refactor(request-reponse): replace serde_cbor with cbor4ii

As per `RUSTSEC-2021-0127`, serde_cbor is unmaintained. Fixes #4182. Related: rustsec/advisory-db#1114. Pull-Request: #4187.
libp2p · Jul 20, 2023 · 52cf26f · 52cf26f
1 parent b18c77e
commit 52cf26f
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 30 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -86,7 +86,7 @@ libp2p-pnet = { version = "0.23.0", path = "transports/pnet" }
 libp2p-quic = { version = "0.8.0-alpha", path = "transports/quic" }
 libp2p-relay = { version = "0.16.1", path = "protocols/relay" }
 libp2p-rendezvous = { version = "0.13.0", path = "protocols/rendezvous" }
-libp2p-request-response = { version = "0.25.0", path = "protocols/request-response" }
+libp2p-request-response = { version = "0.25.1", path = "protocols/request-response" }
 libp2p-swarm = { version = "0.43.1", path = "swarm" }
 libp2p-swarm-derive = { version = "0.33.0", path = "swarm-derive" }
 libp2p-swarm-test = { version = "0.2.0", path = "swarm-test" }

diff --git a/protocols/request-response/CHANGELOG.md b/protocols/request-response/CHANGELOG.md
@@ -1,4 +1,11 @@
-## 0.25.0 
+## 0.25.1 - unreleased
+
+- Replace unmaintained `serde_cbor` dependency with `cbor4ii`.
+  See [PR 4187].
+
+[PR 4187]: https://github.com/libp2p/rust-libp2p/pull/4187
+
+## 0.25.0
 
 - Add `request_response::json::Behaviour` and `request_response::cbor::Behaviour` building on top of the `serde` traits.
   To conveniently construct these, we remove the `Codec` parameter from `Behaviour::new` and add `Behaviour::with_codec`.

diff --git a/protocols/request-response/Cargo.toml b/protocols/request-response/Cargo.toml
@@ -3,7 +3,7 @@ name = "libp2p-request-response"
 edition = "2021"
 rust-version = { workspace = true }
 description = "Generic Request/Response Protocols"
-version = "0.25.0"
+version = "0.25.1"
 authors = ["Parity Technologies <admin@parity.io>"]
 license = "MIT"
 repository = "https://github.com/libp2p/rust-libp2p"
@@ -12,6 +12,7 @@ categories = ["network-programming", "asynchronous"]
 
 [dependencies]
 async-trait = "0.1"
+cbor4ii = { version = "0.3.1", features = ["serde1", "use_std"], optional = true }
 futures = "0.3.28"
 instant = "0.1.12"
 libp2p-core = { workspace = true }
@@ -20,14 +21,13 @@ libp2p-identity = { workspace = true }
 rand = "0.8"
 serde = { version = "1.0", optional = true}
 serde_json = { version = "1.0.100", optional = true }
-serde_cbor = { version = "0.11.2", optional = true }
 smallvec = "1.11.0"
 void = "1.0.2"
 log = "0.4.19"
 
 [features]
 json = ["dep:serde", "dep:serde_json", "libp2p-swarm/macros"]
-cbor = ["dep:serde", "dep:serde_cbor", "libp2p-swarm/macros"]
+cbor = ["dep:serde", "dep:cbor4ii", "libp2p-swarm/macros"]
 
 [dev-dependencies]
 async-std = { version = "1.6.2", features = ["attributes"] }

diff --git a/protocols/request-response/src/cbor.rs b/protocols/request-response/src/cbor.rs
@@ -18,7 +18,8 @@
 // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 // DEALINGS IN THE SOFTWARE.
 
