Headline
CVE-2022-39397: fix(auth): Prevent secret exposure · tu6ge/oss-rs@e4553f7
aliyun-oss-client is a rust client for Alibaba Cloud OSS. Users of this library will be affected, the incoming secret will be disclosed unintentionally. This issue has been patched in version 0.8.1.
@@ -177,7 +177,7 @@ impl Default for VERB { }
#[cfg_attr(test, automock)] pub trait AuthToHeaderMap { pub(crate) trait AuthToHeaderMap { fn get_original_header(&self) -> HeaderMap; fn get_header_key(&self) -> OssResult<HeaderValue>; fn get_header_secret(&self) -> OssResult<HeaderValue>; @@ -255,7 +255,7 @@ impl AuthToOssHeader for Auth { }
/// 从 auth 中提取各个字段,用于计算签名的原始字符串 pub trait AuthSignString { pub(crate) trait AuthSignString { fn key(&self) -> Cow<’_, KeyId>; fn secret(&self) -> Cow<’_, KeySecret>; fn verb(&self) -> String; @@ -312,7 +312,7 @@ impl AuthGetHeader for Auth { } }
pub trait AuthHeader { pub(crate) trait AuthHeader { fn from_auth(auth: &impl AuthToHeaderMap) -> OssResult<Self> where Self: Sized; @@ -399,7 +399,8 @@ impl SignString { pub fn new(data: String, key: KeyId, secret: KeySecret) -> SignString { SignString { data, key, secret } } pub fn from_auth(
pub(crate) fn from_auth( auth: &impl AuthSignString, header: impl HeaderToSign, ) -> OssResult<SignString> { @@ -427,11 +428,13 @@ impl SignString { self.data.clone() }
pub fn key_string(&self) -> String { #[cfg(test)] pub(crate) fn key_string(&self) -> String { self.key.to_string() }
pub fn secret_string(&self) -> String { #[cfg(test)] pub(crate) fn secret_string(&self) -> String { self.secret.to_string() }
@@ -499,9 +502,10 @@ impl AuthBuilder { /// /// ``` /// # use aliyun_oss_client::auth::AuthBuilder; /// let auth = AuthBuilder::default() /// use aliyun_oss_client::auth::AuthGetHeader; /// let headers = AuthBuilder::default() /// .key("bar".into()) /// .build(); /// .get_headers(); /// ``` pub fn key(mut self, key: KeyId) -> Self { self.auth.set_key(key); @@ -574,7 +578,8 @@ impl AuthBuilder { self }
pub fn build(self) -> Auth { #[allow(dead_code)] pub(crate) fn build(self) -> Auth { self.auth } }
Related news
### Impact Users of this library will be affected when using this library, the incoming secret will be disclosed unintentionally ### Patches This have already been solved. ### Workarounds No, It cannot be patched without upgrading ### References No ### For more information If you have any questions or comments about this advisory: * Email us at [email address](mailto:[email protected])