vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License
7.18k stars 278 forks source link

Security vulnerabilities found by cargo audit #277

Open mnhauke opened 1 week ago

mnhauke commented 1 week ago

Hello, I am one of the [openSUSE websocat package]() maintainers.

The package build routines nowadays include a check via cargo audit to only allow updates without security vulnerabilities. The current version v1.14.0 fails that check because of the following discovered vulnerabilities:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 686 security advisories (from /home/mhauke/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (224 crate dependencies)
Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
├── websocket 0.27.1
│   └── websocat 1.14.0
└── websocat 1.14.0

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     openssl
Version:   0.10.64
Title:     `MemBio::get_buf` has undefined behavior with empty buffers
Date:      2024-07-21
ID:        RUSTSEC-2024-0357
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0357
Solution:  Upgrade to >=0.10.66
Dependency tree:
openssl 0.10.64
└── native-tls 0.2.11
    ├── websocket-base 0.26.5
    │   ├── websocket 0.27.1
    │   │   └── websocat 1.14.0
    │   └── websocat 1.14.0
    ├── websocket 0.27.1
    ├── websocat 1.14.0
    └── tokio-tls 0.2.1
        ├── websocket-base 0.26.5
        ├── websocket 0.27.1
        └── websocat 1.14.0

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── hyper 0.10.16
    ├── websocket 0.27.1
    │   └── websocat 1.14.0
    └── websocat 1.14.0

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22
├── websocat 1.14.0
├── tokio-named-pipes 0.1.0
│   └── websocat 1.14.0
└── tk-listen 0.2.1
    └── websocat 1.14.0

Crate:     anymap
Version:   0.12.1
Warning:   unmaintained
Title:     anymap is unmaintained.
Date:      2021-05-07
ID:        RUSTSEC-2021-0065
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0065
Dependency tree:
anymap 0.12.1
└── websocat 1.14.0

Crate:     atty
Version:   0.2.14
Warning:   unmaintained
Title:     `atty` is unmaintained
Date:      2024-09-25
ID:        RUSTSEC-2024-0375
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0375
Dependency tree:
atty 0.2.14
└── websocat 1.14.0

Crate:     derivative
Version:   1.0.4
Warning:   unmaintained
Title:     `derivative` is unmaintained; consider using an alternative
Date:      2024-06-26
ID:        RUSTSEC-2024-0388
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0388
Dependency tree:
derivative 1.0.4
└── websocat 1.14.0

Crate:     net2
Version:   0.2.39
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.39
├── websocat 1.14.0
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── tokio-uds 0.2.7
│       │   ├── websocat 1.14.0
│       │   └── tokio 0.1.22
│       │       ├── websocat 1.14.0
│       │       ├── tokio-named-pipes 0.1.0
│       │       │   └── websocat 1.14.0
│       │       └── tk-listen 0.2.1
│       │           └── websocat 1.14.0
│       ├── tokio-udp 0.1.6
│       │   ├── websocat 1.14.0
│       │   └── tokio 0.1.22
│       ├── tokio-tcp 0.1.4
│       │   ├── websocket-base 0.26.5
│       │   │   ├── websocket 0.27.1
│       │   │   │   └── websocat 1.14.0
│       │   │   └── websocat 1.14.0
│       │   ├── websocket 0.27.1
│       │   ├── websocat 1.14.0
│       │   └── tokio 0.1.22
│       ├── tokio-signal 0.2.9
│       │   ├── websocat 1.14.0
│       │   └── tokio-process 0.2.5
│       │       └── websocat 1.14.0
│       ├── tokio-reactor 0.1.12
│       │   ├── websocket 0.27.1
│       │   ├── websocat 1.14.0
│       │   ├── tokio-uds 0.2.7
│       │   ├── tokio-udp 0.1.6
│       │   ├── tokio-tcp 0.1.4
│       │   ├── tokio-signal 0.2.9
│       │   ├── tokio-process 0.2.5
│       │   ├── tokio-file-unix 0.5.1
│       │   │   └── websocat 1.14.0
│       │   └── tokio 0.1.22
│       ├── tokio-process 0.2.5
│       ├── tokio-named-pipes 0.1.0
│       ├── tokio-file-unix 0.5.1
│       ├── tokio 0.1.22
│       ├── mio-uds 0.6.8
│       │   ├── tokio-uds 0.2.7
│       │   └── tokio-signal 0.2.9
│       └── mio-named-pipes 0.1.7
│           ├── tokio-process 0.2.5
│           └── tokio-named-pipes 0.1.0
└── mio 0.6.23

Crate:     safemem
Version:   0.3.3
Warning:   unmaintained
Title:     safemem is unmaintained
Date:      2023-02-14
ID:        RUSTSEC-2023-0081
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
└── base64 0.9.3
    └── hyper 0.10.16
        ├── websocket 0.27.1
        │   └── websocat 1.14.0
        └── websocat 1.14.0

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    ├── websocket 0.27.1
    │   └── websocat 1.14.0
    └── websocat 1.14.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145

