Commit 5b8417e

Assigned RUSTSEC-2024-0343 to nano-id (#1975)
Co-authored-by: Shnatsel <[email protected]>
1 parent d40f029 commit 5b8417e

2 files changed

+74
-74
lines changed

.duplicate-id-guard

Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,3 @@
11
This file causes merge conflicts if two ID assignment jobs run concurrently.
22
This prevents duplicate ID assignment due to a race between those jobs.
3-
033b059b6cbbf2107fc1270372f4f929601a920f3927c9d46b3f1f937901c634 -
3+
355219d456e3bebbb0dae3cfbd423aff2ade3ac94ad1e1823fc344e6b5eae139 -
Lines changed: 73 additions & 73 deletions
@@ -1,73 +1,73 @@
1-
```toml
2-
[advisory]
3-
id = "RUSTSEC-0000-0000"
4-
package = "nano-id"
5-
date = "2024-06-03"
6-
categories = ["crypto-failure"]
7-
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
8-
9-
[affected]
10-
functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] }
11-
12-
[versions]
13-
patched = [">= 0.4.0"]
14-
```
15-
16-
# Reduced entropy due to inadequate character set usage
17-
18-
## Description
19-
20-
Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.
21-
22-
It should be noted that `nano_id::base64` is not affected by this vulnerability.
23-
24-
## Impact
25-
26-
This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.
27-
28-
## Patches
29-
30-
The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly.
31-
32-
## PoC
33-
34-
```rust
35-
use std::collections::BTreeSet;
36-
37-
fn main() {
38-
test_base58();
39-
test_base62();
40-
}
41-
42-
fn test_base58() {
43-
let mut produced_symbols = BTreeSet::new();
44-
45-
for _ in 0..100_000 {
46-
let id = nano_id::base58::<10>();
47-
for c in id.chars() {
48-
produced_symbols.insert(c);
49-
}
50-
}
51-
52-
println!(
53-
"{} symbols generated from nano_id::base58",
54-
produced_symbols.len()
55-
);
56-
}
57-
58-
fn test_base62() {
59-
let mut produced_symbols = BTreeSet::new();
60-
61-
for _ in 0..100_000 {
62-
let id = nano_id::base62::<10>();
63-
for c in id.chars() {
64-
produced_symbols.insert(c);
65-
}
66-
}
67-
68-
println!(
69-
"{} symbols generated from nano_id::base62",
70-
produced_symbols.len()
71-
);
72-
}
73-
```
1+
```toml
2+
[advisory]
3+
id = "RUSTSEC-2024-0343"
4+
package = "nano-id"
5+
date = "2024-06-03"
6+
categories = ["crypto-failure"]
7+
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
8+
9+
[affected]
10+
functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] }
11+
12+
[versions]
13+
patched = [">= 0.4.0"]
14+
```
15+
16+
# Reduced entropy due to inadequate character set usage
17+
18+
## Description
19+
20+
Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.
21+
22+
It should be noted that `nano_id::base64` is not affected by this vulnerability.
23+
24+
## Impact
25+
26+
This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.
27+
28+
## Patches
29+
30+
The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly.
31+
32+
## PoC
33+
34+
```rust
35+
use std::collections::BTreeSet;
36+
37+
fn main() {
38+
test_base58();
39+
test_base62();
40+
}
41+
42+
fn test_base58() {
43+
let mut produced_symbols = BTreeSet::new();
44+
45+
for _ in 0..100_000 {
46+
id = "RUSTSEC-2024-0343"
47+
for c in id.chars() {
48+
produced_symbols.insert(c);
49+
}
50+
}
51+
52+
println!(
53+
"{} symbols generated from nano_id::base58",
54+
produced_symbols.len()
55+
);
56+
}
57+
58+
fn test_base62() {
59+
let mut produced_symbols = BTreeSet::new();
60+
61+
for _ in 0..100_000 {
62+
id = "RUSTSEC-2024-0343"
63+
for c in id.chars() {
64+
produced_symbols.insert(c);
65+
}
66+
}
67+
68+
println!(
69+
"{} symbols generated from nano_id::base62",
70+
produced_symbols.len()
71+
);
72+
}
73+
```
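Review bot: The PoC on the added side no longer compiles: in both the `test_base58` and `test_base62` loops, the line that generated an ID (`let id = nano_id::base58::<10>();` and `let id = nano_id::base62::<10>();` on the removed side) now reads `id = "RUSTSEC-2024-0343"`, so `id` is never declared and the loops no longer call the affected functions whose reduced character sets the advisory describes. Assigning the advisory ID should only change the `id = "RUSTSEC-0000-0000"` line in the TOML front matter; restore the two `let id = nano_id::base5x::<10>();` calls so the PoC still reproduces the 16- and 32-symbol alphabets. Minor: "the the" in the Patches section is a duplicated word.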
