Merge pull request #461 from EspressoSystems/ma/remove-tempdir-crate

Cargo audit fixes, separate CI job

.cargo/audit.toml

@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+    # remove_dir_all (used by deprecated tempdir crate)
+    "RUSTSEC-2023-0018",
+    # DoS in WebPKI that comes with tide_disco
+    "RUSTSEC-2023-0052",
+    # Tungstenite allows remote attackers to cause a denial of service
+    # Dependency of async-tungstenite -> tide-websockets / surf-disco
+    "RUSTSEC-2023-0065",
+]

.github/workflows/audit.yml

@@ -0,0 +1,19 @@
+name: Security audit
+on:
+  push:
+    # For PR we only want to fail if dependencies were changed.
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  # Run the audit job once a day on main.
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # See https://github.com/marketplace/actions/rust-audit-check for docs
+      - uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build.yml

@@ -48,9 +48,6 @@ jobs:
           token: ${{ github.token }}
           args: --workspace --all-features --all-targets -- -D warnings
 
-      - name: Audit
-        run: cargo audit --ignore RUSTSEC-2023-0018 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2023-0065
-
       - name: Build
         # Build in release without `testing` feature, this should work without `hotshot_example` config.
         run: |

Cargo.toml

@@ -51,7 +51,7 @@ testing = [
 	"portpicker",
 	"rand",
 	"spin_sleep",
-	"tempdir",
+	"tempfile",
 ]
 
 [[example]]
@@ -111,7 +111,7 @@ hotshot-example-types = { git = "https://github.com/EspressoSystems/HotShot.git"
 portpicker = { version = "0.1", optional = true }
 rand = { version = "0.8", optional = true }
 spin_sleep = { version = "1.2", optional = true }
-tempdir = { version = "0.3", optional = true }
+tempfile = { version = "3.10", optional = true }
 
 # Dependencies enabled by feature "backtrace-on-stack-overflow".
 #
@@ -132,4 +132,4 @@ portpicker = "0.1"
 rand = "0.8"
 spin_sleep = "1.2"
 surf = "2.3"
-tempdir = "0.3"
+tempfile = "3.10"

examples/simple-server.rs

@@ -72,7 +72,7 @@ async fn init_db() -> Db {
 
 #[cfg(target_os = "windows")]
 async fn init_db() -> Db {
-    Db::new("simple-server-db").unwrap()
+    Db::new().unwrap()
 }
 
 #[cfg(not(target_os = "windows"))]

src/availability.rs

@@ -497,7 +497,7 @@ mod test {
     use portpicker::pick_unused_port;
     use std::time::Duration;
     use surf_disco::Client;
-    use tempdir::TempDir;
+    use tempfile::TempDir;
     use tide_disco::App;
     use toml::toml;
 
@@ -869,7 +869,7 @@ mod test {
     async fn test_extensions() {
         setup_test();
 
-        let dir = TempDir::new("test_availability_extensions").unwrap();
+        let dir = TempDir::new().unwrap();
         let mut data_source = ExtensibleDataSource::new(
             MockDataSource::create(dir.path(), Default::default())
                 .await

src/data_source/fs.rs

@@ -236,16 +236,16 @@ mod impl_testable_data_source {
     };
     use async_trait::async_trait;
     use hotshot::types::Event;
-    use tempdir::TempDir;
+    use tempfile::TempDir;
 
     #[async_trait]
     impl<P: AvailabilityProvider<MockTypes> + Default> DataSourceLifeCycle
         for FileSystemDataSource<MockTypes, P>
     {
         type Storage = TempDir;
 
-        async fn create(node_id: usize) -> Self::Storage {
-            TempDir::new(&format!("file_system_data_source_{node_id}")).unwrap()
+        async fn create(_node_id: usize) -> Self::Storage {
+            TempDir::new().unwrap()
         }
 
         async fn connect(storage: &Self::Storage) -> Self {

src/data_source/storage/ledger_log.rs

@@ -271,13 +271,13 @@ mod test {
     use super::*;
     use crate::testing::setup_test;
     use atomic_store::AtomicStore;
-    use tempdir::TempDir;
+    use tempfile::TempDir;
 
