From 025b143d88e8db7c9a589abec269a20ea14475a4 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 18 Feb 2022 13:18:40 +0300 Subject: [PATCH] Replace usage of chrono with time crate The time crate is the underlying crate which chrono uses for its various operations. Unfortunately, chrono is unmaintained and older versions of the time crate have security vulnerabilites[0] which are unfixed in chrono[1]. The medallion code does not use any chrono-specific features and all uses of it could be trivially replaced with the underlying time structs. Note that this change adds calls to `expect`. Where these calls are made, the previous chrono functions also panicked internally if out-of-range values were passed. We noticed this issue while doing a similar refactoring in a program that also uses medallion[2]. [0]: https://rustsec.org/advisories/RUSTSEC-2020-0071.html [1]: https://rustsec.org/advisories/RUSTSEC-2020-0159.html [2]: https://cl.tvl.fyi/c/depot/+/5311 --- Cargo.toml | 2 +- src/lib.rs | 18 +++++++++--------- src/payload.rs | 26 +++++++++++--------------- 3 files changed, 21 insertions(+), 25 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 64552fc..00bb88d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,4 +21,4 @@ openssl = "~0.10.15" serde = { version = "^1.0.114", features = [ "derive" ] } serde_json = "^1.0.55" anyhow = "^1.0.31" -chrono = "~0.4.11" +time = "~0.3" diff --git a/src/lib.rs b/src/lib.rs index ac97b30..35278ba 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -95,8 +95,8 @@ mod tests { use super::Algorithm::{HS256, RS512}; use crate::{DefaultPayload, DefaultToken, Header, Payload, Token}; use anyhow::Result; - use chrono::{prelude::*, Duration}; use std::convert::TryInto; + use time::{Duration, OffsetDateTime}; #[test] pub fn raw_data() { @@ -111,11 +111,11 @@ mod tests { #[test] pub fn roundtrip_hmac() { - let now = Utc::now(); + let now = OffsetDateTime::now_utc(); let header: Header<()> = Header::default(); let payload = DefaultPayload { - nbf: Some(now.timestamp().try_into().unwrap()), - exp: Some((now + Duration::minutes(5)).timestamp().try_into().unwrap()), + nbf: Some(now.unix_timestamp().try_into().unwrap()), + exp: Some((now + Duration::minutes(5)).unix_timestamp().try_into().unwrap()), ..DefaultPayload::default() }; let token = Token::new(header, payload); @@ -129,7 +129,7 @@ mod tests { #[test] pub fn roundtrip_expired() -> Result<()> { - let now = Utc::now(); + let now = OffsetDateTime::now_utc(); let token = create_for_range(now, now + Duration::minutes(-5))?; let key = b"secret"; let raw = token.sign(key)?; @@ -142,7 +142,7 @@ mod tests { #[test] pub fn roundtrip_not_yet_valid() -> Result<()> { - let now = Utc::now(); + let now = OffsetDateTime::now_utc(); let token = create_for_range(now + Duration::minutes(5), now + Duration::minutes(10))?; let key = b"secret"; let raw = token.sign(key)?; @@ -175,11 +175,11 @@ mod tests { .unwrap()); } - fn create_for_range(nbf: DateTime, exp: DateTime) -> Result { + fn create_for_range(nbf: OffsetDateTime, exp: OffsetDateTime) -> Result { let header: Header = Header::default(); let payload = Payload { - nbf: Some(nbf.timestamp().try_into()?), - exp: Some(exp.timestamp().try_into()?), + nbf: Some(nbf.unix_timestamp().try_into()?), + exp: Some(exp.unix_timestamp().try_into()?), ..Payload::default() }; Ok(Token::new(header, payload)) diff --git a/src/payload.rs b/src/payload.rs index 2d6cd83..7befab5 100644 --- a/src/payload.rs +++ b/src/payload.rs @@ -1,9 +1,9 @@ use super::Result; use anyhow::format_err; use base64::{decode_config, encode_config, URL_SAFE_NO_PAD}; -use chrono::{DateTime, NaiveDateTime, Utc}; use serde::{de::DeserializeOwned, Deserialize, Serialize}; use serde_json::value::Value; +use time::{OffsetDateTime}; /// A default claim set, including the standard, or registered, claims and the ability to specify /// your own as custom claims. @@ -81,23 +81,19 @@ impl Payload { } pub fn verify(&self) -> bool { - let now = Utc::now(); + let now = OffsetDateTime::now_utc(); let nbf_verified = match self.nbf { Some(nbf_sec) => { - let nbf = DateTime::::from_utc( - NaiveDateTime::from_timestamp(nbf_sec as i64, 0), - Utc, - ); + let nbf = OffsetDateTime::from_unix_timestamp(nbf_sec as i64) + .expect("nbf timestamp out of range"); nbf < now } None => true, }; let exp_verified = match self.exp { Some(exp_sec) => { - let exp = DateTime::::from_utc( - NaiveDateTime::from_timestamp(exp_sec as i64, 0), - Utc, - ); + let exp = OffsetDateTime::from_unix_timestamp(exp_sec as i64) + .expect("exp timestamp out of range"); now < exp } None => true, @@ -109,9 +105,9 @@ impl Payload { #[cfg(test)] mod tests { use super::{DefaultPayload, Payload}; - use chrono::{prelude::*, Duration}; use serde::{Deserialize, Serialize}; use std::default::Default; + use time::{Duration, OffsetDateTime}; #[derive(Default, Debug, Serialize, Deserialize, PartialEq)] struct CustomClaims { @@ -211,7 +207,7 @@ mod tests { } fn create_with_nbf(offset: i64) -> DefaultPayload { - let nbf = (Utc::now() - Duration::minutes(offset)).timestamp(); + let nbf = (OffsetDateTime::now_utc() - Duration::minutes(offset)).unix_timestamp(); DefaultPayload { nbf: Some(nbf as u64), ..Default::default() @@ -219,7 +215,7 @@ mod tests { } fn create_with_exp(offset: i64) -> DefaultPayload { - let exp = (Utc::now() + Duration::minutes(offset)).timestamp(); + let exp = (OffsetDateTime::now_utc() + Duration::minutes(offset)).unix_timestamp(); DefaultPayload { exp: Some(exp as u64), ..Default::default() @@ -227,8 +223,8 @@ mod tests { } fn create_with_nbf_exp(nbf_offset: i64, exp_offset: i64) -> DefaultPayload { - let nbf = (Utc::now() - Duration::minutes(nbf_offset)).timestamp(); - let exp = (Utc::now() + Duration::minutes(exp_offset)).timestamp(); + let nbf = (OffsetDateTime::now_utc() - Duration::minutes(nbf_offset)).unix_timestamp(); + let exp = (OffsetDateTime::now_utc() + Duration::minutes(exp_offset)).unix_timestamp(); DefaultPayload { nbf: Some(nbf as u64), exp: Some(exp as u64),