fix security vulnerability RUSTSEC-2024-0421 (#138)
[RUSTSEC-2024-0421][] reports a vulnerability in the crate idna which is a dependency of a dependency of the mongodb rust driver. Specifically it interprets non-ASCII characters in domain names.

[RUSTSEC-2024-0421]: https://rustsec.org/advisories/RUSTSEC-2024-0421

This change updates `Cargo.lock` to update two direct dependencies of the mongodb driver, hickory-proto and hickory-resolver, from v0.24.1 to v0.24.2. That in turn updates the dependency on idna from v0.4 to v1.0.0, which is not affected by RUSTSEC-2024-0421. There are also a couple of small documentation updates here that are not relevant to the security fix, but that I want to get in. Those changes switch from a deprecated form of the `nix flake` command to the newer syntax.

MongoDB has [an upstream fix](mongodb/mongo-rust-driver@31ae5a2) for the driver which makes the same change: bumping the hickory dependencies to v0.24.2. That fix was made this morning, and is not available in the latest driver release which as of this writing is v3.1.0.

The vulnerability allows an attacker to craft a domain name that older versions of idna interpret as identical to a legitimate domain name, but that is in fact a different name. I think this does not impact the MongoDB connector since it uses the affected library exclusively to connect to MongoDB databases, and database URLs are supplied by trusted administrators. But best to get the fix anyway.
hallettj authored Dec 10, 2024
1 parent b95da18 commit 25c870d
Showing 4 changed files with 27 additions and 19 deletions.
18 changes: 18 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,24 @@ This changelog documents the changes between release versions.

## [Unreleased]

### Fixed

- Upgrade dependencies to get fix for RUSTSEC-2024-0421, a vulnerability in domain name comparisons ([#138](https://github.com/hasura/ndc-mongodb/pull/138))

#### Fix for RUSTSEC-2024-0421 / CVE-2024-12224

Updates dependencies to upgrade the library, idna, to get a version that is not
affected by a vulnerability reported in [RUSTSEC-2024-0421][].

[RUSTSEC-2024-0421]: https://rustsec.org/advisories/RUSTSEC-2024-0421

The vulnerability allows an attacker to craft a domain name that older versions
of idna interpret as identical to a legitimate domain name, but that is in fact
a different name. We do not expect that this impacts the MongoDB connector since
it uses the affected library exclusively to connect to MongoDB databases, and
database URLs are supplied by trusted administrators. But better to be safe than
sorry.

## [1.5.0] - 2024-12-05

### Added
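Review bot: the new `### Fixed` entry never says which crates or versions changed, so a reader of the changelog cannot tell whether their build picked up the fix. The commit message has the specifics (hickory-proto and hickory-resolver from v0.24.1 to v0.24.2, which moves idna from v0.4 to v1.0.0); a bullet such as `- Upgrade hickory-proto and hickory-resolver to v0.24.2 so that idna is at v1.0.0, which is not affected by RUSTSEC-2024-0421 / CVE-2024-12224 (#138)` would let users confirm it themselves with `cargo tree -i idna`. Smaller point: the bullet and the `#### Fix for RUSTSEC-2024-0421 / CVE-2024-12224` subsection say the same thing twice, and the CVE id appears only in the heading; folding the impact paragraph into the bullet, with both identifiers, keeps the entry in one place.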
22 changes: 6 additions & 16 deletions Cargo.lock

Some generated files are not rendered by default.
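Review bot: the Cargo.lock diff is collapsed on this page, so the bump the commit message describes (hickory-proto and hickory-resolver to v0.24.2, idna to v1.0.0) cannot be confirmed from what is shown here; before merging, check it with `cargo tree -i idna` (no `idna` entry below 1.0.0 should remain) and with `cargo audit` (RUSTSEC-2024-0421 should no longer be reported), and consider pasting that output into the PR so the verification is on record.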

4 changes: 2 additions & 2 deletions docs/development.md
Expand Up @@ -305,7 +305,7 @@ It's important to keep the GraphQL Engine version updated to make sure that the
connector is working with the latest engine version. To update run,

```sh
$ nix flake lock --update-input graphql-engine-source
$ nix flake update graphql-engine-source
```

Then commit the changes to `flake.lock` to version control.
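Review bot: `nix flake update graphql-engine-source` with a positional input name needs Nix 2.19 or newer, the release that deprecated `nix flake lock --update-input`; on older Nix the argument is read as a flake reference rather than an input name, so the documented command does not do what this paragraph says. Since this is the development guide, state the minimum Nix version next to the command, or keep the old form alongside it as a fallback for older installs.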
Expand All @@ -332,7 +332,7 @@ any order):
To update `rust-overlay` run,

```sh
$ nix flake lock --update-input rust-overlay
$ nix flake update rust-overlay
```

If you are using direnv to automatically apply the nix dev environment note that
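Review bot: style point on the `rust-overlay` command: the `$ ` prompt inside the `sh` fence means the line cannot be pasted verbatim into a shell. Since this hunk rewrites the line anyway, dropping the prompt (`nix flake update rust-overlay`) makes the update commands copy-paste safe.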
2 changes: 1 addition & 1 deletion flake.nix
Expand Up @@ -46,7 +46,7 @@
# If source changes aren't picked up automatically try:
#
# - committing changes to the local engine repo
# - running `nix flake lock --update-input graphql-engine-source` in this repo
# - running `nix flake update graphql-engine-source` in this repo
# - arion up -d engine
#
graphql-engine-source = {
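Review bot: comment-only change, consistent with the development guide; no functional effect on the flake. One nit in the same comment block: the `nix flake update graphql-engine-source` command is in backticks while `arion up -d engine` on the next bullet is not; quoting both the same way makes it clearer that each bullet is a command to run.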

0 comments on commit 25c870d
