
fix(facts): quick-xml 0.37→0.41, close RUSTSEC-2026-0194/-0195 (v0.12.1)#25

Merged
fastrevmd-lab merged 1 commit into main from fix/quickxml-0.41-rustsec on Jul 2, 2026

Conversation

@fastrevmd-lab (Owner)

Closes #24.

What

Migrates quick-xml 0.37→0.41 to close RUSTSEC-2026-0194 (quadratic duplicate-attribute scan) and RUSTSEC-2026-0195 (unbounded namespace-declaration allocation / DoS). Mirrors the completed rustnetconf 0.12.3 migration.

The one behavioral change that mattered

quick-xml 0.38 removed BytesText::unescape() and added Event::GeneralRef: entity refs (&, <, >) no longer arrive inside Text events. A naive unescape()→decode() rename compiles but silently truncates any value containing an entity.

Fix: new facts/xml_entity.rs helper (resolve_entity_ref / raw_entity_ref); the 4 fact-parser loops now accumulate Text + resolve GeneralRef and flush on the closing tag. unwrap_multi_re keeps entities verbatim in reconstructed per-RE XML (re-parsed downstream) and resolves them for leaf re-name values.

Codex code review

Confirmed the 4 loops correct (no truncation, buffers cleared, entities verbatim). Flagged + fixed one Medium (unescaped reconstructed attribute-value quotes). Two Lows (CDATA capture, unknown-entity drop) are pre-existing non-regressions matching old unescape() behavior.

Verification

  • cargo test -p rustez → 52 passed (4 new &/< round-trip tests)
  • cargo clippy clean, cargo check --workspace clean
  • cargo audit → RUSTSEC-2026-0194/-0195 cleared
  • scripts/check_versions.py → all three manifests agree on 0.12.1

Release

Bumps rustez, rustez-py (crate + pyproject) to 0.12.1, MSRV 1.75→1.79, rustnetconf 0.12→0.12.3, CHANGELOG updated. Unblocks RustJunosMCP#103.

🤖 Generated with Claude Code

https://claude.ai/code/session_01CALA6Gum4MdPTeEPf6vant
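The accumulate-then-flush rework the description refers to, as an added example that is not the PR's code: a hand-built stand-in for quick-xml 0.38+'s Event::GeneralRef model (the real crate is not used), with the `resolve_entity_ref` / `raw_entity_ref` bodies assumed from their names, set beside the naive variant that loses everything after the first entity.

```rust
// Added example: an assumed stand-in for quick-xml 0.38+'s GeneralRef event model.
enum Event<'a> {
    Start(&'a str),
    Text(&'a str),
    GeneralRef(&'a str), // entity name without '&' and ';', e.g. "amp"
    End(&'a str),
}

/// Keep a reference verbatim, for reconstructed XML that is re-parsed downstream.
fn raw_entity_ref(name: &str) -> String {
    format!("&{};", name)
}

/// Resolve predefined entities; unknown names are kept verbatim rather than dropped.
fn resolve_entity_ref(name: &str) -> String {
    match name {
        "amp" => "&".to_string(),
        "lt" => "<".to_string(),
        "gt" => ">".to_string(),
        other => raw_entity_ref(other),
    }
}

/// The bug: a bare unescape()->decode() rename takes the first Text after the opening tag.
fn naive_leaf_value(events: &[Event], tag: &str) -> Option<String> {
    let start = events.iter().position(|e| matches!(e, Event::Start(t) if *t == tag))?;
    events[start + 1..].iter().take_while(|e| !matches!(e, Event::End(t) if *t == tag))
        .find_map(|e| match e { Event::Text(s) => Some(s.to_string()), _ => None })
}

/// The fix: accumulate Text and resolved GeneralRef chunks; flush on the closing tag.
fn leaf_value(events: &[Event], tag: &str) -> Option<String> {
    let mut buf: Option<String> = None;
    for ev in events {
        match ev {
            Event::Start(t) if *t == tag => buf = Some(String::new()),
            Event::Text(s) => if let Some(b) = buf.as_mut() { b.push_str(s) },
            Event::GeneralRef(n) => if let Some(b) = buf.as_mut() { b.push_str(&resolve_entity_ref(n)) },
            Event::End(t) if *t == tag => return buf.take(),
            _ => {}
        }
    }
    None
}

/// Constructed stream for `<host-name>R1 &amp; R2 &lt;edge&gt;</host-name>`.
fn sample_events() -> Vec<Event<'static>> {
    vec![Event::Start("host-name"), Event::Text("R1 "), Event::GeneralRef("amp"), Event::Text(" R2 "),
         Event::GeneralRef("lt"), Event::Text("edge"), Event::GeneralRef("gt"), Event::End("host-name")]
}
```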

Entity refs no longer arrive inside Text events (quick-xml 0.38 GeneralRef);
rework the 4 fact-parser loops (facts/mod.rs, chassis, software, routing_engine)
to accumulate Text+GeneralRef and flush on the closing tag, so Junos values
containing &/</> aren't silently truncated. Add xml_entity helper + entity
round-trip tests. Harden unwrap_multi_re attribute-value quote escaping
(codex review finding). Bump rustnetconf 0.12→0.12.3, MSRV 1.75→1.79.

Release 0.12.1: bump all three manifests + CHANGELOG.

Closes #24.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CALA6Gum4MdPTeEPf6vant
@fastrevmd-lab fastrevmd-lab merged commit 5083adf into main Jul 2, 2026
1 check passed
@fastrevmd-lab fastrevmd-lab deleted the fix/quickxml-0.41-rustsec branch July 2, 2026 15:11
Successfully merging this pull request may close these issues.

security: upgrade quick-xml 0.37 → 0.41 (RUSTSEC-2026-0194 / -0195 DoS)