-/// A request-response behaviour using [`serde_cbor`] for serializing and deserializing the messages.
+/// A request-response behaviour using [`cbor4ii::serde`] for serializing and
+/// deserializing the messages.
 ///
 /// # Example
 ///
@@ -44,11 +45,12 @@ pub type Behaviour<Req, Resp> = crate::Behaviour<codec::Codec<Req, Resp>>;
 
 mod codec {
     use async_trait::async_trait;
+    use cbor4ii::core::error::DecodeError;
     use futures::prelude::*;
     use futures::{AsyncRead, AsyncWrite};
     use libp2p_swarm::StreamProtocol;
     use serde::{de::DeserializeOwned, Serialize};
-    use std::{io, marker::PhantomData};
+    use std::{collections::TryReserveError, convert::Infallible, io, marker::PhantomData};
 
     /// Max request size in bytes
     const REQUEST_SIZE_MAXIMUM: u64 = 1024 * 1024;
@@ -91,7 +93,7 @@ mod codec {
 
             io.take(REQUEST_SIZE_MAXIMUM).read_to_end(&mut vec).await?;
 
-            serde_cbor::from_slice(vec.as_slice()).map_err(into_io_error)
+            cbor4ii::serde::from_slice(vec.as_slice()).map_err(decode_into_io_error)
         }
 
         async fn read_response<T>(&mut self, _: &Self::Protocol, io: &mut T) -> io::Result<Resp>
@@ -102,7 +104,7 @@ mod codec {
 
             io.take(RESPONSE_SIZE_MAXIMUM).read_to_end(&mut vec).await?;
 
-            serde_cbor::from_slice(vec.as_slice()).map_err(into_io_error)
+            cbor4ii::serde::from_slice(vec.as_slice()).map_err(decode_into_io_error)
         }
 
         async fn write_request<T>(
@@ -114,7 +116,8 @@ mod codec {
         where
             T: AsyncWrite + Unpin + Send,
         {
-            let data: Vec<u8> = serde_cbor::to_vec(&req).map_err(into_io_error)?;
+            let data: Vec<u8> =
+                cbor4ii::serde::to_vec(Vec::new(), &req).map_err(encode_into_io_error)?;
 
             io.write_all(data.as_ref()).await?;
 
@@ -130,23 +133,34 @@ mod codec {
         where
             T: AsyncWrite + Unpin + Send,
         {
-            let data: Vec<u8> = serde_cbor::to_vec(&resp).map_err(into_io_error).unwrap();
+            let data: Vec<u8> =
+                cbor4ii::serde::to_vec(Vec::new(), &resp).map_err(encode_into_io_error)?;
 
             io.write_all(data.as_ref()).await?;
 
             Ok(())
         }
     }
 
-    fn into_io_error(err: serde_cbor::Error) -> io::Error {
-        if err.is_syntax() || err.is_data() {
-            return io::Error::new(io::ErrorKind::InvalidData, err);
-        }
-
-        if err.is_eof() {
-            return io::Error::new(io::ErrorKind::UnexpectedEof, err);
+    fn decode_into_io_error(err: cbor4ii::serde::DecodeError<Infallible>) -> io::Error {
+        match err {
+            cbor4ii::serde::DecodeError::Core(DecodeError::Read(e)) => {
+                io::Error::new(io::ErrorKind::Other, e)
+            }
+            cbor4ii::serde::DecodeError::Core(e @ DecodeError::Unsupported { .. }) => {
+                io::Error::new(io::ErrorKind::Unsupported, e)
+            }
+            cbor4ii::serde::DecodeError::Core(e @ DecodeError::Eof { .. }) => {
+                io::Error::new(io::ErrorKind::UnexpectedEof, e)
+            }
+            cbor4ii::serde::DecodeError::Core(e) => io::Error::new(io::ErrorKind::InvalidData, e),
+            cbor4ii::serde::DecodeError::Custom(e) => {
+                io::Error::new(io::ErrorKind::Other, e.to_string())
+            }
         }
+    }
 
+    fn encode_into_io_error(err: cbor4ii::serde::EncodeError<TryReserveError>) -> io::Error {
         io::Error::new(io::ErrorKind::Other, err)
     }
 }