From f0b7f55bf515f85bdb72975f355e297badc8a2f4 Mon Sep 17 00:00:00 2001 
From: ysaito1001
Date: Mon, 31 Oct 2022 15:06:09 -0500
Subject: [PATCH] Fix cargo audit issue on chrono (#1907)
* Avoid the chrono crate depending on the time crate
This commit is in response to RUSTSEC-2020-0071 where there is a potential segfault in the time crate. The aws-smithy-types-convert crate now disables the default features of the chrono crate so that it will not depend on the time crate.
* Depend on lambda_http without RUSTSEC-2020-0071
This commit updates the version of lambda_http used by aws-smithy-http-server and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of lambda_http used the chrono crate in a way that exposed a security issue described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those two crates do not exhibit vulnerabilities as reported by cargo audit.
* Bump minor version of lambda_http in pokemon-service
This commit updates the version of `lambda_http` used by `pokemon-service` from 0.6.0 to 0.7.0. This is in sync with the fact that both `aws-smithy-http-server` and `aws-smithy-http-server-python` now depend on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service` to fail to compile due to an error at `lambda_http::run(handler)` in the main function of the `pokemon-service-lambda` binary: the trait `Service>` is not implemented for `LambdaHandler`
* Depend on lambda-http 0.7.1
This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in the crates within the top-level `rust-runtime` workspace.
These updates are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556
* Update CHANGELOG.next.toml
* Address https://github.com/awslabs/smithy-rs/pull/1907\#pullrequestreview-1161609833
Co-authored-by: Saito
Co-authored-by: Zelda Hessler
---
CHANGELOG.next.toml | 6 ++++++
rust-runtime/aws-smithy-http-server-python/Cargo.toml | 2 +-
rust-runtime/aws-smithy-http-server/Cargo.toml | 2 +-
.../examples/pokemon-service/Cargo.toml | 2 +-
rust-runtime/aws-smithy-types-convert/Cargo.toml | 2 +-
5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
index 4be2815b37..64cfb40a1e 100644
--- a/CHANGELOG.next.toml
+++ b/CHANGELOG.next.toml
@@ -67,3 +67,9 @@ message = "Upgrade Smithy to v1.26"
 references = ["smithy-rs#1929"]
 meta = { "breaking" = false, "tada" = true, "bug" = false, "target" = "all"}
 author = "Velfi"
+
+[[smithy-rs]]
+message = "Fix cargo audit issue on chrono."
+references = ["smithy-rs#1907"]
+meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "all" }
+author = "ysaito1001"
diff --git a/rust-runtime/aws-smithy-http-server-python/Cargo.toml b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
index 52e1e537af..1a4e4098b0 100644
--- a/rust-runtime/aws-smithy-http-server-python/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
@@ -22,7 +22,7 @@ bytes = "1.2"
 futures = "0.3"
 http = "0.2"
 hyper = { version = "0.14.20", features = ["server", "http1", "http2", "tcp", "stream"] }
-lambda_http = "0.6.0"
+lambda_http = "0.7.1"
 num_cpus = "1.13.1"
 parking_lot = "0.12.1"
 pin-project-lite = "0.2"
diff --git a/rust-runtime/aws-smithy-http-server/Cargo.toml b/rust-runtime/aws-smithy-http-server/Cargo.toml
index 055b7aab8c..10888a09e5 100644
--- a/rust-runtime/aws-smithy-http-server/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server/Cargo.toml
@@ -26,7 +26,7 @@ futures-util = { version = "0.3", default-features = false }
 http = "0.2"
 http-body = "0.4"
 hyper = { version = "0.14.12", features = ["server", "http1", "http2", "tcp", "stream"] }
-lambda_http = "0.6.0"
+lambda_http = "0.7.1"
 mime = "0.3"
 nom = "7"
 pin-project-lite = "0.2"
diff --git a/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml b/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
index f1b842f7e3..e6a078f897 100644
--- a/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
+++ b/rust-runtime/aws-smithy-http-server/examples/pokemon-service/Cargo.toml
@@ -37,7 +37,7 @@ rustls-pemfile = "1.0.1"
 futures-util = "0.3"
 # This dependency is only required for the `pokemon-service-lambda` program.
-lambda_http = "0.6.0"
+lambda_http = "0.7.1"
 # Local paths
 aws-smithy-http-server = { path = "../../" }
diff --git a/rust-runtime/aws-smithy-types-convert/Cargo.toml b/rust-runtime/aws-smithy-types-convert/Cargo.toml
index 552c3e106a..c9ffbd22a0 100644
--- a/rust-runtime/aws-smithy-types-convert/Cargo.toml
+++ b/rust-runtime/aws-smithy-types-convert/Cargo.toml
@@ -13,7 +13,7 @@ convert-time = ["aws-smithy-types", "time"]
 [dependencies]
 aws-smithy-types = { path = "../aws-smithy-types", optional = true }
-chrono = { version = "0.4.19", optional = true }
+chrono = { version = "0.4.19", optional = true, default-features = false, features = ["std"] }
 time = { version = "0.3.4", optional = true }
 [package.metadata.docs.rs]
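Review bot: The new `chrono` line in aws-smithy-types-convert/Cargo.toml carries the whole mitigation — `default-features = false` is what keeps chrono's default `oldtime` feature, and with it the time 0.1 crate flagged by RUSTSEC-2020-0071, out of the dependency graph — but nothing on the line records that, so a later edit that restores the defaults would silently reintroduce the advisory. Add a comment above it: `# default-features = false: chrono's default `oldtime` feature pulls in time 0.1 (RUSTSEC-2020-0071); only `std` is needed here.` Turning off the defaults also drops chrono's `clock` feature, so if any code in this crate calls `Utc::now()` or uses `Local`, `clock` has to be listed explicitly in `features` — that cannot be confirmed from this hunk. The crate's own `time = { version = "0.3.4", optional = true }` on the next line is a different major version from the one the advisory covers and, as far as I can tell, is not affected.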