🔒 Warden: Update vulnerable crates and cap unbounded reader #616
madmax983 wants to merge 1 commit into
Conversation
- Switched from `serde_yml` to `serde_yaml_ng` to resolve memory vulnerabilities.
- Updated `litellm-rs` and `ratatui` to remove vulnerable/unmaintained dependencies like `libyml` and `paste`, and resolve `lru` stacked borrow violation.
- Capped unbounded `tokio` socket reader with `.take()` to prevent memory exhaustion DoS.
- Fixed pedantic Clippy warnings.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Code Review
This pull request updates several dependencies, including upgrading ratatui to 0.30, litellm-rs to 0.5.0, and replacing serde_yml with serde_yaml_ng. It also introduces a 1MB read limit on the socket in src/run/swebench.rs and refactors test timeout matches and helper functions in src/stream/sweep_webhook.rs. The review feedback suggests optimizing the socket reading logic in src/run/swebench.rs by calling .take() directly on the socket instead of wrapping it in a redundant BufReader, which avoids unnecessary memory allocations and simplifies the subsequent .into_inner() calls.
```rust
let reader = tokio::io::BufReader::new(socket);
let mut limited_reader = reader.take(1024 * 1024); // Cap to 1MB max reader length
```
Using BufReader here is redundant and inefficient because we are already reading in chunks of 8192 bytes. It also introduces unnecessary memory allocation and extra copying overhead on every connection, only to be discarded immediately after the loop. We can call .take() directly on the socket instead, which simplifies the code and avoids the double .into_inner() calls later.
```rust
let mut limited_reader = socket.take(1024 * 1024); // Cap to 1MB max reader length
```

```rust
let _ = limited_reader
    .into_inner()
    .into_inner()
```
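To show what the cap in this PR buys a defender, here is an added, self-contained example that is not code from the Warden repository or from the reviewer. It uses the synchronous `std::io::Read::take` instead of tokio's `AsyncReadExt::take` (same semantics: the wrapped reader reports EOF once the allowance is spent), applies `.take()` directly to the raw reader as the review suggests, so a single `into_inner()` recovers it, and uses a constructed never-ending stream, `EndlessZeros`, as a stand-in for a peer that keeps sending. The `read_capped` function and the `ReadOutcome` type are assumptions of this example, not names from the project.

```rust
use std::io::{self, Cursor, Read};

/// Cap matching the one the PR applies to the socket: 1 MiB.
pub const MAX_BODY_BYTES: u64 = 1024 * 1024;

/// Result of draining a capped reader.
#[derive(Debug, PartialEq)]
pub enum ReadOutcome {
    /// The peer closed the stream within the cap; every byte is here.
    Complete(Vec<u8>),
    /// The peer kept sending past the cap; `buffered` bytes were kept and
    /// the remainder was never read into memory.
    Truncated { buffered: usize },
}

/// Drain `source` in 8 KiB chunks but never hold more than `limit` bytes.
/// `Read::take` reports EOF once `limit` bytes have been handed out, so a
/// peer that never closes the connection cannot grow `buf` without bound.
pub fn read_capped<R: Read>(source: R, limit: u64) -> io::Result<ReadOutcome> {
    // `.take()` goes straight on the raw reader; no BufReader in between.
    let mut limited = source.take(limit);
    let mut buf = Vec::new();
    let mut chunk = [0u8; 8192];
    loop {
        let n = limited.read(&mut chunk)?;
        if n == 0 {
            break;
        }
        buf.extend_from_slice(&chunk[..n]);
    }
    // `limit()` is the remaining allowance. If any is left, the peer hit
    // real EOF before the cap and the body is complete.
    if limited.limit() > 0 {
        return Ok(ReadOutcome::Complete(buf));
    }
    // Allowance exhausted: the input was either exactly `limit` bytes or
    // oversized. Recover the raw reader with a single into_inner() and probe
    // for one more byte to tell the two apart without buffering any more.
    let mut raw = limited.into_inner();
    let mut probe = [0u8; 1];
    if raw.read(&mut probe)? == 0 {
        Ok(ReadOutcome::Complete(buf))
    } else {
        Ok(ReadOutcome::Truncated { buffered: buf.len() })
    }
}

/// Constructed stand-in for a hostile peer: a stream that never ends.
pub struct EndlessZeros;

impl Read for EndlessZeros {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        for b in out.iter_mut() {
            *b = 0;
        }
        Ok(out.len())
    }
}

fn main() -> io::Result<()> {
    // Well-behaved peer: a few bytes, then EOF.
    let small = read_capped(Cursor::new(b"hello".to_vec()), MAX_BODY_BYTES)?;
    println!("small input: {:?}", small);
    // Hostile peer: without the cap this loop would never terminate and the
    // buffer would grow until the process was killed.
    let hostile = read_capped(EndlessZeros, MAX_BODY_BYTES)?;
    println!("endless input: {:?}", hostile);
    Ok(())
}
```

Returning `Truncated` rather than an error lets the caller decide whether to drop the connection or log the peer; the important property is that memory use is bounded by `limit` plus one chunk regardless of how much the peer sends.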
Codecov Report
❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
## trunk #616 +/- ##
=======================================
Coverage 85.26% 85.26%
=======================================
Files 115 115
Lines 65856 65858 +2
=======================================
+ Hits 56150 56152 +2
Misses 9706 9706
`serde_yml` and `libyml` have unsound memory vulnerabilities. `lru@0.12.5` violates Stacked Borrows. `paste` is unmaintained. Unbounded network reader opened vector for memory exhaustion DoS.

Removed `serde_yml` and replaced it with `serde_yaml_ng`. Updated `litellm-rs` to `0.5.0` and `ratatui` to `0.30` to patch their vulnerable transient dependencies. Capped socket reader with `.take(1024 * 1024)`.

Ran `cargo audit` with no warnings remaining. Ran `cargo test` suite successfully.

PR created automatically by Jules for task 17265787013832725573 started by @madmax983