Crate:     crossbeam-queue
Version:   0.1.2
Warning:   unsound
Title:     `SegQueue` creates zero value of any type
Date:      2022-05-10
ID:        RUSTSEC-2022-0021
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0021
Dependency tree:
crossbeam-queue 0.1.2
└── tokio-process 0.2.5
    └── websocat 1.14.0

Crate:     crossbeam-utils
Version:   0.6.6
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.6.6
└── crossbeam-queue 0.1.2
    └── tokio-process 0.2.5
        └── websocat 1.14.0

Crate:     crossbeam-utils
Version:   0.7.2
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.7.2
├── tokio-timer 0.2.13
│   ├── websocat 1.14.0
│   └── tokio 0.1.22
│       ├── websocat 1.14.0
│       ├── tokio-named-pipes 0.1.0
│       │   └── websocat 1.14.0
│       └── tk-listen 0.2.1
│           └── websocat 1.14.0
├── tokio-threadpool 0.1.18
│   ├── tokio-fs 0.1.7
│   │   └── tokio 0.1.22
│   └── tokio 0.1.22
├── tokio-reactor 0.1.12
│   ├── websocket 0.27.1
│   │   └── websocat 1.14.0
│   ├── websocat 1.14.0
│   ├── tokio-uds 0.2.7
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   ├── tokio-udp 0.1.6
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   ├── tokio-tcp 0.1.4
│   │   ├── websocket-base 0.26.5
│   │   │   ├── websocket 0.27.1
│   │   │   └── websocat 1.14.0
│   │   ├── websocket 0.27.1
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   ├── tokio-signal 0.2.9
│   │   ├── websocat 1.14.0
│   │   └── tokio-process 0.2.5
│   │       └── websocat 1.14.0
│   ├── tokio-process 0.2.5
│   ├── tokio-file-unix 0.5.1
│   │   └── websocat 1.14.0
│   └── tokio 0.1.22
├── tokio-executor 0.1.10
│   ├── tokio-timer 0.2.13
│   ├── tokio-threadpool 0.1.18
│   ├── tokio-signal 0.2.9
│   ├── tokio-reactor 0.1.12
│   ├── tokio-current-thread 0.1.7
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   └── tokio 0.1.22
├── crossbeam-queue 0.2.3
│   └── tokio-threadpool 0.1.18
├── crossbeam-epoch 0.8.2
│   └── crossbeam-deque 0.7.4
│       └── tokio-threadpool 0.1.18
└── crossbeam-deque 0.7.4

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     lock_api
Version:   0.3.4
Warning:   unsound
Title:     Some lock_api lock guard objects can cause data races
Date:      2020-11-08
ID:        RUSTSEC-2020-0070
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0070
Dependency tree:
lock_api 0.3.4
└── parking_lot 0.9.0
    └── tokio-reactor 0.1.12
        ├── websocket 0.27.1
        │   └── websocat 1.14.0
        ├── websocat 1.14.0
        ├── tokio-uds 0.2.7
        │   ├── websocat 1.14.0
        │   └── tokio 0.1.22
        │       ├── websocat 1.14.0
        │       ├── tokio-named-pipes 0.1.0
        │       │   └── websocat 1.14.0
        │       └── tk-listen 0.2.1
        │           └── websocat 1.14.0
        ├── tokio-udp 0.1.6
        │   ├── websocat 1.14.0
        │   └── tokio 0.1.22
        ├── tokio-tcp 0.1.4
        │   ├── websocket-base 0.26.5
        │   │   ├── websocket 0.27.1
        │   │   └── websocat 1.14.0
        │   ├── websocket 0.27.1
        │   ├── websocat 1.14.0
        │   └── tokio 0.1.22
        ├── tokio-signal 0.2.9
        │   ├── websocat 1.14.0
        │   └── tokio-process 0.2.5
        │       └── websocat 1.14.0
        ├── tokio-process 0.2.5
        ├── tokio-file-unix 0.5.1
        │   └── websocat 1.14.0
        └── tokio 0.1.22

Crate:     memoffset
Version:   0.5.6
Warning:   unsound
Title:     memoffset allows reading uninitialized memory
Date:      2023-06-21
ID:        RUSTSEC-2023-0045
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0045
Dependency tree:
memoffset 0.5.6
└── crossbeam-epoch 0.8.2
    └── crossbeam-deque 0.7.4
        └── tokio-threadpool 0.1.18
            ├── tokio-fs 0.1.7
            │   └── tokio 0.1.22
            │       ├── websocat 1.14.0
            │       ├── tokio-named-pipes 0.1.0
            │       │   └── websocat 1.14.0
            │       └── tk-listen 0.2.1
            │           └── websocat 1.14.0
            └── tokio 0.1.22

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 5 vulnerabilities found!
warning: 14 allowed warnings found
vi commented 1 week ago

Such things is one of the reasons (or maybe a primary reason) why I rewritten it using modern dependencies.

It is impractical to close all those things - maybe porting the features to 4.0.0 branch would be simpler.

