
Commit 07d584a

fix(security): resolve dependency vulns and fix container exec tenant isolation
Dependency updates:
- Bump tar 0.4 → 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068: symlink follow + PAX header)
- Update aws-lc-rs → 1.16.2 / aws-lc-sys → 0.39.1 (RUSTSEC-2026-0044: X.509 bypass)
- Update rustls-webpki → 0.103.10 (RUSTSEC-2026-0049: CRL matching)
- Update rkyv → 0.7.46 (RUSTSEC-2026-0001: undefined behavior on OOM)
- Update rustls → 0.23.37

Code fixes:
- container_exec: validate container belongs to project/environment before exec, preventing cross-tenant container access (HIGH severity)
- FilesystemStorage: add path traversal protection to resolve_path(), rejecting keys with ".." components (MEDIUM severity)

Remaining unfixable vulns documented in Cargo.toml comments.
1 parent 4983a00 commit 07d584a
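The commit message describes the second code fix only as "rejecting keys with `..` components". Below is an added example of how such a `resolve_path()` guard can be written in Rust; it is not the project's code, and the `StorageError` type, the `root` parameter and the function signature are assumptions made for the illustration. It goes one step beyond `..`: a leading `/` and a Windows drive or UNC prefix are refused as well, since a key with either of those also leaves the storage root.

```rust
use std::path::{Component, Path, PathBuf};

/// Errors a storage key can produce when mapped onto the filesystem.
/// (Hypothetical type for this example, not the project's own.)
#[derive(Debug, PartialEq)]
pub enum StorageError {
    /// Key was empty or resolved to the root directory itself.
    EmptyKey,
    /// Key contained a component that can escape the storage root:
    /// `..`, a leading `/`, or a Windows drive / UNC prefix.
    Traversal(String),
}

/// Map a storage key onto a path under `root`.
///
/// The key is walked component by component: `Normal` components are
/// appended, `.` is dropped as a no-op, and anything else (`..`, a root
/// separator, a Windows prefix) rejects the whole key. Because the path is
/// built by appending only normal components to `root`, the result can
/// never lexically point outside `root`.
pub fn resolve_path(root: &Path, key: &str) -> Result<PathBuf, StorageError> {
    if key.is_empty() {
        return Err(StorageError::EmptyKey);
    }
    let mut out = root.to_path_buf();
    for component in Path::new(key).components() {
        match component {
            Component::Normal(part) => out.push(part),
            // `components()` only yields `.` at the start of a path;
            // interior `./` segments are already normalized away.
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(StorageError::Traversal(key.to_string()));
            }
        }
    }
    if out.as_path() == root {
        // Key was only `.` components: it names the root, not an object.
        return Err(StorageError::EmptyKey);
    }
    Ok(out)
}

fn main() {
    // Constructed sample keys: one legitimate, three traversal attempts.
    let root = Path::new("/var/lib/app/storage");
    for key in ["projects/42/blob.bin", "./a/../../etc/passwd", "/etc/passwd", "a/./b"] {
        println!("{key:?} -> {:?}", resolve_path(root, key));
    }
}
```

This check is purely lexical: it guarantees the returned path string lies under `root`, but a symlink already present under `root` can still point elsewhere. If untrusted content can create symlinks in the store (the same class of problem as the tar symlink-follow advisory this commit patches), canonicalize the path after the object exists and verify it still `starts_with(root)`.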

6 files changed, +122 −55 lines changed

Cargo.lock

Lines changed: 40 additions & 40 deletions

Cargo.toml

Lines changed: 10 additions & 1 deletion
@@ -240,7 +240,7 @@ regex = "1.11"
240240
# Compression & Archive
241241
# ============================================================================
242242
flate2 = "1.0"
243-
tar = "0.4"
243+
tar = "0.4.45"
244244
zip = "2.2"
245245
zstd = "0.13"
246246
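Review bot: raising the requirement to `tar = "0.4.45"` records the floor for the one direct dependency, but the other crates this commit moves (aws-lc-rs, aws-lc-sys, rustls-webpki, rkyv, rustls) are only pinned in Cargo.lock, so nothing in Cargo.toml prevents a regenerated lockfile from resolving an older version of them again. Add a `cargo audit` (or `cargo deny check advisories`) step to CI so that any such regression fails the build rather than relying on the lockfile alone. For the record, `"0.4.45"` is a caret requirement and still admits any later 0.4.x, which is the intended behaviour here.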

@@ -318,6 +318,15 @@ opt-level = 2 # Optimize dependencies
318318
# - atty 0.2.14: RESOLVED in Pingora 0.7.0 (upgraded to clap 4.5)
319319
# - idna 0.2.3: RESOLVED by upgrading check-if-email-exists 0.9 → 0.11
320320
# - lru 0.12.5: RESOLVED by upgrading aws-sdk-s3 (new version dropped lru 0.12)
321+
# - aws-lc-sys 0.38.0 (RUSTSEC-2026-0044, RUSTSEC-2026-0048): RESOLVED by cargo update aws-lc-rs → 1.16.2
322+
# - rustls-webpki 0.103.7 (RUSTSEC-2026-0049): RESOLVED by cargo update rustls-webpki → 0.103.10
323+
# - tar 0.4.44 (RUSTSEC-2026-0067, RUSTSEC-2026-0068): RESOLVED by bumping tar to 0.4.45
324+
# - rkyv 0.7.45 (RUSTSEC-2026-0001): RESOLVED by cargo update rkyv → 0.7.46
325+
#
326+
# 5. RUSTSEC-2023-0071: rsa 0.9.10 (MEDIUM severity)
327+
# - Title: Marvin Attack: potential key recovery through timing sidechannels
328+
# - Status: No fixed upgrade available upstream
329+
# - Mitigation: RSA used for SSH key operations only, not exposed to network timing attacks
321330
#
322331
# All remaining items are transitive dependencies from third-party crates that we
323332
# cannot directly patch without forking. Monitoring upstream for updates.
