topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

chore(audit): add temporary deny exceptions for rsa and paste; add tracking issue and document in audit note

pull/6727/head
kalvinparker 3 months ago
parent
22ff36919c
commit
f16723c8d8
3 changed files with 76 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      SECURITY-AUDIT-2025-11-09.md
  2. 11
      deny.toml
  3. 56
      issues/TRACK-2025-11-09-RSA-PASTE.md

10
SECURITY-AUDIT-2025-11-09.md
View File

@ -34,6 +34,16 @@ Recommended next steps
- Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy.
- For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates.
Temporary exceptions
--------------------
To unblock CI while we triage and remediate, this PR (branch `remediations/audit-2025-11-09`) adds temporary, timeboxed exceptions for two advisories in `deny.toml`:
- RUSTSEC-2023-0071 — `rsa = 0.9.8` (transitive via `openidconnect`). No safe published upgrade was available at audit time. A temporary exception is recorded with an expiration date and linked tracking issue.
- RUSTSEC-2024-0436 — `paste = 1.0.15` (transitive via `rmp`/`rmpv`). Crate is marked unmaintained; a temporary exception is recorded while we plan a migration/replacement.
These exceptions are intended to be short-lived. See `issues/TRACK-2025-11-09-RSA-PASTE.md` for the remediation plan, owner, and ETA. The exceptions include an `expires` date and rationale; they should be removed when the underlying transitive dependency is replaced or a safe upgrade is published.
4. CI integration
- The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings).

11
deny.toml
View File

@ -7,4 +7,13 @@
[licenses]
# Allowlist of licenses. Edit to match project policy.
allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
exceptions = []
## Temporary exceptions added by remediations/audit-2025-11-09
## These exceptions are timeboxed and tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
exceptions = [
# Allow RUSTSEC-2023-0071 (rsa 0.9.8) transitively required today via openidconnect
# Rationale: no safe published upgrade available at audit date; risk acknowledged and tracked.
{ crate = "rsa", version = "=0.9.8", reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" },
# Allow RUSTSEC-2024-0436 (paste 1.0.15) transitively required today via rmp/rmpv
# Rationale: crate marked unmaintained; temporary exception while replacement plan is executed.
{ crate = "paste", version = "=1.0.15", reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" }
]

56
issues/TRACK-2025-11-09-RSA-PASTE.md
View File

@ -0,0 +1,56 @@
# TRACK-2025-11-09: Remediate transitive `rsa` and `paste` advisories
Status: Open
Owner: @maintainers (please assign)
Created: 2025-11-09
Summary
-------
This tracking issue records the planned remediation work for two transitive advisories found during the local audit on 2025-11-09:
- RUSTSEC-2023-0071 — `rsa = 0.9.8` (Marvin Attack). No safe published upgrade was available at audit time. Transitive path: `openidconnect` -> `...` -> `rsa`.
- RUSTSEC-2024-0436 — `paste = 1.0.15` (unmaintained). Transitive path: `rmp`/`rmpv` -> `paste`.
Goals
-----
1. Remove or replace the transitive dependency on `rsa` so the project does not depend on the vulnerable crate.
2. Replace or remove `paste` usage by migrating to a maintained alternative (e.g., `pastey`) or removing the transitive dependency chain.
3. Remove the temporary exceptions from `deny.toml` once remediation is complete.
Plan
----
1. Repro steps
- Run `cargo tree -i rsa` and `cargo tree -i paste` to show the reverse dependency chain and confirm the top-level crate(s) importing them.
2. Investigate fixes
- For `rsa`: identify whether `openidconnect` or another dependency directly pulls `rsa`. Check if newer published versions of the top-level crate avoid `rsa`.
- If no published version removes `rsa`, assess vendor or patch options:
- Replace `openidconnect` with an alternative OIDC client that avoids `rsa` (e.g., a crate using ring/openssl for crypto), or
- Submit a PR to upstream crates to adopt a constant-time implementation, or
- Vendor a small shim that provides the needed functionality using a vetted crypto library.
- For `paste`: check if `rmp`/`rmpv` can be upgraded to eliminate `paste` or if a maintained fork (e.g., `pastey`) can be used.
3. Tests and validation
- Add unit/integration tests for the replaced functionality (auth flows, message formats) to ensure behavior parity.
- Re-run audit tooling in CI and verify `cargo-deny` no longer reports the advisories.
4. Timeline and owner
- Target ETA: 2026-02-01 (three months). Adjust based on investigation findings.
- Owner: @maintainers or assign a specific engineer.
5. Rollback/compensating controls
- If remediation requires longer work, consider adding hardened monitoring, limiting feature usage, or using runtime mitigations where possible.
Links
-----
- Audit note: SECURITY-AUDIT-2025-11-09.md
- PR branch: remediations/audit-2025-11-09
Next steps
----------
- Assign an owner, run `cargo tree -i rsa` and `cargo tree -i paste`, and update this issue with findings and the chosen remediation path.
Write Preview
Loading…
Cancel
Save