near / near-sdk-rs

Rust library for writing NEAR smart contracts
https://near-sdk.io
Apache License 2.0

Potentially replace unmaintained libraries ignored in audit.toml. #1203

Open ruseinov opened 4 months ago

ruseinov commented 4 months ago

And revisit other ignores.

https://github.com/near/near-sdk-rs/blob/master/.cargo/audit.toml

MPSxDev commented 3 months ago

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I am a process engineer and I have a high problem-solving capacity. I am currently co-founder and developer of my own startup.

How I plan on tackling this issue

My work can be divided into 3 stages:

  1. Research new solutions from other updated libraries
  2. Deploy locally to see its usage and avoid errors or problems.
  3. Implement until the desired goal is achieved.

This is my first ODHack; I hope to contribute a lot, and I am available to start immediately.

frol commented 3 months ago

@MPSxDev Go for it!

MPSxDev commented 3 months ago

Research Outcome:

This is the research work carried out, first checking that the repositories are maintained and active, and then verifying the existence of documentation in docs.rs. Below I leave the points found in the audit.toml file

atty: This has not been maintained for 2 years; an alternative:

wee_alloc: This has not been maintained for 3 years; a solution may be to implement

curve25519-dalek: Because it has vulnerabilities, I found this alternative:

I look forward to your comments and any other requests that may be required.

frol commented 3 months ago

We had a prior discussion about wee_alloc and decided to keep it: https://github.com/near/near-sdk-rs/pull/1151

atty, curve25519-dalek - they are not direct dependencies, right? Can we update any of direct dependencies to fix it?

MPSxDev commented 3 months ago

[image]

frol commented 3 months ago

@MPSxDev near-sdk-rs does not directly depend on atty. Please, inspect the dependencies tree to identify which crates we need to update in order to upgrade/eliminate atty and curve25519-dalek. Once identified, we could make a decision whether we can contribute the fix to those dependencies as there is nothing near-sdk-rs can do about it directly.

MPSxDev commented 2 months ago

After a thorough investigation of the packages that include the involved dependencies:

These include the atty dependency:

These include ed25519-dalek (which includes curve25519-dalek):

Below are the affected packages used, including the current version and whether they continue to use these affected dependencies.

In summary, the following steps should be taken:

  1. Migrate from atty to std.io.IsTerminal in cargo-near.
  2. Update env_logger to the latest version.
  3. For near-crypto, near-cli-rs, and near-vm-runner, use versions higher than v2 for ed25519-dalek, which according to rustsec.org includes the patch for the vulnerability in versions >=2.
  4. For all mentioned in point 4, since ed25519-dalek uses curve25519-dalek as a dependency, version >=4.1.3 should be used.

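The migration in step 1, as an added example that is not code from near-sdk-rs or cargo-near: the unmaintained `atty` crate is replaced by `std::io::IsTerminal` (stable since Rust 1.70), and the tty check is kept separate from a pure colour-policy function so the policy can be tested without a real terminal. The function names and the NO_COLOR/TERM handling are assumptions of this example, not something the thread specifies.

```rust
// Added example, not project code: replacing `atty` with std's `IsTerminal`.
use std::io::{self, IsTerminal};

/// Before (hypothetical, as a crate depending on `atty` would have written it):
///
///     let stdout_is_tty = atty::is(atty::Stream::Stdout);
///
/// After: the same check from std, so the unmaintained crate can be dropped
/// and the matching `ignore` entry removed from audit.toml.
pub fn stdout_is_tty() -> bool {
    io::stdout().is_terminal()
}

pub fn stderr_is_tty() -> bool {
    io::stderr().is_terminal()
}

/// Pure decision function (assumed policy): no colour when NO_COLOR is set to
/// any value, when TERM is "dumb", or when the stream is not a terminal.
pub fn should_use_color(is_tty: bool, no_color: Option<&str>, term: Option<&str>) -> bool {
    if no_color.is_some() {
        return false;
    }
    if matches!(term, Some("dumb")) {
        return false;
    }
    is_tty
}

/// Wires the std-based tty check and the process environment into the policy.
pub fn use_color_for_stdout() -> bool {
    let no_color = std::env::var("NO_COLOR").ok();
    let term = std::env::var("TERM").ok();
    should_use_color(stdout_is_tty(), no_color.as_deref(), term.as_deref())
}

fn main() {
    println!("stdout is a terminal: {}", stdout_is_tty());
    println!("stderr is a terminal: {}", stderr_is_tty());
    println!("use colour on stdout: {}", use_color_for_stdout());
}
```

After the swap, `cargo tree -i atty` on the crate should report that the package is no longer in the graph, which is the check frol asked for above.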
frol commented 2 months ago

@MPSxDev Great summary! We definitely can act on the first two steps immediately. slip10 has been replaced with slipped10, and that should have been subsequently updated in the recent near-cli-rs and cargo-near releases. Can you give it a try upgrading the dependencies and authoring the atty PR to cargo-near as part of this issue?

MPSxDev commented 2 months ago

@frol Thank you very much. Yes, I can try to update this. If I have any questions, I will let you know.

MPSxDev commented 2 months ago

This issue should be closed, I have already done the audit on the latest version and there is no presence of atty and the versions of other dependencies are already updated to versions without the vulnerability. @frol