
Forbid Zero-sized types from deserialization #145

Merged: 4 commits, Jun 6, 2023

Conversation

@iho (Contributor) commented Jun 4, 2023

Resolves RUSTSEC-2023-0033
Resolves #19
Resolves #52

@iho iho requested a review from frol as a code owner June 4, 2023 16:16
@iho iho mentioned this pull request Jun 4, 2023
@frol (Collaborator) left a comment


@iho Thanks for working on it! There are a couple of things:

  • Test needs to be fixed (CI failed due to unused import in the test file)
  • Let's also fail on the serialization of Vec, so there is symmetry and developers could catch errors (unfortunately, it seems there is no way to make the implementation generic over Vec in Rust, so we cannot catch it at compile time) - add/update a test for it as well
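
As an added illustration of the runtime guard this review asks for (example code written here, not borsh's own implementation; the function and error names are hypothetical), a length-prefixed `Vec` codec that rejects zero-sized element types on both the serialization and deserialization side, since generic code can only inspect `size_of::<T>()` at runtime:

```rust
use std::io::{self, Read, Write};
use std::mem::size_of;

/// Hypothetical error constructor used by both directions of the codec.
fn zst_error(stage: &str) -> io::Error {
    let msg = format!("zero-sized element type is not allowed during {}", stage);
    io::Error::new(io::ErrorKind::InvalidData, msg)
}

/// Serialize a slice as a u32 little-endian length prefix followed by each
/// element's bytes. Refusing zero-sized T here gives the symmetry the review
/// asked for: the producer fails at the same point the consumer would.
pub fn serialize_vec<T, W, F>(items: &[T], out: &mut W, write_elem: F) -> io::Result<()>
where
    W: Write,
    F: Fn(&T, &mut W) -> io::Result<()>,
{
    // Generic code cannot branch on size_of::<T>() at compile time, so the check runs here.
    if size_of::<T>() == 0 {
        return Err(zst_error("serialization"));
    }
    if items.len() > u32::MAX as usize {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "length exceeds u32"));
    }
    out.write_all(&(items.len() as u32).to_le_bytes())?;
    for item in items {
        write_elem(item, out)?;
    }
    Ok(())
}

/// Deserialize a length-prefixed vector. A zero-sized element consumes no input
/// bytes, so the element count would be bounded only by the 4-byte prefix rather
/// than by the payload actually supplied; the guard rejects such types up front.
pub fn deserialize_vec<T, R, F>(input: &mut R, read_elem: F) -> io::Result<Vec<T>>
where
    R: Read,
    F: Fn(&mut R) -> io::Result<T>,
{
    if size_of::<T>() == 0 {
        return Err(zst_error("deserialization"));
    }
    let mut prefix = [0u8; 4];
    input.read_exact(&mut prefix)?;
    let len = u32::from_le_bytes(prefix) as usize;
    // Grow as elements actually arrive instead of trusting the prefix for capacity.
    let mut out = Vec::new();
    for _ in 0..len {
        out.push(read_elem(input)?);
    }
    Ok(out)
}
```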

@frol (Collaborator) left a comment


@iho Thanks for the PR!

Review comments (all resolved) on borsh/src/ser/mod.rs (outdated), borsh/src/de/mod.rs (outdated) and borsh/tests/test_zero_size.rs
@frol frol merged commit e880d87 into near:master Jun 6, 2023
@frol frol mentioned this pull request Jun 6, 2023
@maxammann

Great! As soon as a release is published I will make sure that the RustSec advisory is updated.

@paolobarbolini (Contributor)

Looks like a release was made just a few days before this got merged. Are we going to get a new release soon?

@iho (Contributor, Author) commented Aug 7, 2023

@paolobarbolini I guess we will make a release this week when I finish my PR and another one (pretty small).

@frol frol mentioned this pull request Aug 9, 2023
mina86 pushed a commit to mina86/borsh-rs that referenced this pull request Aug 23, 2024
…solve the RUSTSEC-2023-0033 (near#145)

This is a backport of commit e880d87.
frol pushed a commit that referenced this pull request Sep 23, 2024
* feat: Forbid Vectors of Zero-sized types from de-/serialization to resolve the RUSTSEC-2023-0033 (#145)

This is a backport of commit e880d87.

* chore: update MSRV and Cargo workspace syntax

Set MSRV to 1.66 and update Cargo workspace syntax together with
versions in members.  While at it restrict serde dependency in two
non-member crates so that it compiles with Rust 1.66.

* chore: additional prepare for release

---------

Co-authored-by: iho <[email protected]>
Co-authored-by: Michal Nazarewicz <[email protected]>
Co-authored-by: dj8yf0μl <[email protected]>