qdrant: 1.7.4 -> 1.9.0 (94cf7253) · Commits · nix / nixpkgs

pkgs/servers/search/qdrant/1.7.4-CVE-2024-3078.patch

deleted100644 → 0

+0 −142

Original line number	Diff line number	Diff line
		Based on upstream 3ab5172e9c8f14fa1f7b24e7147eac74e2412b62 with minor
		adjustments to apply to 1.7.4

		diff --git a/lib/collection/src/collection/snapshots.rs b/lib/collection/src/collection/snapshots.rs
		index e5a8be9c..ca48fb9e 100644
		--- a/lib/collection/src/collection/snapshots.rs
		+++ b/lib/collection/src/collection/snapshots.rs
		@@ -241,35 +241,35 @@ impl Collection {
		.await
		}

		+ /// Get full file path for a collection snapshot by name
		+ ///
		+ /// This enforces the file to be inside the snapshots directory
		pub async fn get_snapshot_path(&self, snapshot_name: &str) -> CollectionResult<PathBuf> {
		- let snapshot_path = self.snapshots_path.join(snapshot_name);
		-
		- let absolute_snapshot_path =
		- snapshot_path
		- .canonicalize()
		- .map_err(\|_\| CollectionError::NotFound {
		- what: format!("Snapshot {snapshot_name}"),
		- })?;
		-
		- let absolute_snapshot_dir =
		- self.snapshots_path
		- .canonicalize()
		- .map_err(\|_\| CollectionError::NotFound {
		- what: format!("Snapshot directory: {}", self.snapshots_path.display()),
		- })?;
		+ let absolute_snapshot_dir = self.snapshots_path.canonicalize().map_err(\|_\| {
		+ CollectionError::not_found(format!(
		+ "Snapshot directory: {}",
		+ self.snapshots_path.display()
		+ ))
		+ })?;
		+
		+ let absolute_snapshot_path = absolute_snapshot_dir
		+ .join(snapshot_name)
		+ .canonicalize()
		+ .map_err(\|_\| CollectionError::not_found(format!("Snapshot {snapshot_name}")))?;

		if !absolute_snapshot_path.starts_with(absolute_snapshot_dir) {
		- return Err(CollectionError::NotFound {
		- what: format!("Snapshot {snapshot_name}"),
		- });
		+ return Err(CollectionError::not_found(format!(
		+ "Snapshot {snapshot_name}"
		+ )));
		}

		- if !snapshot_path.exists() {
		- return Err(CollectionError::NotFound {
		- what: format!("Snapshot {snapshot_name}"),
		- });
		+ if !absolute_snapshot_path.exists() {
		+ return Err(CollectionError::not_found(format!(
		+ "Snapshot {snapshot_name}"
		+ )));
		}
		- Ok(snapshot_path)
		+
		+ Ok(absolute_snapshot_path)
		}

		pub async fn list_shard_snapshots(
		diff --git a/lib/collection/src/operations/types.rs b/lib/collection/src/operations/types.rs
		index afc38d0f..63eae16e 100644
		--- a/lib/collection/src/operations/types.rs
		+++ b/lib/collection/src/operations/types.rs
		@@ -906,6 +906,10 @@ impl CollectionError {
		CollectionError::BadInput { description }
		}

		+ pub fn not_found(what: impl Into<String>) -> CollectionError {
		+ CollectionError::NotFound { what: what.into() }
		+ }
		+
		pub fn bad_request(description: String) -> CollectionError {
		CollectionError::BadRequest { description }
		}
		diff --git a/lib/storage/src/content_manager/errors.rs b/lib/storage/src/content_manager/errors.rs
		index 1ad8d413..4528e485 100644
		--- a/lib/storage/src/content_manager/errors.rs
		+++ b/lib/storage/src/content_manager/errors.rs
		@@ -46,6 +46,12 @@ impl StorageError {
		}
		}

