Skip to content

Commit

Permalink
Silence RUSTSEC-2024-0421
Browse files Browse the repository at this point in the history
  • Loading branch information
MarkusPettersson98 committed Dec 9, 2024
1 parent 3232f1b commit 531610d
Show file tree
Hide file tree
Showing 4 changed files with 37 additions and 0 deletions.
6 changes: 6 additions & 0 deletions deny.toml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,12 @@ yanked = "deny"
ignore = [
# Ignored audit issues. This list should be kept short, and effort should be
# put into removing items from the list.

# RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
# `hickory-proto 0.24.1` uses `idna 0.4`
# `url 2.5` uses `idna 0.5.0`
# `shadowsocks 1.20.3` uses `url 2.5`
"RUSTSEC-2024-0421",
]


Expand Down
13 changes: 13 additions & 0 deletions osv-scanner.toml
Original file line number Diff line number Diff line change
Expand Up @@ -67,3 +67,16 @@
# effectiveUntil = 2024-11-02
# reason = "The XML payload is generated by Apple tooling which we trust"
# ```

# idna accepts Punycode labels that do not produce any non-ASCII when decoded
[[IgnoredVulns]]
id = "RUSTSEC-2024-0421"
ignoreUntil = 2025-03-09
reason = """
There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
- https://github.com/hickory-dns/hickory-dns/issues/2206
- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
"""
5 changes: 5 additions & 0 deletions test/deny.toml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,11 @@ ignore = [
# RUSTSEC-2024-0384 - `instant` is unmaintained.
# `ssh2 0.9.4` uses `instant`.
"RUSTSEC-2024-0384",
# RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
# `hickory-proto 0.24.1` uses `idna 0.4`
# `url 2.5` uses `idna 0.5.0`
# `shadowsocks 1.20.3` uses `url 2.5`
"RUSTSEC-2024-0421",
]


Expand Down
13 changes: 13 additions & 0 deletions test/osv-scanner.toml
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,16 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl
version of `parking_lot`, preventing us from upgrading to a fixed version. This ignore can be removed when
https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved.
"""

# idna accepts Punycode labels that do not produce any non-ASCII when decoded
[[IgnoredVulns]]
id = "RUSTSEC-2024-0421"
ignoreUntil = 2025-03-09
reason = """
There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
- https://github.com/hickory-dns/hickory-dns/issues/2206
- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
"""

0 comments on commit 531610d

Please sign in to comment.