["< 0.5.0, >= 0.4.3", ">= 0.5.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/memoffset/RUSTSEC-2019-0011.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/memoffset/RUSTSEC-2019-0011.toml new file mode 100644 index 000000000..12783686e --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/memoffset/RUSTSEC-2019-0011.toml @@ -0,0 +1,16 @@ +[advisory] +id = "RUSTSEC-2019-0011" +package = "memoffset" +date = "2019-07-16" +title = "Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code" +url = "https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490" +description = """ +Affected versions of this crate caused traps and/or memory unsafety by zero-initializing references. +They also could lead to uninitialized memory being dropped if the field for which the offset is requested was behind a deref coercion, and that deref coercion caused a panic. + +The flaw was corrected by using `MaybeUninit`. +""" +aliases = ["CVE-2019-15553"] + +[versions] +patched = [">= 0.5.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/ncurses/RUSTSEC-2019-0006.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/ncurses/RUSTSEC-2019-0006.toml new file mode 100644 index 000000000..c43ac17ba --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/ncurses/RUSTSEC-2019-0006.toml @@ -0,0 +1,26 @@ +[advisory] +id = "RUSTSEC-2019-0006" +package = "ncurses" +date = "2019-06-15" +title = "Buffer overflow and format vulnerabilities in functions exposed without unsafe" +url = "https://github.com/RustSec/advisory-db/issues/106" +description = """ +`ncurses` exposes functions from the ncurses library which: + +- Pass buffers without length to C functions that may write an arbitrary amount of + data, leading to a buffer overflow. (`instr`, `mvwinstr`, etc) +- Passes rust &str to strings expecting C format arguments, allowing hostile + input to execute a format string attack, which trivially allows writing + arbitrary data to stack memory (functions in the `printw` family). +""" +aliases = ["CVE-2019-15547", "CVE-2019-15548"] + +[affected.functions] +"ncurses::instr" = [">= 0"] +"ncurses::mvwinstr" = [">= 0"] +"ncurses::printw" = [">= 0"] +"ncurses::mvprintw" = [">= 0"] +"ncurses::mvwprintw" = [">= 0"] + +[versions] +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/once_cell/RUSTSEC-2019-0017.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/once_cell/RUSTSEC-2019-0017.toml new file mode 100644 index 000000000..06a87127f --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/once_cell/RUSTSEC-2019-0017.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2019-0017" +package = "once_cell" +date = "2019-09-01" +title = "Panic during initialization of Lazy might trigger undefined behavior" +url = "https://github.com/matklad/once_cell/issues/46" +keywords = ["undefined_behavior"] +description = """ +If during the first dereference of Lazy the initialization function panics, +subsequent derefernces will execute `std::hints::unreachable_unchecked`. + +Applications with `panic = "abort"` are not affected, as there will be no +subsequent dereferences. +""" +aliases = ["CVE-2019-16141"] + +[affected.functions] +"once_cell::unsync::Lazy::force" = ["< 1.0.1, >= 0.2.5"] +"once_cell::unsync::Lazy::deref" = ["< 1.0.1, >= 0.2.5"] +"once_cell::sync::Lazy::force" = ["< 1.0.1, >= 0.2.5"] +"once_cell::sync::Lazy::deref" = ["< 1.0.1, >= 0.2.5"] + +[versions] +patched = [">= 1.0.1"] +unaffected = ["< 0.2.5"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/openssl/RUSTSEC-2016-0001.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/openssl/RUSTSEC-2016-0001.toml new file mode 100644 index 000000000..2ab962a61 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/openssl/RUSTSEC-2016-0001.toml @@ -0,0 +1,24 @@ +[advisory] +id = "RUSTSEC-2016-0001" +package = "openssl" +date = "2016-11-05" +keywords = ["ssl", "mitm"] +url = "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0" +title = "SSL/TLS MitM vulnerability due to insecure defaults" +description = """ +All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults +including off-by-default certificate verification and no API to perform hostname +verification. + +Unless configured correctly by a developer, these defaults could allow an attacker +to perform man-in-the-middle attacks. + +The problem was addressed in newer versions by enabling certificate verification +by default and exposing APIs to perform hostname verification. Use the +`SslConnector` and `SslAcceptor` types to take advantage of these new features +(as opposed to the lower-level `SslContext` type). +""" +aliases = ["CVE-2016-10931"] + +[versions] +patched = [">= 0.9.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/openssl/RUSTSEC-2018-0010.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/openssl/RUSTSEC-2018-0010.toml new file mode 100644 index 000000000..8fd8c8310 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/openssl/RUSTSEC-2018-0010.toml @@ -0,0 +1,13 @@ +[advisory] +id = "RUSTSEC-2018-0010" +package = "openssl" +date = "2018-06-01" +title = "Use after free in CMS Signing" +url = "https://github.com/sfackler/rust-openssl/pull/942" +keywords = ["memory-corruption"] +description = "Affected versions of the OpenSSL crate used structures after they'd been freed." +aliases = ["CVE-2018-20997"] + +[versions] +patched = [">= 0.10.9"] +unaffected = ["< 0.10.8"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/orion/RUSTSEC-2018-0012.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/orion/RUSTSEC-2018-0012.toml new file mode 100644 index 000000000..c7b2d9191 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/orion/RUSTSEC-2018-0012.toml @@ -0,0 +1,17 @@ +[advisory] +id = "RUSTSEC-2018-0012" +package = "orion" +date = "2018-12-20" +title = "Flaw in streaming state reset() functions can create incorrect results." +url = "https://github.com/brycx/orion/issues/46" +description = """ +Affected versions of this crate did not properly reset a streaming state. + +Resetting a streaming state, without finalising it first, creates incorrect results. + +The flaw was corrected by not first checking if the state had already been reset, when calling reset(). +""" +aliases = ["CVE-2018-20999"] + +[versions] +patched = [">= 0.11.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/pancurses/RUSTSEC-2019-0005.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/pancurses/RUSTSEC-2019-0005.toml new file mode 100644 index 000000000..511fca0b6 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/pancurses/RUSTSEC-2019-0005.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2019-0005" +package = "pancurses" +date = "2019-06-15" +title = "Format string vulnerabilities in `pancurses`" +url = "https://github.com/RustSec/advisory-db/issues/106" +description = """ +`pancurses::mvprintw` and `pancurses::printw` passes a pointer from a rust `&str` to C, +allowing hostile input to execute a format string attack, which trivially allows writing +arbitrary data to stack memory. +""" +aliases = ["CVE-2019-15546"] + +[affected.functions] +"pancurses::mvprintw" = [">= 0"] +"pancurses::printw" = [">= 0"] + +[versions] +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/portaudio-rs/RUSTSEC-2019-0022.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/portaudio-rs/RUSTSEC-2019-0022.toml new file mode 100644 index 000000000..b3b7371cc --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/portaudio-rs/RUSTSEC-2019-0022.toml @@ -0,0 +1,21 @@ +[advisory] +id = "RUSTSEC-2019-0022" +package = "portaudio-rs" +date = "2019-09-14" +title = "Stream callback function is not unwind safe" +url = "https://github.com/mvdnes/portaudio-rs/issues/20" +categories = ["code-execution", "memory-corruption"] +keywords = ["audio", "ffi"] +description = """ +Affected versions of this crate is not panic safe within callback functions `stream_callback` and `stream_finished_callback`. + +The call to user-provided closure might panic before a `mem::forget` call, which then causes a use after free that grants attacker to control the callback function pointer. + +This allows an attacker to construct an arbitrary code execution . + +The flaw was reported by Phosphorus15. +""" +aliases = ["CVE-2019-16881"] + +[versions] +patched = ["> 0.3.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/portaudio/RUSTSEC-2016-0003.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/portaudio/RUSTSEC-2016-0003.toml new file mode 100644 index 000000000..0644245b5 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/portaudio/RUSTSEC-2016-0003.toml @@ -0,0 +1,18 @@ +[advisory] +id = "RUSTSEC-2016-0003" +package = "portaudio" +date = "2016-08-01" +title = "HTTP download and execution allows MitM RCE" +url = "https://github.com/RustAudio/rust-portaudio/issues/144" +keywords = ["ssl", "mitm"] +description = """ +The build script in the portaudio crate will attempt to download via HTTP +the portaudio source and build it. + +A Mallory in the middle can intercept the download with their own archive +and get RCE. +""" +aliases = ["CVE-2016-10933"] + +[versions] +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/prost/RUSTSEC-2020-0002.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/prost/RUSTSEC-2020-0002.toml new file mode 100644 index 000000000..6c84deaff --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/prost/RUSTSEC-2020-0002.