Skip to content

security: upgrade TLS stack (tonic 0.12) to clear rustls-webpki high alert#71

Open
jhamon wants to merge 3 commits into
mainfrom
pin14/tls-webpki-tonic-0.12
Open

security: upgrade TLS stack (tonic 0.12) to clear rustls-webpki high alert#71
jhamon wants to merge 3 commits into
mainfrom
pin14/tls-webpki-tonic-0.12

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

Clears the last open high Dependabot alert on this repo that a lockfile bump could not: rustls-webpki < 0.103.13 (alert #26Denial of service via panic on malformed CRL BIT STRING). Follow-up from PIN-6 / PR #70.

Reaching webpki 0.103.13 required moving the whole TLS tree off rustls 0.22. tonic 0.11 pinned tokio-rustls 0.25 -> rustls 0.22 -> rustls-webpki 0.102; that path is stuck on webpki 0.102 forever. Bumping tonic 0.11 -> 0.12 removes it, putting both the gRPC and reqwest paths on rustls 0.23, which then advances to a version using webpki 0.103.13.

Changes

  • Cargo.toml: tonic 0.11 → 0.12, prost/prost-types 0.12 → 0.13 (required by tonic 0.12), tonic-build 0.11 → 0.12. TLS features unchanged (tls, transport, tls-roots).
  • codegen/proto_build: tonic/tonic-build → 0.12; compile()compile_protos() (0.11 method was deprecated).
  • Regenerated src/protos/ with tonic-build 0.12 (Status::unknown, updated Service trait bounds, prost 0.13 attributes).
  • src/pinecone/data.rs: ClientTlsConfig::default().default().with_native_roots(). Behavioral fix: tonic 0.12 no longer loads trust roots implicitly — an empty root store would fail every TLS handshake with UnknownIssuer. with_native_roots() matches the tls-roots feature.
  • Cargo.lock: single rustls-webpki at 0.103.13; rustls 0.23.41; rustls 0.22 / tokio-rustls 0.25 removed.

Verification

  • cargo build — clean.
  • cargo test --lib66/66 pass (with a dummy PINECONE_API_KEY; the 6 mocked httpmock tests only require a non-empty key).
  • cargo test --no-run — all integration test targets compile.
  • grep rustls-webpki Cargo.lock → exactly one entry, 0.103.13 (≥ patched 0.103.13). Alert Move proto build script to separate binary #26 clears on merge.

⚠️ Live integration tests hit the real API and need a valid PINECONE_API_KEY — not run in this environment. Requesting a reviewer run them (or confirm CI does) before merge.

Acceptance (PIN-14)

Closes PIN-14.

🤖 Generated with Claude Code

…3.13)

Bumps tonic 0.11 -> 0.12 (and required prost 0.12 -> 0.13, tonic-build
0.11 -> 0.12) to move the whole TLS dependency tree onto rustls 0.23 /
tokio-rustls 0.26, then advances rustls to 0.23.41 so rustls-webpki
resolves to 0.103.13.

Previously tonic 0.11 pinned tokio-rustls 0.25 -> rustls 0.22 ->
rustls-webpki 0.102, so a lockfile-only bump could not reach
webpki 0.103.13. Removing the rustls 0.22 path unblocks the update.

Changes:
- Cargo.toml: tonic 0.12, prost/prost-types 0.13, tonic-build 0.12
- codegen/proto_build: tonic/tonic-build 0.12; compile -> compile_protos
- Regenerated src/protos with tonic-build 0.12 (Status::unknown, updated
  Service trait bounds, prost 0.13 attrs)
- data.rs: ClientTlsConfig::default().with_native_roots() — tonic 0.12 no
  longer loads trust roots implicitly, so an empty root store would fail
  every TLS handshake with UnknownIssuer

Verified: cargo build clean; 66/66 lib tests pass (with a dummy
PINECONE_API_KEY for the mocked httpmock tests); all integration test
targets compile. Cargo.lock now pins a single rustls-webpki 0.103.13.
Live integration tests require PINECONE_API_KEY (not run here).

Clears Dependabot alert #26 (rustls-webpki < 0.103.13, high).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jhamon and others added 2 commits July 11, 2026 16:31
…y PR)

- Add #[allow(clippy::result_large_err)] to client() and default_client()
- Remove unneeded return statement in src/utils/user_agent.rs
- Add #[allow(clippy::derivable_impls)] before Default impls in 7 generated openapi model files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The tonic 0.12 upgrade regenerated src/protos/mod.rs with formatting
that rustfmt 1.9 rewrites. Apply cargo fmt to clear the failing Rustfmt
CI check. Formatting-only; no semantic change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant