chore(deps): update rust crate serde_with to 3.21.0 [security] #16
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/crate-serde_with-vulnerability"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
3.7.0→3.21.0serde_with: KeyValueMap serialization panics on empty sequence or map entries
GHSA-7gcf-g7xr-8hxj
More information
Details
Summary
The public
KeyValueMapserializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts1from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through#[serde_as(as = "KeyValueMap<_>")]can be crashed by an empty inner sequence or map entry.Details
The affected public surface includes:
#[serde_as(as = "KeyValueMap<_>")]values throughserde_json::to_stringor any other Serde serializer`KeyValueMapconversions for sequence and map-backed entries`The root cause is: The
KeyValueMapserializer preallocatingVec::with_capacity(len - 1)orVec::with_capacity(len.unwrap_or(17) - 1)before checking that the element actually contains the required first key field or item.The vulnerable data/control flow is: attacker-controlled empty entry ->
serde_json::to_string->KeyValueMap<TAs>::serialize_as->SeqAsMapSerializer::{serialize_seq,serialize_map}->Vec::with_capacity(len - 1)orVec::with_capacity(len.unwrap_or(17) - 1)-> panicRelevant source locations:
serde_with/src/key_value_map.rs:590serde_with/src/key_value_map.rs:599serde_with/src/key_value_map.rs:613serde_with/src/key_value_map.rs:632serde_with/src/key_value_map.rs:648PoC
Impact
A local attacker who can trigger serialization of attacker-controlled data through
KeyValueMapcan terminate the process, causing a denial of service.Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
jonasbb/serde_with (serde_with)
v3.21.0: serde_with v3.21.0Compare Source
Security
GHSA-7gcf-g7xr-8hxj: KeyValueMap serialization panics on empty sequence or map entries
Bad or attacker controlled values could cause a panic while allocating too large values.
Fixed in #966 by setting a maximum allocation size during the creation of collections like
Vecor sets.Thanks to @7thParkk for reporting the issue.
Added
NoneAsZeroadapter that mapsOption<NonZero*>to a plain integer, encodingNoneas0by @SAY-5 (#486)Changed
Fixed
unused_qualificationsand fix the resulting findings by @lms0806 (#962)v3.20.0: serde_with v3.20.0Compare Source
Added
base58encoding, similar to the existingbase64setup by @mitinarseny (#943)Fixed
base64withschemarssupport by @mitinarseny (#9949)v3.19.0: serde_with v3.19.0Compare Source
Added
Add support for
hashbrownv0.17 (#940)This extends the existing support for
hashbrownto the newly released version.v3.18.0: serde_with v3.18.0Compare Source
Added
OneOrManywith more sequence and set types (#929)Changed
darlingdependencyv3.17.0: serde_with v3.17.0Compare Source
Added
OneOrManywithsmallvecv1 (#920, #922)Changed
yaml_serdefor a maintained yaml dependency by @kazan417 (#921)yaml_serdedev-dependency.v3.16.1: serde_with v3.16.1Compare Source
Fixed
JsonSchemaAsofSetPreventDuplicatesandSetLastValueWins. (#906, #907)v3.16.0: serde_with v3.16.0Compare Source
Added
smallvecv1 under thesmallvec_1feature flag by @isharma228 (#895)JsonSchemaAsimplementation forjson::JsonStringby @yogevm15 (#901)v3.15.1: serde_with v3.15.1Compare Source
Fixed
serde_core.v3.15.0: serde_with v3.15.0Compare Source
Added
Added error inspection to
VecSkipErrorandMapSkipErrorby @michelhe (#878)This allows interacting with the previously hidden error, for example for logging.
Checkout the newly added example to both types.
Allow documenting the types generated by
serde_conv!.The
serde_conv!macro now acceps outer attributes before the optional visibility modifier.This allow adding doc comments in the shape of
#[doc = "..."]or any other attributes, such as lint modifiers.Add support for
hashbrownv0.16 (#877)This extends the existing support for
hashbrownv0.14 and v0.15 to the newly released version.Changed
tomldev-dependency.v3.14.1: serde_with v3.14.1Compare Source
Fixed
Since macros are used to generate trait implementations, this is useful to understand the exact generated code.
v3.14.0: serde_with v3.14.0Compare Source
Added
Range,RangeFrom,RangeTo,RangeInclusive(#851)RangeToInclusiveis currently unsupported by serde.schemarsimplementations forBound,Range,RangeFrom,RangeTo,RangeInclusive.schemarsv1 under theschemars_1feature flagv3.13.0: serde_with v3.13.0Compare Source
Added
schemarsv0.9.0 under theschemars_0_9feature flag by @swlynch99 (#849)SerializeDisplayAltderive macro (#833)An alternative to the
SerializeDisplaymacro except instead of using theplain formatting like
format!("{}", ...), it serializes with theFormatter::alternateflag set to true, likeformat!("{:#}", ...)Changed
serde_with::rust::unwrap_or_skipto support deserializing references by @beroal (#832)jsonschemadev-dependency.serde_convavailable without thestdfeature by @arilou (#839)schemarsv0.9.0 by @swlynch99 (#849)Fixed
DurationSecondstypes and other variants more accessible even withoutstd(#845)v3.12.0: serde_with v3.12.0Compare Source
Added
with_suffix!macro, which puts a suffix on every struct field by @fgardt (#381/#797)Changed
Cargo.tomlfiles by @nyurik (#803)Fixed
v3.11.0: serde_with v3.11.0Compare Source
Added
Add support for
hashbrownv0.15 (#787/#790)This extends the existing support for
hashbrownv0.14 to the newly released version.v3.10.0: serde_with v3.10.0Compare Source
Added
Add newline separator by @jayvdb (#777)
The
UnixLineSeparatorandDosLineSeparatorcan be used together withStringWithSeparator.Fixed
Proper handling of
cfg_attrin theserde_asmacro by @sivizius (#782)This allows to parse more valid forms of the
cfg_attrmacro, including multiple values and attribute that do not follow thekey = valueschema.v3.9.0: serde_with v3.9.0Compare Source
Added
Deserialize a map` and skip all elements failing to deserialize by @johnmave126 (#763)
MapSkipErroracts like a map (HashMap/BTreeMap), but keys or values that fail to deserialize, like are ignored.For formats with heterogeneously typed maps, we can collect only the elements where both key and value are deserializable.
This is also useful in conjunction to
#[serde(flatten)]to ignore some entries when capturing additional fields.v3.8.3: serde_with v3.8.3Compare Source
Fixed
schemars_0_8is used with thepreserve_orderfeatures (#762)v3.8.2: serde_with v3.8.2Compare Source
Changed
timedependency.The
timeversion needed to be updated for nightly compatibility.Fixed
JsonSchemaAsforOneOrManyinstead ofJsonSchemaby @swlynch99 (#760)v3.8.1: serde_with v3.8.1Compare Source
Fixed
schemars(deserialize_with = "...")annotations, asschemarsdoes not support them (#735)Thanks to @sivizius for reporting the issue.
v3.8.0: serde_with v3.8.0Compare Source
Added
JsonSchemaAsforPickFirstby @swlynch99 (#721)Changed
base64dependency to v0.22 (#724)Fixed
serde_convregressed and triggeredclippy::ptr_argand add test to prevent future problems. (#731)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.