diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index 317e0e7..1b92b8d 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -21,3 +21,5 @@ jobs:
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ rust-version: "1.83.0"
diff --git a/backend/Cargo.toml b/backend/Cargo.toml
index 3b3ad41..4411978 100644
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -12,7 +12,7 @@ path = "src/main.rs"
 name = "atrium"
 [dependencies]
-anyhow = { default-features = false, version = "1.0.93" }
+anyhow = { default-features = false, version = "1.0.94" }
 argon2 = { features = ["alloc", "password-hash"], default-features = false, version = "0.5.3" }
 async_zip = { features = ["deflate", "tokio"], default-features = false, version = "0.0.17" }
 async-stream = "0.3.6"
@@ -22,12 +22,12 @@ axum-extra = { version = "0.9.6", features = ["cookie-private", "typed-header"],
 axum-server = "0.7.1"
 base64ct = { version = "1.6.0", features = ["alloc"] }
 chacha20poly1305 = { version = "0.10.1", features = ["stream"], default-features = false }
-chrono = { default-features = false, version = "0.4.38" }
+chrono = { default-features = false, version = "0.4.39" }
 filetime = "0.2.25"
 futures = { default-features = false, version = "0.3.31" }
 futures-util = { default-features = false, version = "0.3.31" }
 headers = "0.4.0"
-http = "1.1.0"
+http = "1.2.0"
 http-body-util = "0.1.2"
 hyper = { version = "1.5.1", default-features = false }
 hyper-util = { version = "0.1.10", features = ["client-legacy", "http1", "tokio"], default-features = false }
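Review bot: In `.github/workflows/security-audit.yml`, the new `rust-version: "1.83.0"` input carries no comment saying why the toolchain is pinned or what it has to be kept in step with, so it is likely to go stale as the dependencies bumped in this same commit raise their minimum Rust version. I would add a line above it such as `# Toolchain used by cargo-deny; bump together with the project's Rust version`. Separately, the step on the context line still references the action by the mutable tag `@v1`; pinning it to a full commit SHA would make this audit job reproducible and harder to alter through a retagged release.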
@@ -42,24 +42,24 @@ percent-encoding = { default-features = false, version = "2.3.1" }
 quick-xml = "0.37.1"
 rand = { default-features = false, version = "0.8.5" }
 rcgen = { version = "0.13.1", default-features = false, optional = true }
-rustls = { default-features = false, version = "0.23.18", features = ["ring"] }
+rustls = { default-features = false, version = "0.23.19", features = ["ring"] }
 rustls-pki-types = { version = "1.10.0" }
 rustls-acme = { version = "0.12.1", features = ["axum", "ring"], default-features = false }
 serde = { version = "1.0.215", default-features = false }
 serde_json = { default-features = false, version = "1.0.133" }
 serde_yml = "0.0.12"
 sha2 = { default-features = false, version = "0.10.8" }
-sysinfo = { default-features = false, version = "0.32.0", features = ["disk", "system"] }
-time = { default-features = false, version = "0.3.36" }
-tokio = { version = "1.41.1", features = ["full"], default-features = false }
-tokio-stream = { version = "0.1.16", default-features = false }
-tokio-util = { version = "0.7.12", default-features = false }
+sysinfo = { default-features = false, version = "0.33.0", features = ["disk", "system"] }
+time = { default-features = false, version = "0.3.37" }
+tokio = { version = "1.42.0", features = ["full"], default-features = false }
+tokio-stream = { version = "0.1.17", default-features = false }
+tokio-util = { version = "0.7.13", default-features = false }
 tower = { default-features = false, version = "0.5.1", features = ["util"] }
 tower-http = { version = "0.6.2", features = ["fs"], default-features = false }
 tower-service = "0.3.3"
-tracing = { default-features = false, version = "0.1.40" }
+tracing = { default-features = false, version = "0.1.41" }
 tracing-appender = "0.2.3"
-tracing-subscriber = { version = "0.3.18", features = ["ansi", "env-filter", "local-time"], default-features = false }
+tracing-subscriber = { version = "0.3.19", features = ["ansi", "env-filter", "local-time"], default-features = false }
 trim-in-place = "0.1.7"
 urlencoding = "2.1.3"
 uuid = { version = "1.11.0", features = ["fast-rng", "v4"], default-features = false }
@@ -69,7 +69,7 @@ default = ["self_signed"]
 self_signed = ["dep:rcgen"]
 [dev-dependencies]
-async-tungstenite = { version = "0.28.0", features = ["tokio-runtime"] }
+async-tungstenite = { version = "0.28.1", features = ["tokio-runtime"] }
 reqwest = { version = "0.12.9", default-features = false, features = ["cookies", "json", "rustls-tls", "stream"] }
 tungstenite = "0.24.0"
diff --git a/backend/deny.toml b/backend/deny.toml
index 15c1a94..b860a46 100644
--- a/backend/deny.toml
+++ b/backend/deny.toml
@@ -11,6 +11,9 @@
 # Root options
+# The graph table configures how the dependency graph is constructed and thus
+# which crates the checks are performed against
+[graph]
 # If 1 or more target triples (and optionally, target_features) are specified,
 # only the specified targets will be checked when running `cargo deny check`.
 # This means, if a particular package is only ever used as a target specific
@@ -22,7 +25,7 @@
 targets = [
 # The triple can be any string, but only the target triples built in to
 # rustc (as of 1.40) can be checked against actual config expressions
- #{ triple = "x86_64-unknown-linux-musl" },
+ #"x86_64-unknown-linux-musl",
 # You can also specify which target_features you promise are enabled for a
 # particular target. target_features are currently not validated against
 # the actual valid features supported by the target architecture.
@@ -46,6 +49,9 @@ no-default-features = false
 # If set, these feature will be enabled when collecting metadata. If `--features`
 # is specified on the cmd line they will take precedence over this option.
 #features = []
+
+# The output table provides options for how/if diagnostics are outputted
+[output]
 # When outputting inclusion graphs in diagnostics that include features, this
 # option can be used to specify the depth at which feature edges will be added.
 # This option is included since the graphs can be quite large and the addition
@@ -57,35 +63,18 @@ feature-depth = 1
 # More documentation for the advisories section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
-# The path where the advisory database is cloned/fetched into
-db-path = "~/.cargo/advisory-db"
+# The path where the advisory databases are cloned/fetched into
+#db-path = "$CARGO_HOME/advisory-dbs"
 # The url(s) of the advisory databases to use
-db-urls = ["https://github.com/rustsec/advisory-db"]
-# The lint level for security vulnerabilities
-vulnerability = "deny"
-# The lint level for unmaintained crates
-unmaintained = "warn"
-# The lint level for crates that have been yanked from their source registry
-yanked = "warn"
-# The lint level for crates with security notices. Note that as of
-# 2019-12-17 there are no security notice advisories in
-# https://github.com/rustsec/advisory-db
-notice = "warn"
+#db-urls = ["https://github.com/rustsec/advisory-db"]
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
 #"RUSTSEC-0000-0000",
+ #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
+ #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
+ #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
 ]
-# Threshold for security vulnerabilities, any vulnerability with a CVSS score
-# lower than the range specified will be ignored. Note that ignored advisories
-# will still output a note when they are encountered.
-# * None - CVSS Score 0.0
-# * Low - CVSS Score 0.1 - 3.9
-# * Medium - CVSS Score 4.0 - 6.9
-# * High - CVSS Score 7.0 - 8.9
-# * Critical - CVSS Score 9.0 - 10.0
-#severity-threshold =
-
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
 # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
@@ -96,41 +85,10 @@ ignore = [
 # More documentation for the licenses section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 [licenses]
-# The lint level for crates which do not have a detectable license
-unlicensed = "allow"
 # List of explicitly allowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
-allow = [
- "MIT",
- "Apache-2.0",
- "ISC",
- "MPL-2.0",
- "Unicode-3.0",
- "Unicode-DFS-2016",
- "BSD-3-Clause"
- #"Apache-2.0 WITH LLVM-exception",
-]
-# List of explicitly disallowed licenses
-# See https://spdx.org/licenses/ for list of possible licenses
-# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
-deny = [
- #"Nokia",
-]
-# Lint level for licenses considered copyleft
-copyleft = "warn"
-# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
-# * both - The license will be approved if it is both OSI-approved *AND* FSF
-# * either - The license will be approved if it is either OSI-approved *OR* FSF
-# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF
-# * fsf-only - The license will be approved if is FSF *AND NOT* OSI-approved
-# * neither - This predicate is ignored and the default lint level is used
-allow-osi-fsf-free = "neither"
-# Lint level used when no other predicates are matched
-# 1. License isn't in the allow or deny lists
-# 2. License isn't copyleft
-# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
-default = "deny"
+allow = ["AGPL-3.0", "Apache-2.0", "BSD-3-Clause", "ISC", "MIT", "MPL-2.0", "Unicode-3.0"]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
 # canonical license text of a valid SPDX license file.
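Review bot: In `backend/deny.toml`, the `[advisories]` hunk removes `vulnerability = "deny"`, `unmaintained = "warn"`, `yanked = "warn"` and `notice = "warn"` without stating the policy anywhere else, so what fails the audit now depends entirely on the defaults of whichever cargo-deny release `cargo-deny-action@v1` runs. This looks like the migration to the newer config schema, but the file should still say what is expected; a comment under `[advisories]` such as `# Lint levels are left at cargo-deny defaults: vulnerability and unmaintained advisories are expected to fail the check` would do, once confirmed against the cargo-deny version used in CI. The same hunk also comments out `db-urls`, so the advisory source is now implicit as well.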
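Review bot: In the `[licenses]` hunk, the new one-line `allow` list adds `"AGPL-3.0"` and drops `"Unicode-DFS-2016"` with no comment on either, while `copyleft = "warn"` and `default = "deny"` are removed in the same change, so a strong-copyleft licence is now accepted silently for every dependency in the graph. If AGPL-3.0 is only there for the workspace's own crates or for one specific dependency, say so in a comment above the list, or scope it through `exceptions` rather than the global list. `AGPL-3.0` is also a deprecated SPDX identifier (the current forms are `AGPL-3.0-only` and `AGPL-3.0-or-later`), so it is worth checking that cargo-deny matches it the way you intend.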
@@ -141,28 +99,13 @@ confidence-threshold = 0.8
 exceptions = [
 # Each entry is the crate and version constraint, and its specific allow
 # list
- #{ allow = ["Zlib"], name = "adler32", version = "*" },
+ #{ allow = ["Zlib"], crate = "adler32" },
 ]
-# Some crates don't have (easily) machine readable licensing information,
-# adding a clarification entry for it allows you to manually specify the
-# licensing information
-#[[licenses.clarify]]
-# The name of the crate the clarification applies to
-#name = "ring"
-# The optional version constraint for the crate
-#version = "*"
-# The SPDX expression for the license requirements of the crate
-#expression = "MIT AND ISC AND OpenSSL"
-# One or more files in the crate's source used as the "source of truth" for
-# the license expression. If the contents match, the clarification will be used
-# when running the license check, otherwise the clarification will be ignored
-# and the crate will be checked normally, which may produce warnings or errors
-# depending on the rest of your configuration
-#license-files = [
- # Each entry is a crate relative path, and the (opaque) hash of its contents
- #{ path = "LICENSE", hash = 0xbd0eed23 }
-#]
+[[licenses.clarify]]
+crate = "ring"
+expression = "ISC"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
 [licenses.private]
 # If true, ignores workspace crates that aren't published, or are only
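Review bot: The new `[[licenses.clarify]]` entry declares `ring` as `expression = "ISC"`, whereas the template comment this hunk deletes gave `MIT AND ISC AND OpenSSL` for the same crate; if the ring release in the lockfile still carries the OpenSSL-derived terms, this clarification makes the licence check pass on an understated expression. The `hash = 0xbd0eed23` is the value from the deleted example, and per the deleted comment a clarification whose file hash does not match is ignored, so it should be confirmed against the actual `LICENSE` file of the pinned ring release. I would put a comment above the entry recording what it was checked against, e.g. `# ring <VERSION>: expression and LICENSE hash verified on <DATE>`.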
@@ -192,33 +135,32 @@ wildcards = "allow"
 # * all - Both lowest-version and simplest-path are used
 highlight = "all"
 # The default lint level for `default` features for crates that are members of
-# the workspace that is being checked. This can be overriden by allowing/denying
+# the workspace that is being checked. This can be overridden by allowing/denying
 # `default` on a crate-by-crate basis if desired.
 workspace-default-features = "allow"
 # The default lint level for `default` features for external crates that are not
-# members of the workspace. This can be overriden by allowing/denying `default`
+# members of the workspace. This can be overridden by allowing/denying `default`
 # on a crate-by-crate basis if desired.
 external-default-features = "allow"
 # List of crates that are allowed. Use with care!
 allow = [
- #{ name = "ansi_term", version = "=0.11.0" },
+ #"ansi_term@0.11.0",
+ #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" },
 ]
 # List of crates to deny
 deny = [
- # Each entry the name of a crate and a version range. If version is
- # not specified, all versions will be matched.
- #{ name = "ansi_term", version = "=0.11.0" },
- #
+ #"ansi_term@0.11.0",
+ #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" },
 # Wrapper crates can optionally be specified to allow the crate when it
 # is a direct dependency of the otherwise banned crate
- #{ name = "ansi_term", version = "=0.11.0", wrappers = [] },
+ #{ crate = "ansi_term@0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term"] },
 ]
 # List of features to allow/deny
 # Each entry the name of a crate and a version range. If version is
 # not specified, all versions will be matched.
 #[[bans.features]]
-#name = "reqwest"
+#crate = "reqwest"
 # Features to not allow
 #deny = ["json"]
 # Features to allow
@@ -239,14 +181,16 @@ deny = [
 # Certain crates/versions that will be skipped when doing duplicate detection.
 skip = [
- #{ name = "ansi_term", version = "=0.11.0" },
+ #"ansi_term@0.11.0",
+ #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason why it can't be updated/removed" },
 ]
 # Similarly to `skip` allows you to skip certain crates during duplicate
 # detection. Unlike skip, it also includes the entire tree of transitive
 # dependencies starting at the specified crate, up to a certain depth, which is
 # by default infinite.
 skip-tree = [
- #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
+ #"ansi_term@0.11.0", # will be skipped along with _all_ of its direct and transitive dependencies
+ #{ crate = "ansi_term@0.11.0", depth = 20 },
 ]
 # This section is considered when running `cargo deny check sources`.
@@ -266,9 +210,9 @@ allow-registry = ["https://github.com/rust-lang/crates.io-index"]
 allow-git = []
 [sources.allow-org]
-# 1 or more github.com organizations to allow git sources for
-github = [""]
-# 1 or more gitlab.com organizations to allow git sources for
-gitlab = [""]
-# 1 or more bitbucket.org organizations to allow git sources for
-bitbucket = [""]
+# github.com organizations to allow git sources for
+github = []
+# gitlab.com organizations to allow git sources for
+gitlab = []
+# bitbucket.org organizations to allow git sources for
+bitbucket = []
diff --git a/backend/src/sysinfo.rs b/backend/src/sysinfo.rs
index c90d3ef..255d852 100644
--- a/backend/src/sysinfo.rs
+++ b/backend/src/sysinfo.rs
@@ -5,12 +5,15 @@ use std::{
 path::PathBuf,
 sync::{LazyLock, Mutex},
 };
-use sysinfo::{CpuRefreshKind, Disks, MemoryRefreshKind, RefreshKind, System};
+use sysinfo::{CpuRefreshKind, DiskRefreshKind, Disks, MemoryRefreshKind, RefreshKind, System};
 use tokio::task;
 static SYSTEM_INFO: LazyLock> = LazyLock::new(|| Mutex::new(System::new_all()));
-static DISKS_INFO: LazyLock> =
- LazyLock::new(|| Mutex::new(Disks::new_with_refreshed_list()));
+static DISKS_INFO: LazyLock> = LazyLock::new(|| {
+ Mutex::new(Disks::new_with_refreshed_list_specifics(
+ DiskRefreshKind::nothing().with_storage(),
+ ))
+});
 #[derive(Serialize, Deserialize, Debug)]
 pub struct SystemInfo {
@@ -32,7 +35,7 @@ pub async fn disk_info(path: PathBuf) -> Result {
 let disksinfo: Result, &str> = task::spawn_blocking(|| {
 let mut disks = DISKS_INFO.lock().map_err(|_| "could not lock disks info")?;
- disks.refresh_list();
+ disks.refresh_specifics(true, DiskRefreshKind::nothing().with_storage());
 let disksinfo = disks
 .iter()
 .map(|disk| DiskInfo {
@@ -78,9 +81,9 @@ pub async fn system_info(_user: UserToken) -> Result, ErrRespon
 .lock()
 .map_err(|_| ErrResponse::S500("could not lock system info"))?;
 sys.refresh_specifics(
- RefreshKind::new()
- .with_memory(MemoryRefreshKind::new().with_ram())
- .with_cpu(CpuRefreshKind::new().with_cpu_usage()),
+ RefreshKind::nothing()
+ .with_memory(MemoryRefreshKind::nothing().with_ram())
+ .with_cpu(CpuRefreshKind::nothing().with_cpu_usage()),
 );
 Ok(SystemInfo {
 total_memory: sys.total_memory(),
diff --git a/backend/tests/backend/apps/proxy.rs b/backend/tests/backend/apps/proxy.rs
index cf03243..96f7e9f 100644
--- a/backend/tests/backend/apps/proxy.rs
+++ b/backend/tests/backend/apps/proxy.rs
@@ -1,6 +1,5 @@
 use async_tungstenite::tokio::{accept_async, connect_async};
 use atrium::{apps::App, configuration::Config};
-use futures::SinkExt;
 use http::{
 header::{CONNECTION, HOST, UPGRADE},
 HeaderValue,
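Review bot: In `disk_info`, the bare `true` passed to `disks.refresh_specifics(true, DiskRefreshKind::nothing().with_storage())` gives no hint of what it toggles. It appears to be the flag that drops disks which are no longer present, which would preserve the old `refresh_list()` behaviour; a short comment such as `// true: forget disks that have disappeared since the last refresh` would make that explicit, after confirming it against the sysinfo 0.33 documentation. The same `DiskRefreshKind::nothing().with_storage()` expression is also written out in the `DISKS_INFO` initialiser in the first hunk, so a small private helper returning it would keep the two call sites from drifting apart. `disk_info` starts and ends outside the hunk.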
diff --git a/frontend/pubspec.lock b/frontend/pubspec.lock index c8e71f8..af724d4 100644 --- a/frontend/pubspec.lock +++ b/frontend/pubspec.lock @@ -53,10 +53,10 @@ packages: dependency: transitive description: name: cli_util - sha256: c05b7406fdabc7a49a3929d4af76bcaccbbffcbcdcf185b082e1ae07da323d19 + sha256: ff6785f7e9e3c38ac98b2fb035701789de90154024a75b6cb926445e83197d1c url: "https://pub.dev" source: hosted - version: "0.4.1" + version: "0.4.2" clock: dependency: transitive description: @@ -101,10 +101,10 @@ packages: dependency: transitive description: name: csslib - sha256: "706b5707578e0c1b4b7550f64078f0a0f19dec3f50a178ffae7006b0a9ca58fb" + sha256: "09bad715f418841f976c77db72d5398dc1253c21fb9c0c7f0b0b985860b2d58e" url: "https://pub.dev" source: hosted - version: "1.0.0" + version: "1.0.2" dbus: dependency: transitive description: @@ -218,10 +218,10 @@ packages: dependency: "direct dev" description: name: flutter_launcher_icons - sha256: "619817c4b65b322b5104b6bb6dfe6cda62d9729bd7ad4303ecc8b4e690a67a77" + sha256: "31cd0885738e87c72d6f055564d37fabcdacee743b396b78c7636c169cac64f5" url: "https://pub.dev" source: hosted - version: "0.14.1" + version: "0.14.2" flutter_lints: dependency: "direct dev" description: @@ -281,10 +281,18 @@ packages: dependency: transitive description: name: html - sha256: "3a7812d5bcd2894edf53dfaf8cd640876cf6cef50a8f238745c8b8120ea74d3a" + sha256: "1fc58edeaec4307368c60d59b7e15b9d658b57d7f3125098b6294153c75337ec" url: "https://pub.dev" source: hosted - version: "0.15.4" + version: "0.15.5" + http: + dependency: transitive + description: + name: http + sha256: b9c29a161230ee03d3ccf545097fccd9b87a5264228c5d348202e0f0c28f9010 + url: "https://pub.dev" + source: hosted + version: "1.2.2" http_parser: dependency: transitive description: 
@@ -465,18 +473,18 @@ packages: dependency: transitive description: name: path_provider_android - sha256: c464428172cb986b758c6d1724c603097febb8fb855aa265aeecc9280c294d4a + sha256: "4adf4fd5423ec60a29506c76581bc05854c55e3a0b72d35bb28d661c9686edf2" url: "https://pub.dev" source: hosted - version: "2.2.12" + version: "2.2.15" path_provider_foundation: dependency: transitive description: name: path_provider_foundation - sha256: f234384a3fdd67f989b4d54a5d73ca2a6c422fa55ae694381ae0f4375cd1ea16 + sha256: "4843174df4d288f5e29185bd6e72a6fbdf5a4a4602717eed565497429f179942" url: "https://pub.dev" source: hosted - version: "2.4.0" + version: "2.4.1" path_provider_linux: dependency: transitive description: @@ -569,10 +577,10 @@ packages: dependency: transitive description: name: shared_preferences_android - sha256: "3b9febd815c9ca29c9e3520d50ec32f49157711e143b7a4ca039eb87e8ade5ab" + sha256: "7f172d1b06de5da47b6264c2692ee2ead20bbbc246690427cdb4fc301cd0c549" url: "https://pub.dev" source: hosted - version: "2.3.3" + version: "2.3.4" shared_preferences_foundation: dependency: transitive description: @@ -686,10 +694,10 @@ packages: dependency: transitive description: name: timezone - sha256: "2236ec079a174ce07434e89fcd3fcda430025eb7692244139a9cf54fdcf1fc7d" + sha256: ffc9d5f4d1193534ef051f9254063fa53d588609418c84299956c3db9383587d url: "https://pub.dev" source: hosted - version: "0.9.4" + version: "0.10.0" typed_data: dependency: transitive description: 
@@ -718,34 +726,34 @@ packages: dependency: transitive description: name: url_launcher_android - sha256: "8fc3bae0b68c02c47c5c86fa8bfa74471d42687b0eded01b78de87872db745e2" + sha256: "6fc2f56536ee873eeb867ad176ae15f304ccccc357848b351f6f0d8d4a40d193" url: "https://pub.dev" source: hosted - version: "6.3.12" + version: "6.3.14" url_launcher_ios: dependency: transitive description: name: url_launcher_ios - sha256: e43b677296fadce447e987a2f519dcf5f6d1e527dc35d01ffab4fff5b8a7063e + sha256: "16a513b6c12bb419304e72ea0ae2ab4fed569920d1c7cb850263fe3acc824626" url: "https://pub.dev" source: hosted - version: "6.3.1" + version: "6.3.2" url_launcher_linux: dependency: transitive description: name: url_launcher_linux - sha256: e2b9622b4007f97f504cd64c0128309dfb978ae66adbe944125ed9e1750f06af + sha256: "4e9ba368772369e3e08f231d2301b4ef72b9ff87c31192ef471b380ef29a4935" url: "https://pub.dev" source: hosted - version: "3.2.0" + version: "3.2.1" url_launcher_macos: dependency: transitive description: name: url_launcher_macos - sha256: "769549c999acdb42b8bcfa7c43d72bf79a382ca7441ab18a808e101149daf672" + sha256: "17ba2000b847f334f16626a574c702b196723af2a289e7a93ffcb79acff855c2" url: "https://pub.dev" source: hosted - version: "3.2.1" + version: "3.2.2" url_launcher_platform_interface: dependency: transitive description: 
@@ -798,18 +806,18 @@ packages: dependency: transitive description: name: video_player_android - sha256: "2800d68d6d5b4c22da62453568ed68e63c35bea524d4fa42062e53d6bb591433" + sha256: "391e092ba4abe2f93b3e625bd6b6a6ec7d7414279462c1c0ee42b5ab8d0a0898" url: "https://pub.dev" source: hosted - version: "2.7.13" + version: "2.7.16" video_player_avfoundation: dependency: transitive description: name: video_player_avfoundation - sha256: cd5ab8a8bc0eab65ab0cea40304097edc46da574c8c1ecdee96f28cd8ef3792f + sha256: f498e44a547a3572a928fa30ac8760e127d5e5fc86b81b10b0d56300866322f3 url: "https://pub.dev" source: hosted - version: "2.6.2" + version: "2.6.4" video_player_platform_interface: dependency: transitive description: @@ -822,10 +830,10 @@ packages: dependency: transitive description: name: video_player_web - sha256: "6dcdd298136523eaf7dfc31abaf0dfba9aa8a8dbc96670e87e9d42b6f2caf774" + sha256: "881b375a934d8ebf868c7fb1423b2bfaa393a0a265fa3f733079a86536064a10" url: "https://pub.dev" source: hosted - version: "2.3.2" + version: "2.3.3" vm_service: dependency: transitive description: @@ -887,18 +895,18 @@ packages: dependency: transitive description: name: webview_flutter_wkwebview - sha256: d4034901d96357beb1b6717ebf7d583c88e40cfc6eb85fe76dd1bf0979a9f251 + sha256: b7e92f129482460951d96ef9a46b49db34bd2e1621685de26e9eaafd9674e7eb url: "https://pub.dev" source: hosted - version: "3.16.0" + version: "3.16.3" win32: dependency: transitive description: name: win32 - sha256: "2735daae5150e8b1dfeb3eb0544b4d3af0061e9e82cef063adcd583bdae4306a" + sha256: "8b338d4486ab3fbc0ba0db9f9b4f5239b6697fcee427939a40e720cbb9ee0a69" url: "https://pub.dev" source: hosted - version: "5.7.0" + version: "5.9.0" win32_registry: dependency: transitive description: