fix(facts): quick-xml 0.37→0.41, close RUSTSEC-2026-0194/-0195 (v0.12.1) #25
Merged
Entity refs no longer arrive inside Text events (quick-xml 0.38 GeneralRef); rework the 4 fact-parser loops (facts/mod.rs, chassis, software, routing_engine) to accumulate Text+GeneralRef and flush on the closing tag, so Junos values containing &/</> aren't silently truncated. Add xml_entity helper + entity round-trip tests.

Harden unwrap_multi_re attribute-value quote escaping (codex review finding).

Bump rustnetconf 0.12→0.12.3, MSRV 1.75→1.79. Release 0.12.1: bump all three manifests + CHANGELOG.

Closes #24.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CALA6Gum4MdPTeEPf6vant
Closes #24.
What
Migrates quick-xml 0.37→0.41 to close RUSTSEC-2026-0194 (quadratic duplicate-attribute scan) and RUSTSEC-2026-0195 (unbounded namespace-declaration allocation / DoS). Mirrors the completed rustnetconf 0.12.3 migration.

The one behavioral change that mattered
quick-xml 0.38 removed BytesText::unescape() and added Event::GeneralRef: entity refs (&, <, &) no longer arrive inside Text events. A naive unescape() → decode() rename compiles but silently truncates any value containing an entity.

Fix: new facts/xml_entity.rs helper (resolve_entity_ref / raw_entity_ref); the 4 fact-parser loops now accumulate Text + resolve GeneralRef and flush on the closing tag. unwrap_multi_re keeps entities verbatim in reconstructed per-RE XML (re-parsed downstream) and resolves them for leaf re-name values.

Codex code review
Confirmed the 4 loops correct (no truncation, buffers cleared, entities verbatim). Flagged + fixed one Medium (unescaped reconstructed attribute-value quotes). Two Lows (CDATA capture, unknown-entity drop) are pre-existing non-regressions matching old unescape() behavior.

Verification
- cargo test -p rustez → 52 passed (4 new &/< round-trip tests)
- cargo clippy clean, cargo check --workspace clean
- cargo audit → RUSTSEC-2026-0194/-0195 cleared
- scripts/check_versions.py → all three manifests agree on 0.12.1

Release
Bumps rustez, rustez-py (crate + pyproject) to 0.12.1, MSRV 1.75→1.79, rustnetconf 0.12→0.12.3, CHANGELOG updated. Unblocks RustJunosMCP#103.

🤖 Generated with Claude Code
https://claude.ai/code/session_01CALA6Gum4MdPTeEPf6vant
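
The truncation and the accumulate-and-flush fix described in this PR, as an added example that is not code from the PR or from rustez. The `Ev` enum is a constructed stand-in for the parser's events, and `resolve_ref`, `leaf_values` and `sample` are hypothetical names with constructed input.

```rust
// Constructed model of a pull-parser event stream; these types are NOT quick-xml's API.
#[derive(Debug, Clone, Copy)]
enum Ev<'a> { Start(&'a str), Text(&'a str), GeneralRef(&'a str), End(&'a str) }

// Hypothetical helper: the predefined XML entities plus numeric character references.
fn resolve_ref(name: &str) -> Option<char> {
    match name {
        "amp" => Some('&'), "lt" => Some('<'), "gt" => Some('>'),
        "quot" => Some('"'), "apos" => Some('\''),
        _ => {
            let num = name.strip_prefix('#')?;
            let (digits, radix) = num.strip_prefix('x').map_or((num, 10), |h| (h, 16));
            char::from_u32(u32::from_str_radix(digits, radix).ok()?)
        }
    }
}

// accumulate = false: old loop shape, the first Text event is taken as the whole value.
// accumulate = true: buffer Text + resolved GeneralRef, flush when the leaf element closes.
fn leaf_values(events: &[Ev], accumulate: bool) -> Vec<(String, String)> {
    let (mut out, mut buf, mut open, mut seen) = (Vec::new(), String::new(), false, false);
    for ev in events {
        match *ev {
            Ev::Start(_) => { buf.clear(); open = true; seen = false; }
            Ev::Text(t) if accumulate || !seen => { buf.push_str(t); seen = true; }
            Ev::GeneralRef(name) if accumulate => match resolve_ref(name) {
                Some(c) => buf.push(c),
                // This example keeps an unknown reference verbatim rather than dropping it.
                None => { buf.push('&'); buf.push_str(name); buf.push(';'); }
            },
            Ev::End(tag) if open => { out.push((tag.to_string(), buf.clone())); open = false; }
            _ => {}
        }
    }
    out
}

// Constructed events for <description>core A&amp;B &lt;lab&gt;</description>.
fn sample() -> Vec<Ev<'static>> {
    use Ev::*;
    vec![Start("description"), Text("core A"), GeneralRef("amp"), Text("B "),
         GeneralRef("lt"), Text("lab"), GeneralRef("gt"), End("description")]
}

fn main() {
    println!("naive: {:?}", leaf_values(&sample(), false));
    println!("fixed: {:?}", leaf_values(&sample(), true));
}
```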