From 122dcd0f66bdbc3ca0bd07855a9d9765e7f5d316 Mon Sep 17 00:00:00 2001
From: Weston Pace
Date: Thu, 2 Jul 2026 16:54:34 -0700
Subject: [PATCH] chore: ignore RUSTSEC-2026-0194 and RUSTSEC-2026-0195 in cargo deny (#3616)

quick-xml < 0.41.0 has two DoS advisories (quadratic attribute-name check and unbounded namespace allocation in NsReader). All three versions in our lockfile (0.26.0, 0.38.4, 0.39.4) are below the patched threshold. These are pulled in transitively by inferno (dev-only flame-graph dep), lance-namespace-impls (git dep from lance), and opendal/reqsign (cloud storage XML parsing). None of these paths expose attacker- controlled XML; clearing them requires upstream to upgrade to quick-xml >= 0.41.0.

Co-authored-by: Claude Sonnet 4.6
---
deny.toml | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/deny.toml b/deny.toml
index a34901fdb..154737b7e 100644
--- a/deny.toml
+++ b/deny.toml
@@ -119,6 +119,18 @@ ignore = [
 # https://rustsec.org/advisories/RUSTSEC-2026-0177
 { id = "RUSTSEC-2026-0176", reason = "pyo3 in Python bindings; awaiting patched pyo3 release" },
 { id = "RUSTSEC-2026-0177", reason = "pyo3 in Python bindings; awaiting patched pyo3 release" },
+
+ # quick-xml < 0.41.0: quadratic runtime on duplicate attribute names (DoS).
+ # quick-xml < 0.41.0: unbounded namespace-declaration allocation in NsReader (DoS).
+ # Pulled in transitively by inferno (dev-only flame-graph dep), lance-namespace-impls
+ # (git dep from lance), and opendal/reqsign (cloud storage XML parsing). The XML
+ # parsed by opendal/reqsign comes from trusted cloud-storage endpoints (S3, GCS,
+ # Azure), not attacker-controlled input. Clearing requires upstream crates to migrate
+ # to quick-xml >= 0.41.0.
+ # https://rustsec.org/advisories/RUSTSEC-2026-0194
+ # https://rustsec.org/advisories/RUSTSEC-2026-0195
+ { id = "RUSTSEC-2026-0194", reason = "transitive via inferno/lance/opendal; XML from trusted cloud endpoints, not attacker-controlled" },
+ { id = "RUSTSEC-2026-0195", reason = "transitive via inferno/lance/opendal; XML from trusted cloud endpoints, not attacker-controlled" },
 ]
 
 # ---------------------------------------------------------------------------
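Review bot: The `reason` strings on the two new entries (`RUSTSEC-2026-0194`, `RUSTSEC-2026-0195`) state "XML from trusted cloud endpoints, not attacker-controlled" as a fact, but for the opendal/reqsign path that holds only while the object-store endpoint is operator-configured and reached over verified TLS; a user- or tenant-supplied S3-compatible `endpoint`, a self-hosted store, or a client with certificate verification relaxed puts a hostile responder in exactly the position these two DoS advisories (quadratic attribute-name handling, unbounded namespace allocation) require. The comment block should record that boundary instead of a blanket claim, e.g. `# Assumption: storage endpoints are operator-configured and reached over verified TLS; revisit if user-supplied endpoints are ever accepted.`. The hunk also gives no condition for removing the ignores, so they can outlive the advisories; a line such as `# Remove once inferno, lance-namespace-impls and opendal/reqsign all resolve to quick-xml >= 0.41.0 (check with cargo tree -i quick-xml).` makes the exit criterion checkable. The `lance-namespace-impls` path is described only as a git dep, and I cannot tell from this hunk what XML it parses or from where, so the "not attacker-controlled" claim for that crate should either be justified in its own sentence or hedged.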