		+ pub fn not_found(description: impl Into<String>) -> StorageError {
		+ StorageError::NotFound {
		+ description: description.into(),
		+ }
		+ }
		+
		/// Used to override the `description` field of the resulting `StorageError`
		pub fn from_inconsistent_shard_failure(
		err: CollectionError,
		diff --git a/lib/storage/src/content_manager/snapshots/mod.rs b/lib/storage/src/content_manager/snapshots/mod.rs
		index 8a417377..9965006a 100644
		--- a/lib/storage/src/content_manager/snapshots/mod.rs
		+++ b/lib/storage/src/content_manager/snapshots/mod.rs
		@@ -24,17 +24,33 @@ pub struct SnapshotConfig {
		pub collections_aliases: HashMap<String, String>,
		}

		+/// Get full file path for a full snapshot by name
		+///
		+/// This enforces the file to be inside the snapshots directory
		pub async fn get_full_snapshot_path(
		toc: &TableOfContent,
		snapshot_name: &str,
		) -> Result<PathBuf, StorageError> {
		- let snapshot_path = Path::new(toc.snapshots_path()).join(snapshot_name);
		- if !snapshot_path.exists() {
		- return Err(StorageError::NotFound {
		- description: format!("Full storage snapshot {snapshot_name} not found"),
		- });
		+ let snapshots_path = toc.snapshots_path();
		+
		+ let absolute_snapshot_dir = Path::new(snapshots_path)
		+ .canonicalize()
		+ .map_err(\|_\| StorageError::not_found(format!("Snapshot directory: {snapshots_path}")))?;
		+
		+ let absolute_snapshot_path = absolute_snapshot_dir
		+ .join(snapshot_name)
		+ .canonicalize()
		+ .map_err(\|_\| StorageError::not_found(format!("Snapshot {snapshot_name}")))?;
		+
		+ if !absolute_snapshot_path.starts_with(absolute_snapshot_dir) {
		+ return Err(StorageError::not_found(format!("Snapshot {snapshot_name}")));
		}
		- Ok(snapshot_path)
		+
		+ if !absolute_snapshot_path.exists() {
		+ return Err(StorageError::not_found(format!("Snapshot {snapshot_name}")));
		+ }
		+
		+ Ok(absolute_snapshot_path)
		}

		pub async fn do_delete_full_snapshot(

pkgs/servers/search/qdrant/Cargo.lock

+1133 −532

File changed.

Preview size limit exceeded, changes collapsed.

pkgs/servers/search/qdrant/default.nix

+4 −8

Original line number	Diff line number	Diff line
		@@ -13,25 +13,21 @@

		rustPlatform.buildRustPackage rec {
		pname = "qdrant";
		version = "1.7.4";
		version = "1.9.0";

		src = fetchFromGitHub {
		owner = "qdrant";
		repo = "qdrant";
		rev = "refs/tags/v${version}";
		sha256 = "sha256-BgsLmE50mGmB5fcUjov8wcAHRTKMYaoyoXjSUyIddlc=";
		sha256 = "sha256-SirqQW/OxFvsyra80znSDakHwFjHk2YkpAaNwXnbK60=";
		};

		patches = [
		./1.7.4-CVE-2024-3078.patch
		];

		cargoLock = {
		lockFile = ./Cargo.lock;
		outputHashes = {
		"quantization-0.1.0" = "sha256-ggVqJiftu0nvyEM0dzsH0JqIc/Z1XILyUSKiJHeuuZs=";
		"quantization-0.1.0" = "sha256-BofK1X06efESoxVJmlCY5D3toFmo2ZkKNz11ot2imIs=";
		"tonic-0.9.2" = "sha256-ZlcDUZy/FhxcgZE7DtYhAubOq8DMSO17T+TCmXar1jE=";
		"wal-0.1.2" = "sha256-nBGwpphtj+WBwL9TmWk7qXiEqlIWkgh/2V9uProqhMk=";
		"wal-0.1.2" = "sha256-YjOXYg8dnYsb+Zl6xUkAccjZZn3tyf3fR/kWTfUjlgg=";
		};
		};