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2020-0002" +package = "prost" +date = "2020-01-16" +title = "Parsing a specially crafted message can result in a stack overflow" +url = "https://github.com/danburkert/prost/issues/267" +categories = ["denial-of-service", "memory-corruption"] +keywords = ["stack overflow"] +description = """ +Affected versions of this crate contained a bug in which decoding untrusted +input could overflow the stack. + +On architectures with stack probes (like x86), this can be used for denial of +service attacks, while on architectures without stack probes (like ARM) +overflowing the stack is unsound and can result in potential memory corruption +(or even RCE). + +The flaw was quickly corrected by @danburkert and released in version 0.6.1. +""" + +[versions] +patched = [">= 0.6.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/protobuf/RUSTSEC-2019-0003.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/protobuf/RUSTSEC-2019-0003.toml new file mode 100644 index 000000000..32ff64ce1 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/protobuf/RUSTSEC-2019-0003.toml @@ -0,0 +1,21 @@ +[advisory] +id = "RUSTSEC-2019-0003" +package = "protobuf" +date = "2019-06-08" +title = "Out of Memory in stream::read_raw_bytes_into()" +url = "https://github.com/stepancheg/rust-protobuf/issues/411" +categories = ["denial-of-service"] +keywords = ["oom", "panic"] +description = """ +Affected versions of this crate called Vec::reserve() on user-supplied input. + +This allows an attacker to cause an Out of Memory condition while calling the +vulnerable method on untrusted data. +""" +aliases = ["CVE-2019-15544"] + +[affected.functions] +"protobuf::stream::read_raw_bytes_into" = ["< 2.6.0"] + +[versions] +patched = ["^1.7.5", ">= 2.6.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/quickersort/RUSTSEC-2018-0016.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/quickersort/RUSTSEC-2018-0016.toml new file mode 100644 index 000000000..d0863a34e --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/quickersort/RUSTSEC-2018-0016.toml @@ -0,0 +1,18 @@ +[advisory] +id = "RUSTSEC-2018-0016" +package = "quickersort" +date = "2018-06-30" +title = "quickersort is deprecated and unmaintained" +informational = "unmaintained" +url = "https://github.com/notriddle/quickersort/commit/0bc164366315801f0c6b31f4081b7df9fc894076" +description = """ +The author of the `quickersort` crate has deprecated it and does not recommend using it anymore. + +Everything in it has been incorporated into [std::sort_unstable] in the standard library as of Rust 1.20. + +[std::sort_unstable]: https://doc.rust-lang.org/stable/std/primitive.slice.html#method.sort_unstable +""" + +[versions] +patched = [] +unaffected = ["> 3.0.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/renderdoc/RUSTSEC-2019-0018.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/renderdoc/RUSTSEC-2019-0018.toml new file mode 100644 index 000000000..9f68bbb0a --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/renderdoc/RUSTSEC-2019-0018.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2019-0018" +package = "renderdoc" +date = "2019-09-02" +title = "Internally mutating methods take immutable ref self" +url = "https://github.com/ebkalderon/renderdoc-rs/pull/32" +keywords = ["undefined_behavior"] +description = """ +Affected versions of this crate exposed several methods which took `self` by +immutable reference, despite the requesting the RenderDoc API to set a mutable +value internally. + +This is technically unsound and calling these methods from multiple threads +without synchronization could lead to unexpected and unpredictable behavior. + +The flaw was corrected in release 0.5.0. +""" +aliases = ["CVE-2019-16142"] + +[affected.functions] +"renderdoc::api::RenderDocV110::trigger_multi_frame_capture" = ["< 0.5.0"] +"renderdoc::api::RenderDocV120::set_capture_file_comments" = ["< 0.5.0"] + +[versions] +patched = [">= 0.5.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/rmpv/RUSTSEC-2017-0006.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rmpv/RUSTSEC-2017-0006.toml new file mode 100644 index 000000000..be8af43da --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rmpv/RUSTSEC-2017-0006.toml @@ -0,0 +1,18 @@ +[advisory] +id = "RUSTSEC-2017-0006" +package = "rmpv" +date = "2017-11-21" +title = "Unchecked vector pre-allocation" +url = "https://github.com/3Hren/msgpack-rust/issues/151" +categories = ["denial-of-service"] +keywords = ["memory", "dos", "msgpack", "serialization", "deserialization"] +description = """ +Affected versions of this crate pre-allocate memory on deserializing raw +buffers without checking whether there is sufficient data available. + +This allows an attacker to do denial-of-service attacks by sending small +msgpack messages that allocate gigabytes of memory. +""" + +[versions] +patched = [">= 0.4.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/rust-crypto/RUSTSEC-2016-0005.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rust-crypto/RUSTSEC-2016-0005.toml new file mode 100644 index 000000000..d12296c38 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rust-crypto/RUSTSEC-2016-0005.toml @@ -0,0 +1,94 @@ +[advisory] +id = "RUSTSEC-2016-0005" +package = "rust-crypto" +title = "rust-crypto is unmaintained; switch to a modern alternative" +informational = "unmaintained" +date = "2016-09-06" # last GitHub commit +url = "https://github.com/DaGenix/rust-crypto/issues/440" +description = """ +The `rust-crypto` crate has not seen a release or GitHub commit since 2016, +and its author is unresponsive. + +*NOTE: The (old) `rust-crypto` crate (with hyphen) should not be confused with +similarly named (new) [RustCrypto GitHub Org] (without hyphen). The GitHub Org +is actively maintained.* + +We recommend you switch to one of the following crates instead, depending on +which algorithms you need: + +- [dalek-cryptography GitHub Org]: + - Key agreement: [`x25519-dalek`] + - Signature algorithms: [`ed25519-dalek`] +- [`ring`]: + - AEAD algorithms: AES-GCM, ChaCha20Poly1305 + - Digest algorithms: SHA-256, SHA-384, SHA-512, SHA-512/256 (legacy: SHA-1) + - HMAC + - Key agreement: ECDH (P-256, P-384), X25519 + - Key derivation: HKDF + - Password hashing: PBKDF2 + - Signature algorithms: ECDSA (P-256, P-384), Ed25519, RSA (PKCS#1v1.5, PSS) +- [RustCrypto GitHub Org]: + - AEAD algorithms: [`aes-gcm`], [`aes-gcm-siv`], [`aes-siv`], [`chacha20poly1305`], [`xsalsa20poly1305`] + - Block ciphers: [`aes`], [`cast5`], [`des`] + - Digest algorithms: [`sha2`], [`sha3`], [`blake2`], [`ripemd160`] + (legacy: [`sha-1`], [`md-5`]) + - Key derivation: [`hkdf`] + - MACs: [`cmac`], [`hmac`], [`pmac`], [`poly1305`] + - Password hashing: [`pbkdf2`] + - Stream ciphers: [`aes-ctr`], [`chacha20`], [`hc-256`], [`salsa20`] +- [`secp256k1`]: + - Key agreement: ECDH (secp256k1 only) + - Signature algorithms: ECDSA (secp256k1 only) +- [`sodiumoxide`]: + - AEAD algorithms: ChaCha20Poly1305 (IETF version) + - Digest algorithms: SHA-256, SHA-512 + - HMAC + - Key agreement: X25519 + BLAKE2b + - Password hashing: Argon2(i/d), scrypt + - Public key encryption: NaCl "Box" (X25519 + XSalsa20Poly1305) + - Signature algorithms: Ed25519 + - Short-input PRF: SipHash24 +- [`orion`]: + - AEAD algorithms: ChaCha20Poly1305 (IETF version), XChaCha20Poly1305 + - Digest algorithms: SHA-512, BLAKE2b + - Key derivation: HKDF + - MACs: HMAC, Poly1305 + - Password hashing: PBKDF2 + - Stream ciphers: ChaCha20 (IETF version), XChaCha20 + +[dalek-cryptography GitHub Org]: https://github.com/dalek-cryptography +[RustCrypto GitHub Org]: https://github.com/RustCrypto +[`aes`]: https://crates.io/crates/aes +[`aes-ctr`]: https://crates.io/crates/aes-ctr +[`aes-gcm`]: https://crates.io/crates/aes-gcm +[`aes-gcm-siv`]: https://crates.io/crates/aes-gcm-siv +[`aes-siv`]: https://crates.io/crates/aes-siv +[`blake2`]: https://crates.io/crates/blake2 +[`cast5`]: https://crates.io/crates/cast5 +[`chacha20`]: https://crates.io/crates/chacha20 +[`chacha20poly1305`]: https://crates.io/crates/chacha20poly1305 +[`cmac`]: https://crates.io/crates/cmac +[`des`]: https://crates.io/crates/des +[`ed25519-dalek`]: https://crates.io/crates/ed25519-dalek +[`hc-256`]: https://crates.io/crates/hc-256 +[`hkdf`]: https://crates.io/crates/hkdf +[`hmac`]: https://crates.io/crates/hmac +[`pbkdf2`]: https://crates.io/crates/pbkdf2 +[`pmac`]: https://crates.io/crates/pmac +[`poly1305`]: https://crates.io/crates/poly1305 +[`ring`]: https://crates.io/crates/ring +[`ripemd160`]: https://crates.io/crates/ripemd160 +[`salsa20`]: https://crates.io/crates/salsa20 +[`secp256k1`]: https://crates.io/crates/secp256k1 +[`sha-1`]: https://crates.io/crates/sha-1 +[`sha2`]: https://crates.io/crates/sha2 +[`sha3`]: https://crates.io/crates/sha3 +[`sodiumoxide`]: https://crates.io/crates/sodiumoxide +[`x25519-dalek`]: https://crates.io/crates/x25519-dalek +[`xsalsa20poly1305`]: https://crates.io/crates/xsalsa20poly1305 +[`orion`]: https://crates.io/crates/orion +""" + +[versions] +unaffected = ["> 0.2.36"] # last release +patched = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/rust_sodium/RUSTSEC-2020-0003.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rust_sodium/RUSTSEC-2020-0003.toml new file mode 100644 index 000000000..f8f3fb587 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rust_sodium/RUSTSEC-2020-0003.