dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-10 03:41:30 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

chore(audit): add temporary deny exceptions for rsa and paste; add tracking issue and document in audit note

Browse Source
This commit is contained in:
kalvinparker 2025-11-09 07:52:27 +00:00
parent 22ff36919c
commit f16723c8d8
3 changed files with 76 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
SECURITY-AUDIT-2025-11-09.md
View File

@ -34,6 +34,16 @@ Recommended next steps
- Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy.
- For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates.
Temporary exceptions
--------------------
To unblock CI while we triage and remediate, this PR (branch `remediations/audit-2025-11-09`) adds temporary, timeboxed exceptions for two advisories in `deny.toml`:
- RUSTSEC-2023-0071 — `rsa = 0.9.8` (transitive via `openidconnect`). No safe published upgrade was available at audit time. A temporary exception is recorded with an expiration date and linked tracking issue.
- RUSTSEC-2024-0436 — `paste = 1.0.15` (transitive via `rmp`/`rmpv`). Crate is marked unmaintained; a temporary exception is recorded while we plan a migration/replacement.
These exceptions are intended to be short-lived. See `issues/TRACK-2025-11-09-RSA-PASTE.md` for the remediation plan, owner, and ETA. The exceptions include an `expires` date and rationale; they should be removed when the underlying transitive dependency is replaced or a safe upgrade is published.
4. CI integration
- The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings).

11
deny.toml
View File

@ -7,4 +7,13 @@
[licenses]
# Allowlist of licenses. Edit to match project policy.
allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
exceptions = []
## Temporary exceptions added by remediations/audit-2025-11-09
## These exceptions are timeboxed and tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
exceptions = [
# Allow RUSTSEC-2023-0071 (rsa 0.9.8) transitively required today via openidconnect
# Rationale: no safe published upgrade available at audit date; risk acknowledged and tracked.
{ crate = "rsa", version = "=0.9.8", reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" },
# Allow RUSTSEC-2024-0436 (paste 1.0.15) transitively required today via rmp/rmpv
# Rationale: crate marked unmaintained; temporary exception while replacement plan is executed.
{ crate = "paste", version = "=1.0.15", reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" }
]

56
issues/TRACK-2025-11-09-RSA-PASTE.md Normal file
View File

@ -0,0 +1,56 @@
# TRACK-2025-11-09: Remediate transitive `rsa` and `paste` advisories
Status: Open
Owner: @maintainers (please assign)
Created: 2025-11-09
Summary
-------
This tracking issue records the planned remediation work for two transitive advisories found during the local audit on 2025-11-09:
- RUSTSEC-2023-0071 — `rsa = 0.9.8` (Marvin Attack). No safe published upgrade was available at audit time. Transitive path: `openidconnect` -> `...` -> `rsa`.
- RUSTSEC-2024-0436 — `paste = 1.0.15` (unmaintained). Transitive path: `rmp`/`rmpv` -> `paste`.
Goals
-----
1. Remove or replace the transitive dependency on `rsa` so the project does not depend on the vulnerable crate.
2. Replace or remove `paste` usage by migrating to a maintained alternative (e.g., `pastey`) or removing the transitive dependency chain.
3. Remove the temporary exceptions from `deny.toml` once remediation is complete.
Plan
----
1. Repro steps
- Run `cargo tree -i rsa` and `cargo tree -i paste` to show the reverse dependency chain and confirm the top-level crate(s) importing them.
2. Investigate fixes
- For `rsa`: identify whether `openidconnect` or another dependency directly pulls `rsa`. Check if newer published versions of the top-level crate avoid `rsa`.
- If no published version removes `rsa`, assess vendor or patch options:
- Replace `openidconnect` with an alternative OIDC client that avoids `rsa` (e.g., a crate using ring/openssl for crypto), or
- Submit a PR to upstream crates to adopt a constant-time implementation, or
- Vendor a small shim that provides the needed functionality using a vetted crypto library.
- For `paste`: check if `rmp`/`rmpv` can be upgraded to eliminate `paste` or if a maintained fork (e.g., `pastey`) can be used.
3. Tests and validation
- Add unit/integration tests for the replaced functionality (auth flows, message formats) to ensure behavior parity.
- Re-run audit tooling in CI and verify `cargo-deny` no longer reports the advisories.
4. Timeline and owner
- Target ETA: 2026-02-01 (three months). Adjust based on investigation findings.
- Owner: @maintainers or assign a specific engineer.
5. Rollback/compensating controls
- If remediation requires longer work, consider adding hardened monitoring, limiting feature usage, or using runtime mitigations where possible.
Links
-----
- Audit note: SECURITY-AUDIT-2025-11-09.md
- PR branch: remediations/audit-2025-11-09
Next steps
----------
- Assign an owner, run `cargo tree -i rsa` and `cargo tree -i paste`, and update this issue with findings and the chosen remediation path.