Released version of tonic_health contains blobs

[weiznich]

Bug Report

Version

tonic_health: 0.12.3

Platform

Unrelated, code is uploaded on crates.io

Crates

Tonic-Health

Description

While reviewing a dependency update for tonic-health I noticed that it contains a binary file: https://diff.rs/tonic-health/0.12.2/0.12.3/src%2Fgenerated%2Fgrpc_health_v1.bin

That is not desirable as it makes reviewing dependencies harder. It also might hide potential attacks.
In this case I believe the blob is just the binary representation of the proto file and that it was accidentally uploaded to crates.io. Please consider to explicitly exclude this file for future updates.

[weiznich]

@tottoto Would it be possible to resolve this, given that this is potential security related?

[tottoto]

While reviewing a dependency update for tonic-health I noticed that it contains a binary file: https://diff.rs/tonic-health/0.12.2/0.12.3/src%2Fgenerated%2Fgrpc_health_v1.bin

The URL seems to show Not found.

In this case I believe the blob is just the binary representation of the proto file and that it was accidentally uploaded to crates.io.

It is used to provide the file descriptor set.

[weiznich]

Thanks for your answer

While reviewing a dependency update for tonic-health I noticed that it contains a binary file: https://diff.rs/tonic-health/0.12.2/0.12.3/src%2Fgenerated%2Fgrpc_health_v1.bin

The URL seems to show Not found.

Seems like something is broken with diff.rs now with this kind of direct links 😞 You can go to https://diff.rs/tonic-health/0.12.2/0.12.3/ and navigate manually to src/generated/grpc_health_v1.bin

It is used to provide the file descriptor set.

Can you point out where exactly it is used. For me it seems like it's just there. Additionally I would argue that it's enough to include the expanded rust code + possibly the proto file. You can always generate the binary file descriptor set from the proto file if required.

[tottoto]

Can you point out where exactly it is used. For me it seems like it's just there.

You can find it at https://github.com/hyperium/tonic/blob/v0.12.3/tonic-health/src/lib.rs#L33. If you think something is not being used, you can actually search the code to see if it is correct.

Additionally I would argue that it's enough to include the expanded rust code + possibly the proto file. You can always generate the binary file descriptor set from the proto file if required.

A similar discussion can be found at #1942. This is something that can be resolved before release, so I don't think the feature should be removed, considering convenience reasons.

Incidentally, the implementation way for this has been changed since the release of 0.12.2 from committing and including it as a file to embedding these bytes data in the Rust code.

[weiznich]

@tottoto I'm sorry to write that but I don't see how this addresses the security concerns around a unreviewable blob. I can see how this might be convenient for certain uses, but it makes it really hard to review and reason about the actual code. By having it actually included in the compiled code that becomes more serve from my point of view