RUSTSEC-2022-0055: No default limit put on request bodies

[github-actions]

No default limit put on request bodies

Details
Package	axum-core
Version	0.1.2
URL	tokio-rs/axum#1346
Date	2022-08-31
Patched versions	>=0.2.8, <0.3.0-rc.1,>=0.3.0-rc.2

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by
default, set a limit for the size of the request body. That meant if a malicious
peer would send a very large (or infinite) body your server might run out of
memory and crash.

This also applies to these extractors which used Bytes::from_request
internally:

• axum::extract::Form
• axum::extract::Json
• String

The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.

Because axum depends on axum-core it is vulnerable as well. The vulnerable
versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and
>= 0.6.0.rc.2 does have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.

See advisory page for additional details.

[alvra]

This was resolved with dce1891.

Note that the issue doesn't affect the safety of this package because axum is a dev-dependency that is used only for testing against a controlled client.