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2020-0003" +package = "rust_sodium" +date = "2020-01-20" +informational = "unmaintained" +title = "rust_sodium is unmaintained; switch to a modern alternative" +description = """ +The `rust_sodium` crate is no longer maintained by its current owner, who +advise in the repository readme that they are looking for +someone else to take ownership of it. + +We recommend you switch to an alternative crate such as: +- [`sodiumoxide`](https://crates.io/crates/sodiumoxide) +""" +url = "https://github.com/maidsafe/rust_sodium/pull/117" + +[versions] +patched = [] +unaffected = ["> 0.10.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/rustsec-example-crate/RUSTSEC-2019-0024.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rustsec-example-crate/RUSTSEC-2019-0024.toml new file mode 100644 index 000000000..e2ad1ae47 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/rustsec-example-crate/RUSTSEC-2019-0024.toml @@ -0,0 +1,27 @@ +[advisory] +id = "RUSTSEC-2019-0024" +package = "rustsec-example-crate" +date = "2019-10-08" +url = "https://github.com/RustSec/advisory-db/issues/158" +title = "Test advisory with associated example crate" +description = """ +This is a test advisory useful for verifying RustSec tooling and vulnerability +detection pipelines are working correctly. Aside from the fact that it is filed +against an example crate, it is otherwise considered by the Advisory Database +itself to be a normal security advisory. + +It's filed against `rustsec-example-crate`, an otherwise completely empty crate +with no functionality or code, which has two releases: + +- [v0.0.1] - *vulnerable* according to this advisory +- [v1.0.0] - *patched* by this advisory + +(Technically there is a third release, v0.0.0, which is yanked, but otherwise +identical to the v0.0.1 release) + +[v0.0.1]: https://crates.io/crates/rustsec-example-crate/0.0.1 +[v1.0.0]: https://crates.io/crates/rustsec-example-crate/1.0.0 +""" + +[versions] +patched = [">= 1.0.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/safe-transmute/RUSTSEC-2018-0013.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/safe-transmute/RUSTSEC-2018-0013.toml new file mode 100644 index 000000000..55ce7ecb0 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/safe-transmute/RUSTSEC-2018-0013.toml @@ -0,0 +1,23 @@ +[advisory] +id = "RUSTSEC-2018-0013" +package = "safe-transmute" +date = "2018-11-27" +title = "Vec-to-vec transmutations could lead to heap overflow/corruption" +description = """ +Affected versions of this crate switched the length and capacity arguments in the Vec::from_raw_parts() constructor, +which could lead to memory corruption or data leakage. + +The flaw was corrected by using the constructor correctly. +""" +url = "https://github.com/nabijaczleweli/safe-transmute-rs/pull/36" +keywords = ["memory-corruption"] + +# TODO(tarcieri): fix linter to respect crate name +#[affected.functions] +#"safe_transmute::guarded_transmute_vec_permissive" = [">= 0.4.0, <= 0.10.0"] +#"safe_transmute::guarded_transmute_to_bytes_vec" = ["= 0.10.0"] +aliases = ["CVE-2018-21000"] + +[versions] +patched = [">= 0.10.1"] +unaffected = ["< 0.4.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/security-framework/RUSTSEC-2017-0003.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/security-framework/RUSTSEC-2017-0003.toml new file mode 100644 index 000000000..5577db26a --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/security-framework/RUSTSEC-2017-0003.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2017-0003" +package = "security-framework" +date = "2017-03-15" +keywords = ["mitm"] +url = "https://github.com/sfackler/rust-security-framework/pull/27" +title = "Hostname verification skipped when custom root certs used" +description = """ +If custom root certificates were registered with a `ClientBuilder`, the +hostname of the target server would not be validated against its presented leaf +certificate. + +This issue was fixed by properly configuring the trust evaluation logic to +perform that check. +""" +aliases = ["CVE-2017-18588"] + +[versions] +patched = [">= 0.1.12"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/serde_cbor/RUSTSEC-2019-0025.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/serde_cbor/RUSTSEC-2019-0025.toml new file mode 100644 index 000000000..84886d342 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/serde_cbor/RUSTSEC-2019-0025.toml @@ -0,0 +1,18 @@ +[advisory] +id = "RUSTSEC-2019-0025" +package = "serde_cbor" +date = "2019-10-03" +title = "Flaw in CBOR deserializer allows stack overflow" +url = "https://github.com/pyfisch/cbor/releases/tag/v0.10.2" +categories = ["crypto-failure"] +keywords = ["stack-overflow", "crash", "denial-of-service"] +description = """ +Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization. + +This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow. + +The flaw was corrected by limiting the allowed number of nested tags. +""" + +[versions] +patched = [">= 0.10.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/serde_yaml/RUSTSEC-2018-0005.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/serde_yaml/RUSTSEC-2018-0005.toml new file mode 100644 index 000000000..201c9f1f2 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/serde_yaml/RUSTSEC-2018-0005.toml @@ -0,0 +1,20 @@ +[advisory] +id = "RUSTSEC-2018-0005" +package = "serde_yaml" +date = "2018-09-17" +title = "Uncontrolled recursion leads to abort in deserialization" +url = "https://github.com/dtolnay/serde-yaml/pull/105" +keywords = ["crash"] +description = """ +Affected versions of this crate did not properly check for recursion +while deserializing aliases. + +This allows an attacker to make a YAML file with an alias referring +to itself causing an abort. + +The flaw was corrected by checking the recursion depth. +""" + +[versions] +patched = [">= 0.8.4"] +unaffected = ["< 0.6.0-rc1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/simd-json/RUSTSEC-2019-0008.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/simd-json/RUSTSEC-2019-0008.toml new file mode 100644 index 000000000..87bf9524e --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/simd-json/RUSTSEC-2019-0008.toml @@ -0,0 +1,34 @@ +[advisory] +id = "RUSTSEC-2019-0008" +package = "simd-json" +date = "2019-06-24" +title = "Flaw in string parsing can lead to crashes due to invalid memory access." +url = "https://github.com/Licenser/simdjson-rs/pull/27" +keywords = ["simd"] +description = """ +The affected version of this crate did not guard against accessing memory +beyond the range of its input data. A pointer cast to read the data into +a 256-bit register could lead to a segmentation fault when the end plus +the 32 bytes (256 bit) read would overlap into the next page during string +parsing. + +``` +page | ... page 1 ... | ... page 2 ... | +data | x[n * 32 byte]xx__ | | +access | ..][ 32 byte ] | | +segflt | [ 32 | byte ] | +``` + +This allows an attacker to eventually crash a service. + +The flaw was corrected by using a padding buffer for the last read from the +input. So that we are we never read over the boundary of the input data. +""" +aliases = ["CVE-2019-15550"] + +[affected] +arch = ["x86", "x86_64"] + +[versions] +patched = [">= 0.1.15"] +unaffected = ["<= 0.1.13"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/slice-deque/RUSTSEC-2018-0008.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/slice-deque/RUSTSEC-2018-0008.toml new file mode 100644 index 000000000..6d16a904c --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/slice-deque/RUSTSEC-2018-0008.toml @@ -0,0 +1,28 @@ +[advisory] +id = "RUSTSEC-2018-0008" +package = "slice-deque" +date = "2018-12-05" +url = "https://github.com/gnzlbg/slice_deque/issues/57" +keywords = ["memory-corruption", "rce"] +title = "Bug in SliceDeque::move_head_unchecked allows read of corrupted memory" +description = """ + +Affected versions of this crate did not properly update the +head and tail of the deque when inserting and removing elements from the front +if, before insertion or removal, the tail of the deque was in the mirrored +memory region, and if, after insertion or removal, the head of the deque is +exactly at the beginning of the mirrored memory region. + +An attacker that controls both element insertion and removal into the deque +could put it in a corrupted state. Once the deque enters such an state, its head +and tail are corrupted, but in bounds of the allocated memory. This can result +in partial reads and writes, reads of uninitialized memory, reads of memory +containing previously dropped objects, etc. An attacker could exploit this to +alter program execution. + +The flaw was corrected by properly updating the head and tail of the deque in +this case. """ +aliases = ["CVE-2018-20995"] + +[versions] +patched = [">= 0.1.16"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/slice-deque/RUSTSEC-2019-0002.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/slice-deque/RUSTSEC-2019-0002.toml new file mode 100644 index 000000000..e79e0b1b4 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/slice-deque/RUSTSEC-2019-0002.toml @@ -0,0 +1,28 @@ +[advisory] +id = "RUSTSEC-2019-0002" +package = "slice-deque" +date = "2019-05-07" +title = "Bug in SliceDeque::move_head_unchecked corrupts its memory" +url = "https://github.com/gnzlbg/slice_deque/issues/57" +keywords = ["memory-corruption", "rce"] +references = ["RUSTSEC-2018-0008"] +description = """ +Affected versions of this crate entered a corrupted state if +`mem::size_of::() % allocation_granularity() != 0` and a specific allocation +pattern was used: sufficiently shifting the deque elements over the mirrored +page boundary. + +This allows an attacker that controls controls both element insertion and +removal to corrupt the deque, such that reading elements from it would read +bytes corresponding to other elements in the deque. (e.g. a read of T could read +some bytes from one value and some bytes from an adjacent one, resulting in a T +whose value representation is not meaningful). This is undefined behavior. + +The flaw was corrected by using a pair of pointers to track the head and tail of +the deque instead of a pair of indices. This pair of pointers are represented +using a Rust slice. +""" +aliases = ["CVE-2019-15543"] + +[versions] +patched = [">= 0.2.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2018-0003.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2018-0003.toml new file mode 100644 index 000000000..f66ca05d6 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2018-0003.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2018-0003" +package = "smallvec" +url = "https://github.com/servo/rust-smallvec/issues/96" +keywords = ["memory-corruption"] +title = "Possible double free during unwinding in SmallVec::insert_many" +date = "2018-07-19" +description = """ +If an iterator passed to `SmallVec::insert_many` panicked in `Iterator::next`, +destructors were run during unwinding while the vector was in an inconsistent +state, possibly causing a double free (a destructor running on two copies of +the same value). + +This is fixed in smallvec 0.6.3 by ensuring that the vector's length is not +updated to include moved items until they have been removed from their +original positions. Items may now be leaked if `Iterator::next` panics, but +they will not be dropped more than once. + +Thank you to @Vurich for reporting this bug. +""" +aliases = ["CVE-2018-20991"] + +[versions] +unaffected = ["< 0.3.2"] +patched = [">= 0.6.3", "^0.3.4", "^0.4.5", "^0.5.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2019-0009.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2019-0009.toml new file mode 100644 index 000000000..a832ff935 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2019-0009.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2019-0009" +package = "smallvec" +date = "2019-06-06" +title = "Double-free and use-after-free in SmallVec::grow()" +url = "https://github.com/servo/rust-smallvec/issues/148" +keywords = ["double free", "use after free", "arbitrary code execution"] +description = """ +Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. + +An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. + +Credits to @ehuss for discovering, reporting and fixing the bug. +""" +aliases = ["CVE-2019-15551"] + +[affected.functions] +"smallvec::SmallVec::grow" = ["< 0.6.10, >= 0.6.5"] + +[versions] +patched = [">= 0.6.10"] +unaffected = ["< 0.6.5"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2019-0012.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2019-0012.toml new file mode 100644 index 000000000..3f0951a02 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/smallvec/RUSTSEC-2019-0012.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2019-0012" +package = "smallvec" +date = "2019-07-19" +title = "Memory corruption in SmallVec::grow()" +url = "https://github.com/servo/rust-smallvec/issues/149" +categories = ["code-execution", "memory-corruption"] +description = """ +Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. + +An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. + +Credits to @ehuss for discovering, reporting and fixing the bug. +""" +aliases = ["CVE-2019-15554"] + +[affected.functions] +"smallvec::SmallVec::grow" = ["< 0.6.10, >= 0.6.3"] + +[versions] +patched = [">= 0.6.10"] +unaffected = ["< 0.6.3"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/sodiumoxide/RUSTSEC-2017-0001.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/sodiumoxide/RUSTSEC-2017-0001.toml new file mode 100644 index 000000000..3311d4b32 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/sodiumoxide/RUSTSEC-2017-0001.toml @@ -0,0 +1,19 @@ +[advisory] +id = "RUSTSEC-2017-0001" +package = "sodiumoxide" +aliases = ["CVE-2017-1000168"] +date = "2017-01-26" +keywords = ["cryptography"] +url = "https://github.com/dnaq/sodiumoxide/issues/154" +title = "scalarmult() vulnerable to degenerate public keys" +description = """ +The `scalarmult()` function included in previous versions of this crate +accepted all-zero public keys, for which the resulting Diffie-Hellman shared +secret will always be zero regardless of the private key used. + +This issue was fixed by checking for this class of keys and rejecting them +if they are used. +""" + +[versions] +patched = [">= 0.0.14"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/sodiumoxide/RUSTSEC-2019-0026.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/sodiumoxide/RUSTSEC-2019-0026.toml new file mode 100644 index 000000000..1f7d450fa --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/sodiumoxide/RUSTSEC-2019-0026.toml @@ -0,0 +1,20 @@ +[advisory] +id = "RUSTSEC-2019-0026" +package = "sodiumoxide" +date = "2019-10-11" +keywords = ["cryptography"] +url = "https://github.com/sodiumoxide/sodiumoxide/pull/381" + +title = "generichash::Digest::eq always return true" +description = """ +PartialEq implementation for generichash::Digest has compared itself to itself. + +Digest::eq always returns true and Digest::ne always returns false. +""" + +[affected.functions] +"sodiumoxide::crypto::generichash::Digest::eq" = ["< 0.2.5, >= 0.2.0"] +"sodiumoxide::crypto::generichash::Digest::ne" = ["< 0.2.5, >= 0.2.0"] + +[versions] +patched = [">= 0.2.5"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/spin/RUSTSEC-2019-0013.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/spin/RUSTSEC-2019-0013.toml new file mode 100644 index 000000000..2efa09467 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/spin/RUSTSEC-2019-0013.toml @@ -0,0 +1,23 @@ +[advisory] +id = "RUSTSEC-2019-0013" +package = "spin" +date = "2019-08-27" +title = "Wrong memory orderings in RwLock potentially violates mutual exclusion" +url = "https://github.com/mvdnes/spin-rs/issues/65" +keywords = ["atomic", "ordering", "spin", "lock", "mutex", "rwlock"] +description = """ +Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded. + +Only users of the RwLock implementation are affected. Users of Once (including users of lazy_static with the `spin_no_std` feature enabled) are NOT affected. + +On strongly ordered CPU architectures like x86, the only real way that this would lead to a memory corruption is if the compiler reorders an access after the lock is yielded, which is possible but in practice unlikely. It is a more serious issue on weakly ordered architectures such as ARM which, except in the presence of certain instructions, allow the hardware to decide which accesses are seen at what times. Therefore on an ARM system it is likely that using the wrong memory ordering would result in a memory corruption, even if the compiler itself doesn't reorder the memory accesses in a buggy way. + +The flaw was corrected by https://github.com/mvdnes/spin-rs/pull/66. +""" +aliases = ["CVE-2019-16137"] + +[affected.functions] +"spin::RwLock::new" = ["< 0.5.2"] + +[versions] +patched = [">= 0.5.2"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/spin/RUSTSEC-2019-0031.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/spin/RUSTSEC-2019-0031.toml new file mode 100644 index 000000000..9ff0aaa65 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/spin/RUSTSEC-2019-0031.toml @@ -0,0 +1,20 @@ +[advisory] +id = "RUSTSEC-2019-0031" +package = "spin" +title = "spin is no longer actively maintained" +informational = "unmaintained" +date = "2019-11-21" +url = "https://github.com/mvdnes/spin-rs/commit/7516c80" +description = """ +The author of the `spin` crate does not have time or interest to maintain it. + +Consider the following alternatives (both of which support `no_std`): + +- [`conquer-once`](https://github.com/oliver-giersch/conquer-once) +- [`lock_api`](https://crates.io/crates/lock_api) (a subproject of `parking_lot`) + - [`spinning_top`](https://github.com/rust-osdev/spinning_top) spinlock crate built on `lock_api` +""" + +[versions] +patched = [] +unaffected = ["> 0.5.2"] # last release diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/streebog/RUSTSEC-2019-0030.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/streebog/RUSTSEC-2019-0030.toml new file mode 100644 index 000000000..4cf9be16b --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/streebog/RUSTSEC-2019-0030.toml @@ -0,0 +1,15 @@ +[advisory] +id = "RUSTSEC-2019-0030" +package = "streebog" +date = "2019-10-06" +title = "Incorrect implementation of the Streebog hash functions" +url = "https://github.com/RustCrypto/hashes/pull/91" +categories = ["crypto-failure"] +description = """ +Internal `update-sigma` function was implemented incorrectly and depending on +`debug-assertions` it could've caused an incorrect result or panic for certain +inputs. +""" + +[versions] +patched = [">= 0.8.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/string-interner/RUSTSEC-2019-0023.