refraction-networking / conjure

Conjure Refraction Networking station code
https://refraction.network
Apache License 2.0

Update rust chrono dep to (maybe) fix dependency alert #220

Closed jmwample closed 10 months ago

jmwample commented 10 months ago

The dependency on the chrono crate in src/logging.rs for Local::now(), which returns a DateTime, and the subsequent formatting mean that we import chrono. On some execution paths chrono calls libc::localtime_r which can crash. I don't think that we run that execution path, but it isn't impossible.

Hopefully updating to 0.4.27 fixes this. Chrono is a widely used datetime crate in rust.

https://github.com/refraction-networking/conjure/security/dependabot/8

jmwample commented 10 months ago

Turns out this is not a solution to the security notice. However, while chrono imports the older version of time that is vulnerable, chrono itself shouldn't have that in any execution path according to

$ cargo audit              
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 562 security advisories (from /.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (126 crate dependencies)
Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.27
    └── rust_dark_decoy 0.0.1

error: 1 vulnerability found!

The solution seems to be replacing chrono with the time crate.

 $ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 562 security advisories (from /.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (113 crate dependencies)

We can achieve equivalent logging with:

use chrono::Local;
use time::OffsetDateTime;
use time::macros::format_description;

fn main() {
    // Current approach: chrono's Local::now() plus strftime-style formatting.
    let t = Local::now();
    let t_s = t.format("%Y-%m-%d %H:%M:%S.%f %z").to_string();
    println!("{t_s}");

    // Equivalent with the time crate (needs its `local-offset`, `formatting`
    // and `macros` features); the format description is checked at compile time.
    let t_1 = OffsetDateTime::now_local().unwrap();
    let formatter = format_description!("[year]-[month]-[day] [hour]:[minute]:[second].[subsecond digits:9] [offset_hour][offset_minute]");
    println!("{}", t_1.format(formatter).unwrap());
}
2023-08-30 15:15:40.956179666 -0600
2023-08-30 15:15:40.956287238 -0600
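The triage question behind this thread is whether the flagged crate is something the project depends on directly or something an intermediate crate drags in. The following Rust program is an added example, not part of this PR or of the conjure project: it parses the plain-text report that `cargo audit` prints (the text above is embedded as a constructed sample, copied from that output), rebuilds each reverse-dependency chain from the indented tree, and classifies the exposure as direct or transitive. The `Finding`, `Exposure`, `parse_report` and `exposure` names are this example's own.

```rust
// Added example (not conjure project code): parse the text report that
// `cargo audit` prints and classify how the vulnerable crate is reached.

#[derive(Debug, Default, PartialEq)]
pub struct Finding {
    pub krate: String,
    pub version: String,
    pub id: String,
    pub severity: String,
    pub solution: String,
    /// Reverse-dependency chains, each from the vulnerable crate up to a
    /// workspace root, e.g. ["time 0.1.45", "chrono 0.4.27", "rust_dark_decoy 0.0.1"].
    pub chains: Vec<Vec<String>>,
}

#[derive(Debug, PartialEq)]
pub enum Exposure {
    /// The root crate depends on the vulnerable crate itself.
    Direct,
    /// The vulnerable crate is pulled in by this direct dependency of the root.
    Transitive { via: String },
}

/// Parse one line of the "Dependency tree:" section into (depth, "name version").
/// cargo audit indents one level per four columns and marks children with "└── "/"├── ".
fn tree_node(line: &str) -> Option<(usize, String)> {
    let body = line.trim_start_matches(|c: char| c == ' ' || c == '│');
    let indent = line.chars().count() - body.chars().count();
    let (depth, label) = match body.strip_prefix("└── ").or_else(|| body.strip_prefix("├── ")) {
        Some(rest) => (indent / 4 + 1, rest),
        None => (indent / 4, body),
    };
    let label = label.trim();
    // A node is exactly "<name> <version>"; anything else ends the tree section.
    let mut parts = label.split_whitespace();
    match (parts.next(), parts.next(), parts.next()) {
        (Some(_), Some(_), None) => Some((depth, label.to_string())),
        _ => None,
    }
}

/// Turn the flat list of (depth, label) nodes into one chain per leaf (root package).
fn chains(nodes: &[(usize, String)]) -> Vec<Vec<String>> {
    let mut out = Vec::new();
    let mut stack: Vec<(usize, String)> = Vec::new();
    for (i, (depth, label)) in nodes.iter().enumerate() {
        while stack.last().map_or(false, |(d, _)| d >= depth) {
            stack.pop();
        }
        stack.push((*depth, label.clone()));
        let is_leaf = nodes.get(i + 1).map_or(true, |(d, _)| d <= depth);
        if is_leaf {
            out.push(stack.iter().map(|(_, l)| l.clone()).collect());
        }
    }
    out
}

/// Parse a whole report; every "Crate:" line starts a new finding.
pub fn parse_report(report: &str) -> Vec<Finding> {
    let mut findings: Vec<Finding> = Vec::new();
    let mut nodes: Vec<(usize, String)> = Vec::new();
    let mut in_tree = false;
    for line in report.lines() {
        if in_tree {
            match tree_node(line) {
                Some(n) => {
                    nodes.push(n);
                    continue;
                }
                None => {
                    if let Some(f) = findings.last_mut() {
                        f.chains = chains(&nodes);
                    }
                    nodes.clear();
                    in_tree = false;
                }
            }
        }
        let (key, value) = match line.split_once(':') {
            Some(kv) => kv,
            None => continue,
        };
        let value = value.trim().to_string();
        match key.trim() {
            "Crate" => findings.push(Finding { krate: value, ..Default::default() }),
            "Version" => if let Some(f) = findings.last_mut() { f.version = value },
            "ID" => if let Some(f) = findings.last_mut() { f.id = value },
            "Severity" => if let Some(f) = findings.last_mut() { f.severity = value },
            "Solution" => if let Some(f) = findings.last_mut() { f.solution = value },
            "Dependency tree" => in_tree = true,
            _ => {}
        }
    }
    if in_tree {
        if let Some(f) = findings.last_mut() {
            f.chains = chains(&nodes);
        }
    }
    findings
}

/// A chain runs vulnerable crate -> ... -> root; two entries means a direct dependency.
pub fn exposure(chain: &[String]) -> Exposure {
    if chain.len() <= 2 {
        Exposure::Direct
    } else {
        Exposure::Transitive { via: chain[chain.len() - 2].clone() }
    }
}

// Constructed sample: the report text quoted earlier in this thread.
pub const SAMPLE_REPORT: &str = "\
Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.27
    └── rust_dark_decoy 0.0.1

error: 1 vulnerability found!
";

fn main() {
    for f in parse_report(SAMPLE_REPORT) {
        println!("{} {} ({}): {}", f.krate, f.version, f.id, f.solution);
        for chain in &f.chains {
            println!("  {} => {:?}", chain.join(" <- "), exposure(chain));
        }
    }
}
```

For the sample above the chain is `time 0.1.45 <- chrono 0.4.27 <- rust_dark_decoy 0.0.1`, classified as transitive via chrono, which is exactly why bumping chrono did not clear the advisory and the crate pulling in `time 0.1` had to be replaced. In a real pipeline, prefer `cargo audit --json` over scraping the text output; the parser here exists to make the triage logic visible.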