RUSTSEC-2022-0055: No default limit put on request bodies

[github-actions]

No default limit put on request bodies

Details
Package	axum-core
Version	0.1.2
URL	tokio-rs/axum#1346
Date	2022-08-31
Patched versions	>=0.2.8, <0.3.0-rc.1,>=0.3.0-rc.2

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by
default, set a limit for the size of the request body. That meant if a malicious
peer would send a very large (or infinite) body your server might run out of
memory and crash.

This also applies to these extractors which used Bytes::from_request
internally:

• axum::extract::Form
• axum::extract::Json
• String

The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.

Because axum depends on axum-core it is vulnerable as well. The vulnerable
versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and
>= 0.6.0.rc.2 does have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.

See advisory page for additional details.

[NicolaLS]

blocked on djc/askama#716

[dpc]

> cargo tree | grep axum
│   │   │   │   │   │   ├── axum v0.6.15
│   │   │   │   │   │   │   ├── axum-core v0.3.4
│   │   │   │   │   ├── axum v0.6.15 (*)
│   │   │   │   │   ├── axum-macros v0.3.7 (proc-macro)
│   ├── askama_axum v0.2.1
│   │   ├── axum-core v0.3.4 (*)
│   ├── axum v0.6.15 (*)
│   ├── axum-macros v0.3.7 (proc-macro) (*)
├── axum v0.6.15 (*)
├── axum-macros v0.3.7 (proc-macro) (*)