From 866769c054cfe1af5d595f06405eee9495afb302 Mon Sep 17 00:00:00 2001
From: aviac
Date: Sun, 9 Nov 2025 11:23:32 +0100
Subject: [PATCH] chore: replace serde-yml with serde-saphyr

- serde-yml has an un-addressed [security issue][sec-issue]
- [saphyr][saphyr] is a pretty recent and active crate that deals with YAML parsing
- based on that, someone recently created [serde-saphyr][serde-saphyr]

---

The change was pretty straightforward and mostly "just a search and replace". The new crate has it's `Error` type split into serialization and derserialization errors. Hence I created one Continuwuity-Error variant for each instead of just having a single `Yaml` variant. This was already done previously with the `Toml` errors so I thought this would be rather acceptable.

[sec-issue]: https://github.com/advisories/GHSA-gfxp-f68g-8x78
[saphyr]: https://github.com/saphyr-rs/saphyr
[serde-saphyr]: https://github.com/saphyr-rs/saphyr/issues/66#issuecomment-3353212289
---
 Cargo.lock | 127 +++++++++++++++++++++----------
 Cargo.toml | 4 +-
 src/admin/Cargo.toml | 2 +-
 src/admin/appservice/commands.rs | 4 +-
 src/core/Cargo.toml | 2 +-
 src/core/error/mod.rs | 4 +-
 src/service/Cargo.toml | 2 +-
 src/service/appservice/mod.rs | 2 +-
 8 files changed, 96 insertions(+), 51 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 5b379b5c..f9c1f1c9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -141,6 +141,12 @@ dependencies = [
  "password-hash",
 ]
 
+[[package]]
+name = "arraydeque"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d902e3d592a523def97af8f317b08ce16b7ab854c1985a0c671e6f15cebc236"
+
 [[package]]
 name = "arrayvec"
 version = "0.7.6"
@@ -719,7 +725,7 @@ version = "0.15.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d067ad48b8650848b989a59a86c6c36a995d02d2bf778d45c3c5d57bc2718f02"
 dependencies = [
- "smallvec",
+ "smallvec 1.15.1",
  "target-lexicon",
 ]
 
@@ -920,8 +926,8 @@ dependencies = [
  "futures",
  "log",
  "ruma",
+ "serde-saphyr",
  "serde_json",
- "serde_yml",
  "tokio",
  "tracing",
  "tracing-subscriber",
@@ -1010,11 +1016,11 @@ dependencies = [
  "ruma",
  "sanitize-filename",
  "serde",
+ "serde-saphyr",
  "serde_json",
  "serde_regex",
- "serde_yml",
  "smallstr",
- "smallvec",
+ "smallvec 1.15.1",
  "thiserror 2.0.17",
  "tikv-jemalloc-ctl",
  "tikv-jemalloc-sys",
@@ -1123,8 +1129,8 @@ dependencies = [
  "rustyline-async",
  "sd-notify",
  "serde",
+ "serde-saphyr",
  "serde_json",
- "serde_yml",
  "sha2",
  "termimad",
  "tokio",
@@ -1691,7 +1697,7 @@ dependencies = [
  "lebe",
  "miniz_oxide",
  "rayon-core",
- "smallvec",
+ "smallvec 1.15.1",
  "zune-inflate",
 ]
 
@@ -1784,6 +1790,12 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -2019,12 +2031,30 @@ version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
 
+[[package]]
+name = "hashlink"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
+dependencies = [
+ "hashbrown 0.15.5",
+]
+
 [[package]]
 name = "hdrhistogram"
 version = "7.5.4"
@@ -2122,7 +2152,7 @@ dependencies = [
  "rand 0.9.2",
  "resolv-conf",
  "serde",
- "smallvec",
+ "smallvec 1.15.1",
  "thiserror 2.0.17",
  "tokio",
  "tracing",
@@ -2241,7 +2271,7 @@ dependencies = [
  "itoa",
  "pin-project-lite",
  "pin-utils",
- "smallvec",
+ "smallvec 1.15.1",
  "tokio",
  "want",
 ]
@@ -2338,7 +2368,7 @@ dependencies = [
  "icu_normalizer_data",
  "icu_properties",
  "icu_provider",
- "smallvec",
+ "smallvec 1.15.1",
  "zerovec",
 ]
 
@@ -2394,7 +2424,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
 dependencies = [
  "idna_adapter",
- "smallvec",
+ "smallvec 1.15.1",
  "utf8_iter",
 ]
 
@@ -2713,16 +2743,6 @@ dependencies = [
  "windows-link 0.2.1",
 ]
 
-[[package]]
-name = "libyml"
-version = "0.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3302702afa434ffa30847a83305f0a69d6abd74293b6554c18ec85c7ef30c980"
-dependencies = [
- "anyhow",
- "version_check",
-]
-
 [[package]]
 name = "libz-sys"
 version = "1.1.22"
@@ -2972,7 +2992,7 @@ dependencies = [
  "parking_lot",
  "portable-atomic",
  "rustc_version",
- "smallvec",
+ "smallvec 1.15.1",
  "tagptr",
  "uuid",
 ]
@@ -3005,6 +3025,12 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "nohash-hasher"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -3305,7 +3331,7 @@ dependencies = [
  "libc",
  "petgraph",
  "redox_syscall",
- "smallvec",
+ "smallvec 1.15.1",
  "windows-link 0.2.1",
 ]
 
@@ -4074,7 +4100,7 @@ dependencies = [
  "serde",
  "serde_html_form",
  "serde_json",
- "smallvec",
+ "smallvec 1.15.1",
  "thiserror 2.0.17",
  "time",
  "tracing",
@@ -4101,7 +4127,7 @@ dependencies = [
  "ruma-macros",
  "serde",
  "serde_json",
- "smallvec",
+ "smallvec 1.15.1",
  "thiserror 2.0.17",
  "tracing",
  "url",
@@ -4357,6 +4383,16 @@ dependencies = [
  "regex",
 ]
 
+[[package]]
+name = "saphyr-parser"
+version = "0.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fb771b59f6b1985d1406325ec28f97cfb14256abcec4fdfb37b36a1766d6af7"
+dependencies = [
+ "arraydeque",
+ "hashlink",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.28"
@@ -4553,6 +4589,22 @@ dependencies = [
  "serde_derive",
 ]
 
+[[package]]
+name = "serde-saphyr"
+version = "0.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd76af9505b2498740576f95f60b3b4e2c469b5b677a8d2dd1d2da18b58193de"
+dependencies = [
+ "base64 0.22.1",
+ "nohash-hasher",
+ "num-traits",
+ "ryu",
+ "saphyr-parser",
+ "serde",
+ "serde_json",
+ "smallvec 2.0.0-alpha.11",
+]
+
 [[package]]
 name = "serde_core"
 version = "1.0.228"
@@ -4650,21 +4702,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "serde_yml"
-version = "0.0.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59e2dd588bf1597a252c3b920e0143eb99b0f76e4e082f4c92ce34fbc9e71ddd"
-dependencies = [
- "indexmap 2.11.4",
- "itoa",
- "libyml",
- "memchr",
- "ryu",
- "serde",
- "version_check",
-]
-
 [[package]]
 name = "sha1"
 version = "0.10.6"
@@ -4775,7 +4812,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "862077b1e764f04c251fe82a2ef562fd78d7cadaeb072ca7c2bcaf7217b1ff3b"
 dependencies = [
  "serde",
- "smallvec",
+ "smallvec 1.15.1",
 ]
 
 [[package]]
@@ -4787,6 +4824,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "smallvec"
+version = "2.0.0-alpha.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87b96efa4bd6bdd2ff0c6615cc36fc4970cbae63cfd46ddff5cee35a1b4df570"
+
 [[package]]
 name = "socket2"
 version = "0.5.10"
@@ -5474,7 +5517,7 @@ dependencies = [
  "once_cell",
  "opentelemetry",
  "opentelemetry_sdk",
- "smallvec",
+ "smallvec 1.15.1",
  "tracing",
  "tracing-core",
  "tracing-log",
@@ -5492,7 +5535,7 @@ dependencies = [
  "once_cell",
  "regex",
  "sharded-slab",
- "smallvec",
+ "smallvec 1.15.1",
  "thread_local",
  "tracing",
  "tracing-core",
diff --git a/Cargo.toml b/Cargo.toml
index e1a22e87..41cdbdd6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -166,8 +166,8 @@ default-features = false
 features = ["raw_value"]
 
 # Used for appservice registration files
-[workspace.dependencies.serde_yml]
-version = "0.0.12"
+[workspace.dependencies.serde-saphyr]
+version = "0.0.7"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
diff --git a/src/admin/Cargo.toml b/src/admin/Cargo.toml
index 243a8567..907dd5d1 100644
--- a/src/admin/Cargo.toml
+++ b/src/admin/Cargo.toml
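Review bot: The new `[workspace.dependencies.serde-saphyr]` entry brings in a 0.0.x pre-release crate which, per the Cargo.lock hunks in this patch, also pulls `saphyr-parser 0.0.6` and `smallvec 2.0.0-alpha.11` alongside the existing `smallvec 1.15.1`, so the advisory on serde_yml is being traded for an unstable, alpha-backed dependency tree and that trade-off is not recorded anywhere in the manifest. I would extend the existing comment to `# Used for appservice registration files. serde-saphyr is a 0.0.x pre-release replacing serde_yml (GHSA-gfxp-f68g-8x78) and currently pulls smallvec 2.0.0-alpha; re-evaluate once saphyr stabilises.` so the next dependency review knows why it is here. Cargo's caret rule on a 0.0.x requirement already pins this to exactly 0.0.7, so an `=0.0.7` spec adds nothing, but the lockfile must stay committed for that to hold in builds.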
@@ -85,7 +85,7 @@ futures.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
diff --git a/src/admin/appservice/commands.rs b/src/admin/appservice/commands.rs
index bf76584b..2c1bb7c1 100644
--- a/src/admin/appservice/commands.rs
+++ b/src/admin/appservice/commands.rs
@@ -16,7 +16,7 @@ pub(super) async fn register(&self) -> Result {
 let range = 1..checked!(body_len - 1)?;
 let appservice_config_body = body[range].join("\n");
 
- let parsed_config = serde_yml::from_str(&appservice_config_body);
+ let parsed_config = serde_saphyr::from_str(&appservice_config_body);
 match parsed_config {
 | Err(e) => return Err!("Could not parse appservice config as YAML: {e}"),
 | Ok(registration) => match self
@@ -57,7 +57,7 @@ pub(super) async fn show_appservice_config(&self, appservice_identifier: String)
 {
 | None => return Err!("Appservice does not exist."),
 | Some(config) => {
- let config_str = serde_yml::to_string(&config)?;
+ let config_str = serde_saphyr::to_string(&config)?;
 write!(self, "Config for {appservice_identifier}:\n\n```yaml\n{config_str}\n```")
 },
 }
diff --git a/src/core/Cargo.toml b/src/core/Cargo.toml
index da35cebc..900b2345 100644
--- a/src/core/Cargo.toml
+++ b/src/core/Cargo.toml
@@ -92,7 +92,7 @@ ruma.workspace = true
 sanitize-filename.workspace = true
 serde_json.workspace = true
 serde_regex.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 serde.workspace = true
 smallvec.workspace = true
 smallstr.workspace = true
diff --git a/src/core/error/mod.rs b/src/core/error/mod.rs
index f1ef31c1..03967e62 100644
--- a/src/core/error/mod.rs
+++ b/src/core/error/mod.rs
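Review bot: The new `serde_saphyr::from_str(&appservice_config_body)` line swaps the parser behind an operator-typed document without any test pinning what it accepts, and the two crates are not drop-in equivalents: serde_yml sits on a libyaml (YAML 1.1) core while saphyr targets YAML 1.2, so unquoted scalars such as `yes`/`no`, `~` or octal-looking `0123` can resolve differently — that is inferred from the crates involved, not visible in the hunk. I would add a test that feeds a representative registration document through this path and asserts the resulting struct, and annotate the line with `// serde_saphyr is a YAML 1.2 parser; 1.1-style unquoted scalars may resolve differently than under serde_yml`. Since the body is user-typed, it is also worth confirming the new parser bounds alias expansion and nesting depth before relying on it for pathological input. The body of `register` starts before and continues after this hunk.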
@@ -83,7 +83,9 @@ pub enum Error {
 #[error(transparent)]
 TypedHeader(#[from] axum_extra::typed_header::TypedHeaderRejection),
 #[error(transparent)]
- Yaml(#[from] serde_yml::Error),
+ YamlDe(#[from] serde_saphyr::Error),
+ #[error(transparent)]
+ YamlSer(#[from] serde_saphyr::ser_error::Error),
 
 // ruma/conduwuit
 #[error("Arithmetic operation failed: {0}")]
diff --git a/src/service/Cargo.toml b/src/service/Cargo.toml
index 063b4582..878190a3 100644
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
@@ -108,7 +108,7 @@ rustyline-async.workspace = true
 rustyline-async.optional = true
 serde_json.workspace = true
 serde.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 sha2.workspace = true
 termimad.workspace = true
 termimad.optional = true
diff --git a/src/service/appservice/mod.rs b/src/service/appservice/mod.rs
index c4c4475a..2e992f28 100644
--- a/src/service/appservice/mod.rs
+++ b/src/service/appservice/mod.rs
@@ -271,7 +271,7 @@ impl Service {
 .id_appserviceregistrations
 .get(id)
 .await
- .and_then(|ref bytes| serde_yml::from_slice(bytes).map_err(Into::into))
+ .and_then(|ref bytes| serde_saphyr::from_slice(bytes).map_err(Into::into))
 .map_err(|e| err!(Database("Invalid appservice {id:?} registration: {e:?}")))
 }
 
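Review bot: The two new variants `YamlDe` and `YamlSer` are distinguishable only by name, and the mapping is counter-intuitive — the crate's root `serde_saphyr::Error` is the deserialization error while the serialization one lives under `ser_error` — so each deserves a one-line doc comment: `/// YAML deserialisation failed (serde_saphyr's root `Error` is the de-side type).` above `YamlDe` and `/// YAML serialisation failed.` above `YamlSer`. Splitting one variant into two also matters wherever `Error` is matched with a catch-all arm (for example a status-code or error-kind mapping): the old `Yaml` arm would have compiled away silently, so both new variants should be checked against whatever handling `Yaml` had — that is not visible from this hunk. `pub enum Error` continues outside the hunk on both sides.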
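Review bot: `serde_saphyr::from_slice(bytes)` now parses registration documents that were persisted by the previous serde_yml-based code, and a stored document the old emitter wrote in a form the new parser rejects or resolves differently (YAML 1.1 vs 1.2 scalar rules) will only surface as the `Database("Invalid appservice … registration")` error at the next lookup of that appservice, with no one-time validation or migration — this is inferred from the crate swap, not shown in the hunk. I would add a test that runs a registration fixture produced by the old serializer through this function, and put `// Stored registrations may predate the serde_yml -> serde_saphyr switch; a parse error here means the on-disk YAML is no longer accepted, not that the record is corrupt` above the `.and_then` line. Also worth checking whether the new error's `Debug` output (`{e:?}`) echoes the offending input, since the document carries the appservice tokens and this message goes to the error path. The enclosing method starts before this hunk.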