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/string-interner/RUSTSEC-2019-0023.toml new file mode 100644 index 000000000..5865e71cc --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/string-interner/RUSTSEC-2019-0023.toml @@ -0,0 +1,26 @@ +[advisory] +id = "RUSTSEC-2019-0023" +package = "string-interner" +date = "2019-08-24" +title = "Cloned interners may read already dropped strings" +url = "https://github.com/Robbepop/string-interner/issues/9" +keywords = ["use after free"] +description = """ +Affected versions of this crate did not clone contained strings when an interner is cloned. +Interners have raw pointers to the contained strings, and they keep pointing the strings which the old interner owns, after the interner is cloned. +If a new cloned interner is alive and the old original interner is dead, the new interner has dangling pointers to the old interner's storage, which is already dropped. + +This allows an attacker to read the already freed memory. +The dangling pointers are used by the interners to check a string is already interned. +An attacker can do brute force attack to get the data pointed by the dangling pointer. + +The flaw was corrected by . +This patch implements `Clone` manually to the interner type, so that the internal raw pointers always point the strings owned by the same interner. + +PR #10 was also backported to the 0.6 release line in + and was released in 0.6.4. +""" +aliases = ["CVE-2019-16882"] + +[versions] +patched = ["^0.6.4", ">= 0.7.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/tar/RUSTSEC-2018-0002.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/tar/RUSTSEC-2018-0002.toml new file mode 100644 index 000000000..52457e2b9 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/tar/RUSTSEC-2018-0002.toml @@ -0,0 +1,28 @@ +[advisory] +id = "RUSTSEC-2018-0002" +package = "tar" +keywords = ["file-overwrite"] +url = "https://github.com/alexcrichton/tar-rs/pull/156" +title = "Links in archives can overwrite any existing file" +date = "2018-06-29" +description = """ +When unpacking a tarball with the `unpack_in`-family of functions it's intended +that only files within the specified directory are able to be written. Tarballs +with hard links or symlinks, however, can be used to overwrite any file on the +filesystem. + +Tarballs can contain multiple entries for the same file. A tarball which first +contains an entry for a hard link or symlink pointing to any file on the +filesystem will have the link created, and then afterwards if the same file is +listed in the tarball the hard link will be rewritten and any file can be +rewritten on the filesystem. + +This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is +published as `tar` 0.4.16. Thanks to Max Justicz for discovering this and +emailing about the issue! +""" +aliases = ["CVE-2018-20990"] + +[versions] +patched = [">= 0.4.16"] +unaffected = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/term/RUSTSEC-2018-0015.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/term/RUSTSEC-2018-0015.toml new file mode 100644 index 000000000..dfc0b07e2 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/term/RUSTSEC-2018-0015.toml @@ -0,0 +1,22 @@ +[advisory] +id = "RUSTSEC-2018-0015" +package = "term" +title = "term is looking for a new maintainer" +informational = "unmaintained" +date = "2018-11-19" +url = "https://github.com/Stebalien/term/issues/93" +description = """ +The author of the `term` crate does not have time to maintain it and is looking +for a new maintainer. + +Some maintained alternatives you can potentially switch to instead, depending +on your needs: + +- [`crossterm`](https://github.com/crossterm-rs/crossterm) +- [`termcolor`](https://crates.io/crates/termcolor) +- [`yansi`](https://crates.io/crates/yansi) +""" + +[versions] +patched = [] +unaffected = ["> 0.6.1"] # last release diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/trust-dns-proto/RUSTSEC-2018-0007.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/trust-dns-proto/RUSTSEC-2018-0007.toml new file mode 100644 index 000000000..b3898f940 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/trust-dns-proto/RUSTSEC-2018-0007.toml @@ -0,0 +1,24 @@ +[advisory] +id = "RUSTSEC-2018-0007" +package = "trust-dns-proto" +date = "2018-10-09" +title = "Stack overflow when parsing malicious DNS packet" +keywords = [ "stack-overflow", "crash" ] +description = """ +There's a stack overflow leading to a crash when Trust-DNS's parses a +malicious DNS packet. + +Affected versions of this crate did not properly handle parsing of DNS message +compression (RFC1035 section 4.1.4). The parser could be tricked into infinite +loop when a compression offset pointed back to the same domain name to be +parsed. + +This allows an attacker to craft a malicious DNS packet which when consumed +with Trust-DNS could cause stack overflow and crash the affected software. + +The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release. +""" +aliases = ["CVE-2018-20994"] + +[versions] +patched = [">= 0.4.3", ">= 0.5.0-alpha.3" ] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/trust-dns-server/RUSTSEC-2020-0001.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/trust-dns-server/RUSTSEC-2020-0001.toml new file mode 100644 index 000000000..5f03ee371 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/trust-dns-server/RUSTSEC-2020-0001.toml @@ -0,0 +1,27 @@ +[advisory] +id = "RUSTSEC-2020-0001" +package = "trust-dns-server" +date = "2020-01-06" +title = "Stack overflow when resolving addional records from MX or SRV null targets" +description = """ +There's a stack overflow leading to a crash and potential DOS when processing +additional records for return of MX or SRV record types from the server. + +This is only possible when a zone is configured with a null target for MX or SRV records, i.e. '.'. + +Example effected zone record: +```text +no-service 86400 IN MX 0 . +``` + +Prior to 0.16.0 the additional record processing was not supported by trust-dns-server. There +Are no known issues with upgrading from 0.16 or 0.17 to 0.18.1. The remidy should be to upgrade to +0.18.1. If unable to do so, MX, SRV or other record types with a target to the null type, should be avoided. +""" +url = "https://github.com/bluejekyll/trust-dns/issues/980" +categories = ["denial-of-service"] +keywords = [ "stack-overflow", "crash" ] + +[versions] +patched = [">= 0.18.1"] +unaffected = ["< 0.16.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/untrusted/RUSTSEC-2018-0001.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/untrusted/RUSTSEC-2018-0001.toml new file mode 100644 index 000000000..8868a48c2 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/untrusted/RUSTSEC-2018-0001.toml @@ -0,0 +1,25 @@ +[advisory] +id = "RUSTSEC-2018-0001" +package = "untrusted" +url = "https://github.com/briansmith/untrusted/pull/20" +keywords = ["crash"] +title = "An integer underflow could lead to panic" +date = "2018-06-21" +description = """ +A mistake in error handling in untrusted before 0.6.2 could lead to an integer +underflow and panic if a user of the crate didn't properly check for errors +returned by untrusted. + +Combination of these two programming errors (one in untrusted and another by +user of this crate) could lead to a panic and maybe a denial of service of +affected software. + +The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also +advisable that users of untrusted check for their sources for cases where errors +returned by untrusted are not handled correctly. +""" +aliases = ["CVE-2018-20989"] + +[versions] +patched = [">= 0.6.2"] +unaffected = [] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/crates/yaml-rust/RUSTSEC-2018-0006.toml b/vulnerabilities/tests/test_data/rust/advisory-db/crates/yaml-rust/RUSTSEC-2018-0006.toml new file mode 100644 index 000000000..a8385c7be --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/crates/yaml-rust/RUSTSEC-2018-0006.toml @@ -0,0 +1,20 @@ +[advisory] +id = "RUSTSEC-2018-0006" +package = "yaml-rust" +date = "2018-09-17" +title = "Uncontrolled recursion leads to abort in deserialization" +url = "https://github.com/chyh1990/yaml-rust/pull/109" +keywords = ["crash"] +description = """ +Affected versions of this crate did not prevent deep recursion while +deserializing data structures. + +This allows an attacker to make a YAML file with deeply nested structures +that causes an abort while deserializing it. + +The flaw was corrected by checking the recursion depth. +""" +aliases = ["CVE-2018-20993"] + +[versions] +patched = [">= 0.4.1"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/rust/cargo/CVE-2019-16760.toml b/vulnerabilities/tests/test_data/rust/advisory-db/rust/cargo/CVE-2019-16760.toml new file mode 100644 index 000000000..d5e1fe5db --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/rust/cargo/CVE-2019-16760.toml @@ -0,0 +1,113 @@ +[advisory] +id = "CVE-2019-16760" +package = "cargo" +date = "2019-09-30" +aliases = ["GHSA-phjm-8x66-qw4r"] +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/rVQ5e3TDnpQ" +title = "Cargo prior to Rust 1.26.0 may download the wrong dependency" +description = """ +The Rust team was recently notified of a security concern when using older +versions of Cargo to build crates which use the package rename feature added in +newer versions of Cargo. If you're using Rust 1.26.0, released on 2018-05-10, +or later you're not affected. + +The CVE for this vulnerability is [CVE-2019-16760][0]. + +## Overview + +Cargo can be configured through `Cargo.toml` and the `[dependencies]` section +to depend on different crates, such as those from crates.io. There are multiple +ways to configure how you depend on crates as well, for example if you depend +on `serde` and enable the `derive` feature it would look like: + +```toml +serde = { version = "1.0", features = ['derive'] } +``` + +Rust 1.31.0 [introduced a new feature of Cargo][1] where one of the optional +keys you can specify in this map is `package`, a way to [rename a crate +locally][2]. For example if you preferred to use `serde1` locally instead of +`serde`, you could write: + +```toml +serde1 = { version = "1.0", features = ['derive'], package = "serde" } +``` + +It's the addition of the `package` key that causes Cargo to compile the crate +differently. This feature was [first implemented][3] in Rust 1.26.0, but it was +unstable at the time. For Rust 1.25.0 and prior, however, Cargo would ignore +the `package` key and and interpret the dependency line as if it were: + +```toml +serde1 = { version = "1.0", features = ['derive'] } +``` + +This means when compiled with Rust 1.25.0 and prior then it would attempt to +download the `serde1` crate. A malicious user could squat the `serde1` name on +crates.io to look like `serde 1.0.0` but instead act maliciously when built. + +In summary, usage of the `package` key to rename dependencies in `Cargo.toml` +is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo +will ignore `package` and download the wrong dependency, which could be +squatted on crates.io to be a malicious package. This not only affects +manifests that you write locally yourself, but also manifests published to +crates.io. If you published a crate, for example, that depends on `serde1` to +crates.io then users who depend on you may also be vulnerable if they use Rust +1.25.0 and prior. + +## Affected Versions + +Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will +ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not +affected and typically will emit an error because the `package` key is +unstable. Rust 1.31.0 and after are not affected because Cargo understands the +`package` key. + +In terms of Cargo versions, this affects Cargo up through Cargo 0.26.0. All +future versions of Cargo are unaffected. + +## Mitigations + +We strongly recommend that users of the affected versions update their compiler +to the latest available one. Preventing this issue from happening requires +updating your compiler to either Rust 1.26.0 or newer. + +We will not be issuing a patch release for Rust versions prior to 1.26.0. Users +of Rust 1.19.0 to Rust 1.25.0 can instead apply [the provided patches][4] to +mitigate the issue. + +An audit of existing crates published to crates.io using the `package` key has +been performed and there is no evidence that this vulnerability has been +exploited in the wild. Our audit only covers the crates currently published on +crates.io: if you notice crates exploiting this vulnerability in the future +please don't hesitate to email secu...@rust-lang.org in accordance with [our +security policy][5]. + +## Timeline of events + +* Wed, Sep 18, 2019 at 13:54 UTC - Bug reported to secu...@rust-lang.org +* Wed, Sep 18, 2019 at 15:35 UTC - Response confirming the report +* Wed, Sep 18, 2019 - Cargo, Core, and crates.io teams confer on how best to +handle this +* Thu, Sep 19, 2019 - Confirmed with Elichai plan of action and continued to +audit existing crates +* Mon, Sep 23, 2019 - Advisory drafted, patches developed, audit completed +* Mon, Sep 30, 2019 - Advisory published, security list informed of this issue + +## Acknowledgments + +Thanks to Elichai Turkel, who found this bug and reported it to us in accordance +with our [security policy][5]. + +## Links + +[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16760 +[1]: https://blog.rust-lang.org/2018/12/06/Rust-1.31-and-rust-2018.html#cargo-features +[2]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#renaming-dependencies-in-cargotoml +[3]: https://github.com/rust-lang/cargo/pull/4953 +[4]: https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992 +[5]: https://www.rust-lang.org/policies/security +""" + +[versions] +patched = [">= 1.26.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/rust/rustdoc/CVE-2018-1000622.toml b/vulnerabilities/tests/test_data/rust/advisory-db/rust/rustdoc/CVE-2018-1000622.toml new file mode 100644 index 000000000..2b8f618ee --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/rust/rustdoc/CVE-2018-1000622.toml @@ -0,0 +1,99 @@ +[advisory] +id = "CVE-2018-1000622" +package = "rustdoc" +date = "2018-07-05" +title = "Uncontrolled search path element vulnerability in rustdoc plugins" +categories = ["code-execution"] +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM" +cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" +description = """ +Rustdoc, if not passed the `--plugin-path` argument, defaults to +`/tmp/rustdoc/plugins`. `/tmp` is world-writable on many systems, and so an +attacker could craft a malicious plugin, place it in that directory, and the +victim would end up executing their code. This only occurs when the +`--plugin` argument is also passed. If you're not using that argument, then +the loading, and therefore the bug, will not happen. + +Because this feature is very difficult to use, and has been deprecated for +almost a year[2] with no comments on its usage, we don't expect this to +affect many users. For more details, read on. + +## Background + +Rustdoc has a "plugins" feature that lets you extend rustdoc. To write a +plugin, you create a library with a specific exposed symbol. You instruct +rustdoc to use this plugin, and it will load it, and execute the function as +a callback to modify rustdoc's AST. + +This feature is quite hard to use, because the function needs to take as +input and return as output Rustdoc's AST type. The Rust project does not ship +a copy of `librustdoc` to end users, and so they would have to synthesize +this type on their own. Furthermore, Rust's ABI is unstable, and so +dynamically loading a plugin is only guaranteed to work if the plugin is +compiled with the same compiler revision as the rustdoc that you're using. +Beyond that, the feature and how to use it are completely undocumented. + +Given all of this, we're not aware of any usage of plugins in the wild, +though the functionality still exists in the codebase. + +## Description of the attack + +If you pass the `--plugins` parameter, let's say with "foo", and *do not* +pass the `--plugin-path` parameter, rustdoc will look for the "foo" plugin +in /tmp/rustdoc/plugins. Given that /tmp is world-writable on many systems, +an attacker with access to your machine could place a maliciously crafted +plugin into /tmp/rustdoc/plugins, and rustdoc would then load the plugin, +and execute the attacker's callback, running arbitrary Rust code as your +user instead of theirs. + +## Affected Versions + +This functionality was introduced into rustdoc on December 31, 2013, in commit +14f59e890207f3b7a70bcfffaea7ad8865604111 [3]. That change was to rename +`/tmp/rustdoc_ng/plugins` to `/tmp/rustdoc/plugins`; The addition of this +search path generally came with the first commit to this iteration of rustdoc, +on September 22, 2013, in commit 7b24efd6f333620ed2559d70b32da8f6f9957385 [4]. + +## Mitigations + +To prevent this bug from happening on any version of Rust, you can always +pass the `--plugin-path` flag to control the path. This only applies if +you use the `--plugin` flag in the first place. + +For Rust 1.27, we'll be releasing a 1.27.1 on Tuesday with the fix, which +consists of requiring `--plugin-path` to be passed whenever `--plugin` +is passed. + +We will not be releasing our own fixes for previous versions of Rust, given +the low severity and impact of this bug. The patch to fix 1.27 should be +trivially applicable to previous versions, as this code has not changed in +a very long time. The patch is included at the end of this email. If you +need assistance patching an older version of Rust on your own, please reach +out to Steve Klabnik, st...@steveklabnik.com, and he'll be happy to help. + +On beta and nightly we will be removing plugins entirely. + +## Timeline of events + +* Tue, Jul 3, 2018 at 11:57 PM UTC - Bug reported to security@rust-lang.org +* Tue, Jul 3, 2018 at 12:13 PM UTC - Steve responds, confirming the bug +* Weds, Jul 4, 2018 - Steve works up an initial patch +* Thu, Jul 5, 2018 at 6:00 PM UTC - Rust team decides to not embargo this bug +* Fri, Jul 6, 2018 at 12:38 AM - Final patch created after feedback from Red Hat + +## Acknowledgements + +Thanks to Red Hat Product Security, which found this bug. And specifically to +Josh Stone, who took their findings and reported it to us in accordance with +our security policy https://www.rust-lang.org/security.html, as well as providing +feedback on the patch itself. You can find their bug at [5]. + +[1]: https://cwe.mitre.org/data/definitions/427.html +[2]: https://github.com/rust-lang/rust/issues/44136 +[3]: https://github.com/rust-lang/rust/commit/14f59e890207f3b7a70bcfffaea7ad8865604111 +[4]: https://github.com/rust-lang/rust/commit/7b24efd6f333620ed2559d70b32da8f6f9957385 +[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1597063 +""" + +[versions] +patched = ["> 1.27.