AWS WebIdentityToken exposure in log files #2719

Closed
wkargul opened this issue Jul 30, 2024 · 8 comments
Assignees: rtyler
Labels: binding/rust (Issues for the Rust crate), bug (Something isn't working)

Comments

wkargul commented Jul 30, 2024

https://rustsec.org/advisories/RUSTSEC-2024-0358

When using AWS WebIdentityTokens with the object_store crate, in the event of
a failure and automatic retry, the underlying reqwest error, including the
full URL with the credentials, potentially in the parameters, is written to the
logs.

 object_store v0.9.1
      └── datafusion-proto-common v39.0.0
          └── datafusion-proto v39.0.0
              └── deltalake-core v0.18.1
                  ├── deltalake v0.18.1
                  │   └── raw-service v1.0.4
                  └── deltalake-aws v0.1.2
                      └── deltalake v0.18.1 (*)
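The leak described above happens when an error's display text carries the request URL, query string included. As an added example that is neither object_store's nor the reporter's code, the Rust below redacts the values of sensitive query parameters before a URL or an error message containing one reaches a log line; the parameter list and the sample error string are assumptions made for the example.

```rust
// Added example (not object_store's code): strip credential-bearing query values
// from URLs before they are logged. Standard library only.

/// Query parameters whose values must never be logged. The list is an
/// assumption for this example; extend it for your own services.
const SENSITIVE_PARAMS: &[&str] = &[
    "WebIdentityToken",
    "X-Amz-Security-Token",
    "X-Amz-Credential",
    "X-Amz-Signature",
];

/// Return `url` with the value of every sensitive query parameter replaced by
/// `[REDACTED]`. Other parameters and any fragment are kept unchanged.
pub fn redact_url(url: &str) -> String {
    // Split off the fragment first so it is not treated as part of the query.
    let (without_frag, fragment) = match url.find('#') {
        Some(i) => (&url[..i], Some(&url[i..])),
        None => (url, None),
    };
    let q = match without_frag.find('?') {
        Some(q) => q,
        None => return url.to_string(), // no query string, nothing to redact
    };
    let (base, query) = (&without_frag[..q], &without_frag[q + 1..]);
    let redacted: Vec<String> = query
        .split('&')
        .map(|pair| match pair.split_once('=') {
            // Parameter names are matched case-insensitively.
            Some((k, _)) if SENSITIVE_PARAMS.iter().any(|s| s.eq_ignore_ascii_case(k)) => {
                format!("{k}=[REDACTED]")
            }
            _ => pair.to_string(),
        })
        .collect();
    let mut out = format!("{base}?{}", redacted.join("&"));
    if let Some(f) = fragment {
        out.push_str(f);
    }
    out
}

/// Redact every whitespace-delimited http(s) URL inside free-form error text,
/// e.g. the display output of a client error built from the request URL.
pub fn redact_message(msg: &str) -> String {
    msg.split_whitespace()
        .map(|w| if w.starts_with("http://") || w.starts_with("https://") { redact_url(w) } else { w.to_string() })
        .collect::<Vec<_>>()
        .join(" ")
}

fn main() {
    // Constructed sample of a failed STS call whose token rides in the query string.
    let err = "request failed after 3 retries: https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&Version=2011-06-15&WebIdentityToken=eyJhbGciOi.example.sig";
    println!("{}", redact_message(err));
}
```

Call `redact_message` on the error text at the point where it is handed to the logger, not after the fact, since once a token is in a log file it has to be treated as exposed.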
wkargul added the bug label Jul 30, 2024
rtyler (Member) commented Jul 30, 2024

Can you try a local cargo update? The dependencies of deltalake-core 0.18.1 specify a newer object_store, so I'm not sure how the dependency tree shared above is possible 😕

rtyler self-assigned this Jul 30, 2024
rtyler added the binding/rust label Jul 30, 2024
wkargul (Author) commented Jul 30, 2024

Tried cargo update -p object_store
and

error: There are multiple `object_store` packages in your project, and the specification `object_store` is ambiguous.
Please re-run this command with one of the following specifications:
  [email protected]
  [email protected]

wkargul (Author) commented Jul 30, 2024

Using deltalake = { version = "0.18.1", features = ["datafusion", "s3"] } in my Cargo.toml

rtyler (Member) commented Jul 30, 2024

I'm still unable to reproduce. With a new project and a cargo add --features datafusion,s3 I am only getting the latest object_store:

plantain% cargo tree | grep -rin "object_store"
    │   │   │   │   ├── in v0.10.1
    │   │   │   │   │   ├── in v0.10.1 (*)
    │   │   │   │   ├── in v0.10.1 (*)
    │   │   │   ├── in v0.10.1 (*)
    │   │   │   │   ├── in v0.10.1 (*)
    │   │   │   ├── in v0.10.1 (*)
    │   │   ├── in v0.10.1 (*)
    │   ├── in v0.10.1 (*)

wkargul (Author) commented Jul 30, 2024

I've removed target as well as tried with cargo clean; I still have the error.

wkargul (Author) commented Jul 30, 2024

deltalake-core v0.18.1 depends on datafusion-proto v39.0.0, which uses datafusion-proto-common v39.0.0, which uses the legacy object_store. @rtyler

rtyler (Member) commented Jul 30, 2024

Aha, I see that. That's effectively an error in the datafusion dependency chain, which we don't have a way to remedy other than upgrades. Our main branch has datafusion 40 already in it, and the next Rust crate releases will include it.

rtyler (Member) commented Aug 10, 2024

0.18.2 has the fix here, I believe.

rtyler closed this as completed Aug 10, 2024