I hope that most of the things should not be (easily) reachable from Websocat. For example:

Lenient hyper header parsing of Content-Length could allow request smuggling

Websockets do not use Content-Length field.

Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss

WebSockets do not use Transfer-Encoding.

Potential segfault in the time crate

As far as I remember, it's about environment variables and setting timezone or something like that. Obviously Websocat does not use set_env.

In general RUSTSECs rarely directly translate to exploitable vulnerabilities.

The most important security-related dependency - OpenSSL - should be up to date even with v1 branch.


Maybe try to package v4.0.0-alpha1 instead?

The only cargo audit warning there is that "instant is unmaintained" (RUSTSEC-2024-0384) (coming from a transitive dependency).

Note that a lot of Websocat1 features are missing at the moment (porting is tracked at #276). If Websocat is unpackaged at the moment it may be less of a problem, but automatic update from v1.13 to 4.0.0-alpha1 may be not a good idea.


The current version v1.14.0 fails that check

Is it the first time OpenSUSE packages Websocat (i.e. v1.14.0 is a starting version) or it is an update?

v1.14.0 is not significantly different from v1.13.0, v1.12.0 and so in this regard - master branch stuck with legacy deps for a long time.

Maybe cargo audit requirement is a new one?

The only correctness change of v1.14 compared to v1.13 is prioritisation of pong replies over normal traffic. The rest are somewhat minor features, so sticking with 1.13 for some time should not be a large problem.

mnhauke commented 1 week ago

websocat is currently only available in the "network:utilities" add-on repository and not (yet) in of openSUSE's official distributions like Tumbleweed, Leap, ...

It's a package update but passing "cargo audit" is a new requirement for packages since some time (at least for those in the official distribution) thus the package builds are failing.

websocat v1.14 https://build.opensuse.org/package/show/home:mnhauke/websocat with the following settings to workaround build errors https://build.opensuse.org/projects/home:mnhauke/packages/websocat/files/_service?expand=1 ...

     <param name="i-accept-the-risk">RUSTSEC-2021-0078</param>
     <param name="i-accept-the-risk">RUSTSEC-2021-0079</param>
     <param name="i-accept-the-risk">RUSTSEC-2021-0124</param>

websocat 4.0.0-alpha1 https://build.opensuse.org/package/show/home:mnhauke:test/websocat ... looks better in general and once it's considered "stable" definitely the version I sooner or later want to push towards the official openSUSE distributions.

vi commented 1 week ago

i-accept-the-risk RUSTSEC-2021-0078 RUSTSEC-2021-0079 RUSTSEC-2021-0124

Shall I review those specific RUSTSECs how (and if) they affect Websocat1?

once it's considered "stable"

It may take a while. Next Websocat4 release would probably be "beta" or something like that.

mnhauke commented 1 week ago

i-accept-the-risk RUSTSEC-2021-0078 RUSTSEC-2021-0079 RUSTSEC-2021-0124

Shall I review those specific RUSTSECs how (and if) they affect Websocat1?

That would be nice.

once it's considered "stable"

It may take a while. Next Websocat4 release would probably be "beta" or something like that.

Thanks for letting me know.

vi commented 1 week ago

RUSTSEC-2021-0078

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign

GET / HTTP/1.1
Host: example.com
Content-Length: +3

abc

To be vulnerable, hyper must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. desync attack Request Smuggling

This looks like a minor, obscure thing. I'm not even sure that accepting more requests that RFC suggest is a real problem - buggy proxies (especially usage of them for security) may be the real problem instead.

Websocat accept HTTP requests in two ways:

There are no mentions of Content-Length there. When accepting a Websocket connection - it accepts anything there (0, 3, +3, -3, qqq) - it does not attempt to fully validate the request and only looks at essential fields. When accepting a body for http-post-sse: mode, it does not attempt to follow any complicated HTTP standards - just parses enough of HTTP header to know whether it is POST or GET and to know when header ends and body begins (which is streams as is, without any interpretation).

Vulnerability score seems to be somewhat inflated for this. And Websocat (at least as of version 1) does not aim to cross the t-s and dot the i-s regarding to web standards anyway. Websocat4 may be a bit better in that regard, but mostly implicitly (by using more modern dependencies).


RUSTSEC-2021-0079

Integer Overflow in Chunked Transfer-Encoding

GET / HTTP/1.1
Host: example.com
Transfer-Encoding: chunked

f0000000000000003
abc
0

"request smuggling" or "desync attacks" CVSS Score: 9.1 CRITICAL

How can "desync" even get such high score if it relies on a bad proxy?

Websocat just does not support Transfer-Encoding at all. Typically it just upgrades to a WebSocket (or expects an upgrade to a WebSocket) or serves a static file (it does not attempt to read request body in this case). http-post-sse: would just inline all those body headers as a data (not interpreting it as headers or chunks or whatever).


RUSTSEC-2021-0124

tokio: Race leads to panic in oneshot::Sender::send() When these methods are called concurrently ...

Websocat1 uses futures::unsync for channel needs. Additionally async part of Websocat1 is mostly single-threaded, so concurrency issues should not affect it.