     #[async_std::test]
     async fn test_ledger_log_creation() {
         setup_test();
 
-        let dir = TempDir::new("test_ledger_log").unwrap();
+        let dir = TempDir::new().unwrap();
 
         // Create and populuate a log.
         {
@@ -307,7 +307,7 @@ mod test {
     async fn test_ledger_log_insert() {
         setup_test();
 
-        let dir = TempDir::new("test_ledger_log").unwrap();
+        let dir = TempDir::new().unwrap();
         let mut loader = AtomicStoreLoader::create(dir.path(), "test_ledger_log").unwrap();
         let mut log = LedgerLog::<u64>::create(&mut loader, "ledger", 3).unwrap();
         let mut store = AtomicStore::open(loader).unwrap();
@@ -351,7 +351,7 @@ mod test {
     async fn test_ledger_log_iter() {
         setup_test();
 
-        let dir = TempDir::new("test_ledger_log").unwrap();
+        let dir = TempDir::new().unwrap();
         let mut loader = AtomicStoreLoader::create(dir.path(), "test_ledger_log").unwrap();
         let mut log = LedgerLog::<u64>::create(&mut loader, "ledger", 3).unwrap();
         let mut store = AtomicStore::open(loader).unwrap();

src/data_source/storage/pruning.rs

@@ -1,3 +1,15 @@
+// Copyright (c) 2022 Espresso Systems (espressosys.com)
+// This file is part of the HotShot Query Service library.
+//
+// This program is free software: you can redistribute it and/or modify it under the terms of the GNU
+// General Public License as published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+// This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+// even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+// You should have received a copy of the GNU General Public License along with this program. If not,
+// see <https://www.gnu.org/licenses/>.
+
 use anyhow::bail;
 use async_trait::async_trait;
 use std::error::Error;

src/lib.rs

@@ -564,7 +564,7 @@ mod test {
     use std::ops::RangeBounds;
     use std::time::Duration;
     use surf_disco::Client;
-    use tempdir::TempDir;
+    use tempfile::TempDir;
     use tide_disco::App;
     use toml::toml;
 
@@ -703,7 +703,7 @@ mod test {
 
     #[async_std::test]
     async fn test_composition() {
-        let dir = TempDir::new("test_composition").unwrap();
+        let dir = TempDir::new().unwrap();
         let mut loader = AtomicStoreLoader::create(dir.path(), "test_composition").unwrap();
         let mut hotshot_qs = MockDataSource::create_with_store(&mut loader, Default::default())
             .await

src/node.rs

@@ -200,7 +200,7 @@ mod test {
     use portpicker::pick_unused_port;
     use std::time::Duration;
     use surf_disco::Client;
-    use tempdir::TempDir;
+    use tempfile::TempDir;
     use tide_disco::App;
     use toml::toml;
 
@@ -360,7 +360,7 @@ mod test {
     async fn test_extensions() {
         setup_test();
 
-        let dir = TempDir::new("test_node_extensions").unwrap();
+        let dir = TempDir::new().unwrap();
         let data_source = ExtensibleDataSource::new(
             MockDataSource::create(dir.path(), Default::default())
                 .await

src/status.rs

@@ -133,7 +133,7 @@ mod test {
     use std::str::FromStr;
     use std::time::Duration;
     use surf_disco::Client;
-    use tempdir::TempDir;
+    use tempfile::TempDir;
     use tide_disco::{App, Url};
     use toml::toml;
 
@@ -240,7 +240,7 @@ mod test {
     async fn test_extensions() {
         setup_test();
 
-        let dir = TempDir::new("test_status_extensions").unwrap();
+        let dir = TempDir::new().unwrap();
         let data_source = ExtensibleDataSource::new(
             MockDataSource::create(dir.path(), Default::default())
                 .await