Cargo audit vuln ignored: RUSTSEC-2020-0043 #1669

Closed
paulhauner opened this issue Sep 26, 2020 · 4 comments
Labels
A1 infra-ci low-hanging-fruit Easy to resolve, get it before someone else does! security

Comments

@paulhauner (Member) commented Sep 26, 2020

Description

In #1670 I am going to add --ignore RUSTSEC-2020-0043 here:

cargo audit

So we can suppress this error which prevents CI from passing:

ID:       RUSTSEC-2020-0043
Crate:    ws
Version:  0.9.1
Date:     2020-09-25
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0043
Title:    Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory
Solution:  No safe upgrade is available!
Dependency tree:
ws 0.9.1
└── websocket_server 0.2.0
    ├── client 0.2.0
    │   └── beacon_node 0.2.11
    │       ├── node_test_rig 0.2.0
    │       │   ├── simulator 0.2.0
    │       │   ├── rest_api 0.2.0
    │       │   │   └── client 0.2.0
    │       │   └── beacon_node 0.2.11
    │       ├── lighthouse 0.2.11
    │       └── boot_node 0.2.11
    │           └── lighthouse 0.2.11
    └── beacon_chain 0.2.0
        ├── timer 0.2.0
        │   └── client 0.2.0
        ├── rest_types 0.2.0
        │   ├── validator_client 0.2.11
        │   │   ├── simulator 0.2.0
        │   │   ├── node_test_rig 0.2.0
        │   │   └── lighthouse 0.2.11
        │   ├── rest_api 0.2.0
        │   ├── remote_beacon_node 0.2.0
        │   │   ├── validator_client 0.2.11
        │   │   ├── rest_api 0.2.0
        │   │   └── node_test_rig 0.2.0
        │   └── network 0.2.0
        │       ├── rest_api 0.2.0
        │       └── client 0.2.0
        ├── rest_api 0.2.0
        ├── network 0.2.0
        ├── fork_choice 0.1.0
        │   └── beacon_chain 0.2.0
        ├── client 0.2.0
        └── beacon_node 0.2.11

I have suppressed this error since there is no safe upgrade available (according to the above message). Once ws cuts a new release, we should update ASAP.

Interestingly, #1434 will likely remove this dep.

bors bot pushed a commit that referenced this issue Sep 26, 2020
## Issue Addressed

Resolves #1651

## Description

This supersedes #1658. Great work was done by @pawanjay176, I just needed to make a change whilst he is away.

See #1658 for a description, prior reviews and approval by @michaelsproul.

## Additional info

Ignores a rustsec advisory. This is tracked in #1669.


Co-authored-by: pawan <pawandhananjay@gmail.com>
bors bot pushed a commit that referenced this issue Sep 27, 2020
## Issue Addressed

NA

## Proposed Changes

There are four new conditions introduced in v0.12.3:

1. _[REJECT]_ The attestation's epoch matches its target -- i.e. `attestation.data.target.epoch == compute_epoch_at_slot(attestation.data.slot)`
2. _[REJECT]_ The attestation's target block is an ancestor of the block named in the LMD vote -- i.e. `get_ancestor(store, attestation.data.beacon_block_root, compute_start_slot_at_epoch(attestation.data.target.epoch)) == attestation.data.target.root`
3. _[REJECT]_ The committee index is within the expected range -- i.e. `data.index < get_committee_count_per_slot(state, data.target.epoch)`.
4. _[REJECT]_ The number of aggregation bits matches the committee size -- i.e. `len(attestation.aggregation_bits) == len(get_beacon_committee(state, data.slot, data.index))`.

This PR implements new logic to suit (1) and (2). Tests are added for (3) and (4), although they were already implicitly enforced.

## Additional Info

- There's a bit of edge-case with target root verification that I raised here: ethereum/consensus-specs#2001 (comment)
- I've had to add an `--ignore` to `cargo audit` to get CI to pass. See #1669
@paulhauner (Member, Author) commented:

I'm pushing this back to A1 since it's for the websocket server which is no longer documented and planned for deprecation.

@paulhauner paulhauner added A1 and removed A0 labels Oct 3, 2020
@paulhauner paulhauner added A0 and removed A1 labels Nov 8, 2020
@paulhauner (Member, Author) commented:

This should disappear when @realbigsean removes the websocket server.

@paulhauner paulhauner added A1 and removed A0 labels Nov 16, 2020
@paulhauner (Member, Author) commented:

PR to remove webserver is here: #1920

@paulhauner (Member, Author) commented:

#1920 has removed this dep, but the ignore still exists in the Makefile:

https://github.com/realbigsean/lighthouse/blob/6574288a4d586aa899f31fc47b71868030afeb8a/Makefile#L143

To close this issue, all we need to do is wait for #1920 to merge, make a PR that removes the ignore in the previous line then wait for CI to pass.
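An added example, not Lighthouse code and not from any commenter, covering both the `--ignore` the first comment adds to the `cargo audit` invocation and the stale-ignore situation this comment describes: a stand-alone Rust program that records which crate each ignored advisory was filed against, builds the audit command line, and flags any ignore whose crate no longer appears in Cargo.lock (the exact state after #1920, where the `ws` dependency is gone but `--ignore RUSTSEC-2020-0043` is still in the Makefile). The `Ignore` bookkeeping, the minimal `crates_in_lockfile` scan and the two trimmed Cargo.lock excerpts are assumptions constructed for the example; `cargo audit --ignore` itself only takes the advisory ID.

```rust
use std::collections::BTreeSet;

/// One `--ignore` entry, plus the crate the advisory was filed against.
/// Recording the crate is an assumption made here for bookkeeping:
/// `cargo audit --ignore` only takes the advisory ID.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Ignore {
    pub advisory: &'static str,
    pub crate_name: &'static str,
}

/// The ignore added in #1670: RUSTSEC-2020-0043, filed against the `ws` crate.
pub const IGNORES: &[Ignore] = &[Ignore { advisory: "RUSTSEC-2020-0043", crate_name: "ws" }];

/// Build the argv CI would run, e.g. `cargo audit --ignore RUSTSEC-2020-0043`.
pub fn audit_command(ignores: &[Ignore]) -> Vec<String> {
    let mut argv = vec!["cargo".to_string(), "audit".to_string()];
    for i in ignores {
        argv.push("--ignore".to_string());
        argv.push(i.advisory.to_string());
    }
    argv
}

/// Collect the crate names declared in `[[package]]` tables of a Cargo.lock.
/// A minimal line-oriented scan, not a full TOML parser: it reads `name = "..."`
/// inside `[[package]]` and ignores every other key and table.
pub fn crates_in_lockfile(lock: &str) -> BTreeSet<String> {
    let mut crates = BTreeSet::new();
    let mut in_package = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            in_package = true;
        } else if line.starts_with('[') {
            // Any other table header ([metadata], ...) ends the package block.
            in_package = false;
        } else if in_package {
            if let Some(rest) = line.strip_prefix("name") {
                if let Some(value) = rest.trim_start().strip_prefix('=') {
                    crates.insert(value.trim().trim_matches('"').to_string());
                }
            }
        }
    }
    crates
}

/// Ignores whose crate is no longer in the lock file. The advisory can no
/// longer fire, so the `--ignore` is dead weight that would silently mask the
/// advisory if the crate were ever pulled back in.
pub fn stale_ignores<'a>(ignores: &'a [Ignore], lock: &str) -> Vec<&'a Ignore> {
    let present = crates_in_lockfile(lock);
    ignores.iter().filter(|i| !present.contains(i.crate_name)).collect()
}

/// Constructed, heavily trimmed Cargo.lock excerpt from before the websocket
/// server was removed: `ws` is still pulled in via `websocket_server`.
pub const LOCK_BEFORE: &str = r#"
[[package]]
name = "websocket_server"
version = "0.2.0"
dependencies = [
 "ws",
]

[[package]]
name = "ws"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[metadata]
"#;

/// Constructed excerpt from after the removal: neither crate remains.
pub const LOCK_AFTER: &str = r#"
[[package]]
name = "beacon_node"
version = "0.2.11"

[metadata]
"#;

fn main() {
    println!("{}", audit_command(IGNORES).join(" "));
    for lock in [LOCK_BEFORE, LOCK_AFTER].iter() {
        let stale = stale_ignores(IGNORES, lock);
        if stale.is_empty() {
            println!("all ignores still apply");
        } else {
            for i in stale {
                println!("stale ignore: {} ({} is gone from Cargo.lock)", i.advisory, i.crate_name);
            }
        }
    }
}
```

Run against the pre-#1920 excerpt the check is quiet; against the post-#1920 excerpt it reports RUSTSEC-2020-0043 as stale, which is the signal that the `--ignore` should come out of the Makefile. Making such a check fail CI is the cheap way to keep advisory ignores from outliving the dependency they were added for.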

@paulhauner paulhauner added the low-hanging-fruit Easy to resolve, get it before someone else does! label Dec 4, 2020
bors bot pushed a commit that referenced this issue Dec 4, 2020
## Issue Addressed

Resolves #1434 (this is the last major feature in the standard spec. There are only a couple of places we may be off-spec due to recent spec changes or ongoing discussion)
Partly addresses #1669
 
## Proposed Changes

- remove the websocket server
- remove the `TeeEventHandler` and `NullEventHandler` 
- add server sent events according to the eth2 API spec

## Additional Info

This is according to the currently unmerged PR here: ethereum/beacon-APIs#117


Co-authored-by: realbigsean <seananderson33@gmail.com>