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2018-1000657.toml b/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2018-1000657.toml new file mode 100644 index 000000000..4fef3a451 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2018-1000657.toml @@ -0,0 +1,19 @@ +[advisory] +id = "CVE-2018-1000657" +package = "std" +date = "2018-08-20" +title = "Buffer overflow vulnerability in VecDeque::reserve()" +categories = ["code-execution", "denial-of-service"] +url = "https://github.com/rust-lang/rust/issues/44800" +description = """ +The `std::collections::vec_deque::VecDeque::reserve()` function contains a +buffer overflow vulnerability that can potentially result in arbitrary code +execution. +""" + +[affected.functions] +"std::collections::vec_deque::VecDeque::reserve" = ["< 1.22.0, >= 1.3.0"] + +[versions] +patched = [">= 1.22.0"] +unaffected = ["< 1.3.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2018-1000810.toml b/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2018-1000810.toml new file mode 100644 index 000000000..295efcb29 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2018-1000810.toml @@ -0,0 +1,103 @@ +[advisory] +id = "CVE-2018-1000810" +package = "std" +date = "2018-09-21" +title = "Buffer overflow vulnerability in str::repeat()" +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0" +categories = ["denial-of-service", "memory-corruption"] +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" +description = """ +The Rust team was recently notified of a security vulnerability affecting +the `str::repeat` function in the standard library. If your code does not +use this function, it is not affected. + +## Overview + +This vulnerability is an instance of CWE-680: Integer Overflow to Buffer +Overflow[1]. + +The `str::repeat` function in the standard library allows repeating a +string a fixed number of times, returning an owned version of the final +string. The capacity of the final string is calculated by multiplying +the length of the string being repeated by the number of copies. This +calculation can overflow, and this case was not properly checked for. + +The rest of the implementation of `str::repeat` contains unsafe code +that relies on a preallocated vector having the capacity calculated +earlier. On integer overflow the capacity will be less than required, +and which then writes outside of the allocated buffer, leading to +buffer overflow. + +## Affected Versions + +While the `str::repeat` function has been in Rust since 1.16.0, this +vulnerability was introduced into the standard library in pull +request #48657 [2]. The pull request was merged on March 6, 2018 and +was first part of the 1.26.0 stable released on May 10, 2018. + +As such, this vulnerability affects: + +* Every nightly we've produced since March 6, 2018 +* Every beta produced since March 6, 2018 +* These specific Rust releases: + * 1.29.0 + * 1.28.0 + * 1.27.2 + * 1.27.1 + * 1.27.0 + * 1.26.2 + * 1.26.1 + * 1.26.0 + +## Mitigations + +This bug can be mitigated manually by auditing for calls to `str::repeat` +and testing if the resulting vector's capacity will overflow. If it does, +then the program should panic. + +For Rust 1.29, we'll be releasing a 1.29.1 on 2018-09-25 with the fix, +which consists of checking for overflow and deterministically panicking +if it happens. Nightlies and betas produced after 2019-09-21 will also +contain a fix for this issue. + +We will not be releasing our own fixes for previous versions of Rust. +The patch to fix 1.29 should roughly applicable to older versions, although +the implementation has seen a few refactorings since it was introduced. +The patch for 1.29 is included at the end of this email. If you +need assistance patching an older version of Rust on your own, please reach +out to our security mailing list, security@rust-lang.org, and we'll be happy +to help. + +The current beta and nightly channels will be updated with a fix for this +issue as well. + +## Timeline of events + +* Sun, Sep 16, 2018 at 20:24 PM - Bug reported to security@rust-lang.org +* Mon, Sep 17, 2018 at 14:19 PM - Steve responds, confirming the bug +* Tue, Sep 18, 2018 - Steve works up an initial patch +* Wed, Sep 19, 2018 - Core team confirms 1.29.1 release date +* Thu, Sep 20, 2018 - PRs posted to GitHub for +stable[3]/beta[4]/master[5] branches +* Fri, Sep 21, 2018 - Security list informed of this issue +* (planned) Tue, Sep 25, 2018 - Rust 1.29.1 is released with a fix for +this issue + +## Acknowledgements + +Thanks to Scott McMurray, who found this bug and reported it to us in +accordance with our security policy https://www.rust-lang.org/security.html. + +[1]: https://cwe.mitre.org/data/definitions/680.html +[2]: https://github.com/rust-lang/rust/pull/48657 +[3]: https://github.com/rust-lang/rust/pull/54397 +[4]: https://github.com/rust-lang/rust/pull/54398 +[5]: https://github.com/rust-lang/rust/pull/54399 +""" + +[affected.functions] +"std::str::repeat" = ["< 1.29.1, >= 1.26.0"] + +[versions] +patched = [">= 1.29.1"] +unaffected = ["< 1.26.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2019-12083.toml b/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2019-12083.toml new file mode 100644 index 000000000..da1029634 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/rust/std/CVE-2019-12083.toml @@ -0,0 +1,98 @@ +[advisory] +id = "CVE-2019-12083" +package = "std" +date = "2019-05-13" +title = "Memory safety vulnerabilities arising from `Error::type_id`" +categories = ["memory-corruption"] +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/aZabeCMUv70" +description = """ +The Rust team was recently notified of a security vulnerability affecting +manual implementations of `Error::type_id` and their interaction with the +`Error::downcast` family of functions in the standard library. If your code +does not manually implement `Error::type_id` your code is not affected. + +## Overview + +The `Error::type_id` function in the standard library was stabilized in the +1.34.0 release on 2019-04-11. This function allows acquiring the concrete +`TypeId` for the underlying error type to downcast back to the original type. +This function has a default implementation in the standard library, but it can +also be overridden by downstream crates. For example, the following is +currently allowed on Rust 1.34.0 and Rust 1.34.1: + +``` +struct MyType; + +impl Error for MyType { + fn type_id(&self) -> TypeId { + // Enable safe casting to `String` by accident. + TypeId::of::() + } +} +``` + +When combined with the `Error::downcast*` family of methods this can enable +safe casting of a type to the wrong type, causing security issues such as out +of bounds reads/writes/etc. + +Prior to the 1.34.0 release this function was not stable and could not be +either implemented or called in stable Rust. + +## Affected Versions + +The `Error::type_id` function was first stabilized in Rust 1.34.0, released on +2019-04-11. The Rust 1.34.1 release, published 2019-04-25, is also affected. +The `Error::type_id` function has been present, unstable, for all releases of +Rust since 1.0.0 meaning code compiled with nightly may have been affected at +any time. + +## Mitigations + +Immediate mitigation of this bug requires removing manual implementations of +`Error::type_id`, instead inheriting the default implementation which is +correct from a safety perspective. It is not the intention to have +`Error::type_id` return `TypeId` instances for other types. + +For long term mitigation we are going to destabilize this function. This is +unfortunately a breaking change for users calling `Error::type_id` and for +users overriding `Error::type_id`. For users overriding it's likely memory +unsafe, but users calling `Error::type_id` have only been able to do so on +stable for a few weeks since the last 1.34.0 release, so it's thought that the +impact will not be too great to overcome. + +We will be releasing a 1.34.2 point release on 2019-05-14 (tomorrow) which +reverts [#58048][1] and destabilizes the `Error::type_id` function. The +upcoming 1.35.0 release along with the beta/nightly channels will also all be +updated with a destabilization. + +The final fate of the `Error::type_id` API isn't decided upon just yet and is +the subject of [#60784][2]. No action beyond destabilization is currently +planned so nightly code may continue to exhibit this issue. We hope to fully +resolve this in the standard library soon. + +## Timeline of events + +* Thu, May 9, 2019 at 14:07 PM - Bug reported to security@rust-lang.org +* Thu, May 9, 2019 at 15:10 PM - Alex reponds, confirming the bug +* Fri, May 10, 2019 - Plan for mitigation developed and implemented +* Mon, May 13, 2019 - PRs posted to GitHub for + [stable][3]/[beta][4]/[master][5] branches +* Mon, May 13, 2019 - Security list informed of this issue +* (planned) Tue, May 14, 2019 - Rust 1.34.2 is released with a fix for +this issue + +## Acknowledgements + +Thanks to Sean McArthur, who found this bug and reported it to us in accordance +with our security policy https://www.rust-lang.org/policies/security. + +[1]: https://github.com/rust-lang/rust/pull/58048 +[2]: https://github.com/rust-lang/rust/issues/60784 +[3]: https://github.com/rust-lang/rust/pull/60785 +[4]: https://github.com/rust-lang/rust/pull/60786 +[5]: https://github.com/rust-lang/rust/pull/60787 +""" + +[versions] +patched = ["> 1.34.1"] +unaffected = ["< 1.34.0"] diff --git a/vulnerabilities/tests/test_data/rust/advisory-db/support.toml b/vulnerabilities/tests/test_data/rust/advisory-db/support.toml new file mode 100644 index 000000000..1faaa8be2 --- /dev/null +++ b/vulnerabilities/tests/test_data/rust/advisory-db/support.toml @@ -0,0 +1,3 @@ +# Minimum supported version of the `rustsec` crate +[rustsec] +version = ">= 0.12" diff --git a/vulnerabilities/tests/test_data_source.py b/vulnerabilities/tests/test_data_source.py new file mode 100644 index 000000000..2569ec577 --- /dev/null +++ b/vulnerabilities/tests/test_data_source.py @@ -0,0 +1,253 @@ +# Copyright (c) 2017 nexB Inc. and others. All rights reserved. +# http://nexb.com and https://github.com/nexB/vulnerablecode/ +# The VulnerableCode software is licensed under the Apache License version 2.0. +# Data generated with VulnerableCode require an acknowledgment. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode +# derivative work, you must accompany this data with the following acknowledgment: +# +# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# VulnerableCode should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# VulnerableCode is a free software code scanning tool from nexB Inc. and others. +# Visit https://github.com/nexB/vulnerablecode/ for support and download. +import os +from unittest.mock import patch, MagicMock + +import pygit2 +import pytest + +from vulnerabilities.data_source import GitDataSource, _include_file +from vulnerabilities.data_source import InvalidConfigurationError + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) +TEST_DATA = os.path.join(BASE_DIR, 'test_data/') + + +def mk_ds(**kwargs): + # just for convenience, since this is a manadory parameter we always pass a value + if 'repository_url' not in kwargs: + kwargs['repository_url'] ='asdf' + + # batch_size is a required parameter of the base class, unrelated to these tests + return GitDataSource(batch_size=100, config=kwargs) + + +def test_GitDataSource_repository_url_required(no_mkdir, no_rmtree): + + with pytest.raises(InvalidConfigurationError): + GitDataSource(batch_size=100) + + +def test_GitDataSource_validate_configuration_create_working_directory_must_be_set_when_working_directory_is_default( + no_mkdir, no_rmtree): + + with pytest.raises(InvalidConfigurationError): + mk_ds(create_working_directory=False) + + +def test_GitDataSource_validate_configuration_remove_working_directory_must_be_set_when_working_directory_is_default( + no_mkdir, no_rmtree): + + with pytest.raises(InvalidConfigurationError): + mk_ds(remove_working_directory=False) + + +@patch('os.path.exists', return_value=True) +def test_GitDataSource_validate_configuration_remove_working_directory_is_applied(no_mkdir, no_rmtree): + + ds = mk_ds(remove_working_directory=False, working_directory='/some/directory') + + assert not ds.config.remove_working_directory + + +def test_GitDataSource_validate_configuration_working_directory_must_exist_when_create_working_directory_is_not_set( + no_mkdir, no_rmtree): + + with pytest.raises(InvalidConfigurationError): + mk_ds(working_directory='/does/not/exist', create_working_directory=False) + + +@patch('os.path.exists', return_value=False) +@patch('shutil.rmtree') +@patch('pygit2.clone_repository') +@patch('os.mkdir') +def test_GitDataSource_contextmgr_working_directory_is_created_and_removed(mkdir, clone_repository, rmtree, _): + + wd = '/some/working/directory' + ds = mk_ds(working_directory=wd, create_working_directory=True, remove_working_directory=True) + + with ds: + assert wd == ds.config.working_directory + assert mkdir.called_with(wd) + + assert clone_repository.called_with('asdf', wd, checkout_branch=ds.config.branch) + assert rmtree.called_with(wd) + + +@patch('shutil.rmtree') +@patch('pygit2.clone_repository') +@patch('tempfile.mkdtemp', return_value='/fake/tempdir') +def test_GitDataSource_contextmgr_calls_mkdtemp_if_working_directory_is_not_set(mkdtemp, *_): + + ds = mk_ds() + + with ds: + assert mkdtemp.called + assert ds.config.working_directory == '/fake/tempdir' + + +@patch('os.path.exists', return_value=True) +@patch('pygit2.Repository') +@patch('pygit2.clone_repository') +@patch('pygit2.discover_repository', return_value='/fake/tempdir/.git') +def test_GitDataSource_contextmgr_uses_existing_repository(discover_repository, clone_repository, _, no_mkdir, + no_rmtree): + + ds = mk_ds(working_directory='/fake/tempdir', create_working_directory=False, remove_working_directory=False) + + with ds: + assert discover_repository.called + assert not clone_repository.called + + +@patch('os.path.exists', return_value=True) +@patch('pygit2.discover_repository', return_value='/fake/tempdir/.git') +@patch('pygit2.Repository') +def test_GitDataSource_contextmgr_switches_branch(Repository, discover_repository, exists, no_mkdir, no_rmtree): + + mock_repo, mock_remote, mock_remote_origin, mock_remote_other = MagicMock(), MagicMock(), MagicMock(), MagicMock() + mock_master, mock_custom, mock_remote_custom = MagicMock(), MagicMock(), MagicMock() + + mock_master.is_checked_out = lambda: True + mock_custom.is_checked_out = lambda: False + mock_repo.branches = {'master': mock_master, 'custom': mock_custom, 'origin/custom': mock_remote_custom} + + repository_url = 'https://foo/bar/baz.git' + mock_remote.url = repository_url + mock_remote.name = 'origin' + mock_repo.remotes = [mock_remote] + Repository.return_value = mock_repo + + ds = mk_ds( + repository_url=repository_url, + working_directory='/fake/tempdir', + create_working_directory=False, + remove_working_directory=False, + branch='custom', + ) + + with ds: + mock_repo.checkout.assert_called_with(mock_custom, strategy=pygit2.GIT_CHECKOUT_FORCE) + + +@patch('os.path.exists', return_value=True) +@patch('pygit2.discover_repository', return_value='/fake/tempdir/.git') +@patch('pygit2.Repository') +def test_GitDataSource_contextmgr_fetches_from_remote_in_already_cloned_repository(Repository, discover_repository, + exists, no_mkdir, no_rmtree): + + mock_repo, mock_remote_origin, mock_remote_other = MagicMock(), MagicMock(), MagicMock() + mock_branch, mock_remote_branch = MagicMock(), MagicMock() + + repository_url = 'https://foo/bar/baz.git' + mock_remote_origin.url = repository_url + mock_remote_origin.name = 'origin' + mock_remote_other.url = 'https://some/other/url.git' + mock_repo.remotes = [mock_remote_other, mock_remote_origin] + + mock_remote_branch.target = 'asdf' + mock_remote_branch.shorthand = 'origin/master' + mock_repo.head.shorthand = 'master' + mock_repo.branches = {'master': mock_branch, 'origin/master': mock_remote_branch} + + Repository.return_value = mock_repo + + ds = mk_ds( + repository_url=repository_url, + working_directory='/fake/tempdir', + create_working_directory=False, + remove_working_directory=False, + ) + + with ds: + assert mock_remote_origin.fetch.called + assert not mock_remote_other.fetch.called + + +@patch('os.path.exists', return_value=True) +@patch('pygit2.discover_repository', return_value='/fake/tempdir/.git') +@patch('pygit2.Repository') +def test_GitDataSource_contextmgr_adds_missing_remote_to_already_cloned_repository(Repository, discover_repository, + exists, no_mkdir, no_rmtree): + + mock_repo, mock_remote, mock_branch, mock_remote_branch = MagicMock(), MagicMock(), MagicMock(), MagicMock() + + repository_url = 'https://foo/bar/baz.git' + mock_remote_branch.target = 'asdf' + mock_remote_branch.shorthand = 'added_by_vulnerablecode/master' + mock_repo.head.shorthand = 'master' + mock_repo.branches = {'master': mock_branch, 'added_by_vulnerablecode/master': mock_remote_branch} + + mock_remote.name = 'added_by_vulnerablecode' + mock_remote.url = repository_url + mock_repo.remotes = MagicMock() + mock_repo.remotes.create.return_value = mock_remote + Repository.return_value = mock_repo + + ds = mk_ds( + repository_url=repository_url, + working_directory='/fake/tempdir', + create_working_directory=False, + remove_working_directory=False, + ) + + with ds: + mock_repo.remotes.create.assert_called_once_with('added_by_vulnerablecode', repository_url) + + +def test_GitDataSource_added_files_returns_all_when_cutoff_date_is_None(): + + wd = os.path.join(TEST_DATA, 'rust', 'advisory-db') + ds = mk_ds(working_directory=wd) + + added_files = ds.added_files(subdir='rust', recursive=True, file_ext='toml') + + assert set(added_files) == { + 'cargo/CVE-2019-16760.toml', + 'rustdoc/CVE-2018-1000622.toml', + 'std/CVE-2018-1000657.toml', + 'std/CVE-2018-1000810.toml', + 'std/CVE-2019-12083.toml', + } + + +def test_GitDataSource_updated_files_returns_none_when_cutoff_date_is_None(): + + wd = os.path.join(TEST_DATA, 'rust', 'advisory-db') + ds = mk_ds(working_directory=wd) + + updated_files = ds.updated_files() + + assert len(updated_files) == 0 + + +def test__include_file(): + + assert _include_file('foo.json', subdir=None, recursive=False, file_ext=None) + assert not _include_file('foo/bar.json', subdir=None, recursive=False, file_ext=None) + assert _include_file('foo/bar.json', subdir='foo/', recursive=False, file_ext=None) + assert _include_file('foo/bar.json', subdir='foo', recursive=False, file_ext=None) + assert not _include_file('foobar.json', subdir='foo', recursive=False, file_ext=None) + assert _include_file('foo/bar.json', subdir=None, recursive=True, file_ext=None) + assert not _include_file('foo/bar.json', subdir=None, recursive=True, file_ext='yaml') + assert _include_file('foo/bar/baz.json', subdir='foo', recursive=True, file_ext='json') + assert not _include_file('bar/foo/baz.json', subdir='foo', recursive=True, file_ext='json')