Update whoami to address vulerability

https://github.com/spkenv/spk/security/dependabot/7 Err on the safe side and generate a unique hostname if it can't be determined (on the spfs side) so runtime pruning doesn't think two runtimes from different hosts that couldn't determine the hostname are from the same host. Signed-off-by: J Robert Ray <jrray@jrray.org>
spkenv · Aug 7, 2024 · 379af46 · 379af46
1 parent e25d2bd
commit 379af46
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -146,7 +146,7 @@ tracing = "0.1.35"
 tracing-capture = "0.1"
 tracing-subscriber = "0.3.14"
 ulid = "1.0"
-whoami = "1.2"
+whoami = "1.5"
 windows = "0.51"
 winfsp = { version = "0.9.3", default-features = false }
 winfsp-sys = "0.2"

diff --git a/crates/spfs/src/config.rs b/crates/spfs/src/config.rs
@@ -63,14 +63,23 @@ static CONFIG: OnceCell<RwLock<Arc<Config>>> = OnceCell::new();
 #[serde(default)]
 pub struct User {
     pub name: String,
-    pub domain: String,
+    pub domain: Option<String>,
 }
 
 impl Default for User {
     fn default() -> Self {
         Self {
             name: whoami::username(),
-            domain: whoami::hostname(),
+            domain: whoami::fallible::hostname().ok(),
+        }
+    }
+}
+
+impl std::fmt::Display for User {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match &self.domain {
+            Some(domain) => write!(f, "{}@{}", self.name, domain),
+            None => write!(f, "{}", self.name),
         }
     }
 }

diff --git a/crates/spfs/src/runtime/storage.rs b/crates/spfs/src/runtime/storage.rs
@@ -73,7 +73,8 @@ impl Default for Author {
     fn default() -> Self {
         Self {
             user_name: whoami::username(),
-            host_name: whoami::hostname(),
+            host_name: whoami::fallible::hostname()
+                .unwrap_or_else(|_| format!("unk-{}", ulid::Ulid::new())),
             created: chrono::Local::now(),
         }
     }

diff --git a/crates/spfs/src/tracking/tag.rs b/crates/spfs/src/tracking/tag.rs
@@ -41,7 +41,7 @@ impl Tag {
             name: spec.name(),
             target,
             parent: encoding::NULL_DIGEST.into(),
-            user: format!("{}@{}", config.user.name, config.user.domain),
+            user: format!("{}", config.user),
             time: Utc::now().trunc_subsecs(6), // ignore microseconds
         })
     }