Security Sweep
Closed this issue · 2 comments
import-pandas-as-numpy commented
- Sanity check that the client cannot operate on endpoints with bad/revoked creds. (I did this through curl but didn't check revoked.)
- Check directory traversal from a passed in package archive.
- Check decompression bomb (zip/gzip) from a passed in package archive.
- Quick check to make sure we're not missing anything glaring CVE-wise on stdlib or our deps. CVEs tentatively look good (the last one was in 2022 against base Rust-lang).
I'll review this for anything else that doesn't pass a simple smell test, but I'm hanging on the Rustaceans to give me the warm fuzzies.
Robin5605 commented
- I've confirmed that clients cannot operate with expired tokens
- The Rust crate we use for zipfiles has protections in place for directory traversal attacks (either way, the client never interacts with the file system, so I don't suspect this is a problem regardless)
- Unable to test compression bombs, since it's difficult to find any online for testing purposes that aren't password-protected.
- We should probably get https://github.com/vipyrsec/dragonfly-client-rs/security/dependabot/1 fixed
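For the two archive checks on the list above (traversal via entry names, and decompression bombs), here is an added, self-contained Rust example; it is not code from dragonfly-client-rs or from the thread's authors. It uses only the standard library: `safe_entry_path` normalises an entry name and rejects anything that could escape an extraction root, and `Bounded` is a `Read` adapter that caps the number of *decompressed* bytes a caller will accept, independent of which codec produces them. In a real client you would wrap the decompressing reader (for instance the zip crate's `ZipFile`, which implements `Read`) in `Bounded` rather than trusting the uncompressed size declared in the archive headers, since those fields are attacker-controlled. The entry names and the `io::repeat` stream in `main` are constructed stand-ins for data read from an archive; `io::repeat` plays the role of a decompressor that never stops emitting output.

```rust
use std::io::{self, Read};
use std::path::{Component, Path, PathBuf};

/// Normalise an archive entry name into a relative path that cannot escape
/// the extraction root. Returns None for anything that must be rejected:
/// absolute paths, `..` components, Windows drive/UNC prefixes, backslashes,
/// NUL bytes, and names that normalise to nothing (e.g. "" or ".").
pub fn safe_entry_path(name: &str) -> Option<PathBuf> {
    // Zip names should use '/', but attacker-controlled archives may use '\'.
    // Reject rather than translate: "..\\x" must not slip past a '/'-only check.
    if name.is_empty() || name.contains('\\') || name.contains('\0') {
        return None;
    }
    // On Unix hosts "C:evil" is a single Normal component; reject drive-like
    // first components explicitly so behaviour matches on Windows builds.
    let b = name.as_bytes();
    if b.get(1) == Some(&b':') && b[0].is_ascii_alphabetic() {
        return None;
    }
    let mut out = PathBuf::new();
    for comp in Path::new(name).components() {
        match comp {
            Component::Normal(c) => out.push(c),
            Component::CurDir => {}
            // Do not normalise "a/../b" away; a parent component is a red flag.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    if out.as_os_str().is_empty() { None } else { Some(out) }
}

/// A `Read` adapter that fails with `InvalidData` once the inner reader has
/// produced more than `limit` bytes. The cap applies to output bytes, so it
/// guards against a small compressed input expanding without bound.
pub struct Bounded<R> {
    inner: R,
    remaining: u64,
}

impl<R: Read> Bounded<R> {
    pub fn new(inner: R, limit: u64) -> Self {
        Bounded { inner, remaining: limit }
    }
}

impl<R: Read> Read for Bounded<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if buf.is_empty() {
            return Ok(0);
        }
        if self.remaining == 0 {
            // Budget exhausted: distinguish "exactly at the limit" from "bomb"
            // by probing the inner reader for one more byte.
            let mut probe = [0u8; 1];
            return match self.inner.read(&mut probe)? {
                0 => Ok(0),
                _ => Err(io::Error::new(
                    io::ErrorKind::InvalidData,
                    "decompressed output exceeds limit",
                )),
            };
        }
        let want = buf.len().min(usize::try_from(self.remaining).unwrap_or(usize::MAX));
        let n = self.inner.read(&mut buf[..want])?;
        self.remaining -= n as u64;
        Ok(n)
    }
}

/// Read an entire entry into memory with a hard cap on its decompressed size.
pub fn read_entry_bounded<R: Read>(entry: R, limit: u64) -> io::Result<Vec<u8>> {
    let mut out = Vec::new();
    Bounded::new(entry, limit).read_to_end(&mut out)?;
    Ok(out)
}

fn main() {
    // Constructed entry names standing in for names read from an archive.
    let names = ["pkg/setup.py", "../../etc/cron.d/evil", "/etc/passwd", "C:\\Windows\\evil.dll"];
    for name in names {
        match safe_entry_path(name) {
            Some(p) => println!("accept {:?} -> {}", name, p.display()),
            None => println!("reject {:?}", name),
        }
    }
    // io::repeat stands in for a decompressor that never stops emitting bytes.
    match read_entry_bounded(io::repeat(0), 1 << 20) {
        Ok(bytes) => println!("read {} bytes", bytes.len()),
        Err(e) => println!("entry rejected: {}", e),
    }
}
```

The probe in `Bounded::read` is what lets an entry that is exactly at the limit succeed while an entry that is one byte over fails; without it the caller would silently receive a truncated file and never learn that the cap was hit. The cap itself is a policy choice per archive kind, not a property of the format; pick it from the largest legitimate artifact you expect to handle.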
Robin5605 commented
https://github.com/vipyrsec/dragonfly-client-rs/security/dependabot/1 has been fixed in #54