
GHSA-gfgm-chr3-x6px: prettytable-rs: Force cast a &Vec<T> to &[T] may lead to undefined behavior

December 30, 2022

In the function Table::as_ref, a reference to a vector (&Vec<T>) is force-cast to a slice reference (&[T]). There are multiple problems here:

  1. To guarantee the size is correct, the code would first have to call Vec::shrink_to_fit. That function requires a mutable reference, so the immutable reference would have to be force-cast to a mutable one, which is undefined behavior (UB).
  2. Even if (1) were sound, &Vec<T> and &[T] still do not necessarily have the same layout. Treating them as interchangeable may lead to undefined behavior (UB).
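The following is an added example, not code from prettytable-rs, using a hypothetical Table type with a rows field. It shows why neither a shrink_to_fit nor a pointer cast is needed to hand out a slice view of a vector: Vec::as_slice builds the fat pointer (data pointer, length) from the Vec's own fields, reports the element count rather than the capacity, and never requires mutable access. It also measures the two reference types so that the layout mismatch behind problem (2) is visible: &Vec<T> is a thin pointer while &[T] is twice as wide.

```rust
// Added example (not prettytable-rs code): a hypothetical `Table` that exposes
// its rows as a slice through the safe `Vec::as_slice` accessor instead of a
// forced cast from `&Vec<T>` to `&[T]`.
use std::mem::size_of;

#[derive(Debug, Clone, PartialEq)]
pub struct Row {
    pub cells: Vec<String>,
}

pub struct Table {
    rows: Vec<Row>,
}

impl Table {
    pub fn new() -> Self {
        // Over-allocate on purpose so that capacity != len. A correct slice view
        // must report `len`, not `capacity`, and must not need shrink_to_fit.
        Table { rows: Vec::with_capacity(64) }
    }

    pub fn add_row(&mut self, cells: &[&str]) {
        self.rows.push(Row { cells: cells.iter().map(|s| s.to_string()).collect() });
    }

    pub fn capacity(&self) -> usize {
        self.rows.capacity()
    }
}

impl AsRef<[Row]> for Table {
    fn as_ref(&self) -> &[Row] {
        // `&Vec<T>` points at a (ptr, capacity, len) header; `&[T]` is a fat
        // pointer (ptr, len). Different types, different layouts, so the
        // conversion must construct the fat pointer from the Vec's fields.
        // `as_slice` (equivalently `&self.rows[..]`) does exactly that, safely,
        // through a shared reference.
        self.rows.as_slice()
    }
}

/// Returns (slice length, vec capacity) for a table with two rows: the slice
/// view sees exactly the pushed rows even though the Vec has spare capacity.
pub fn slice_len_vs_capacity() -> (usize, usize) {
    let mut t = Table::new();
    t.add_row(&["a", "b"]);
    t.add_row(&["c", "d"]);
    (t.as_ref().len(), t.capacity())
}

/// Returns (size of &Vec<Row>, size of &[Row]) in bytes. The slice reference
/// carries its length inline, so it is twice the size of the thin Vec reference.
pub fn reference_sizes() -> (usize, usize) {
    (size_of::<&Vec<Row>>(), size_of::<&[Row]>())
}

fn main() {
    let (len, cap) = slice_len_vs_capacity();
    println!("slice len = {len}, vec capacity = {cap}");
    let (thin, fat) = reference_sizes();
    println!("&Vec<Row> = {thin} bytes, &[Row] = {fat} bytes");
}
```

The safe accessor is also what the fixed release relies on conceptually: a slice borrowed from the Vec shares the Vec's allocation without ever reinterpreting the Vec header itself.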

References

  • github.com/advisories/GHSA-gfgm-chr3-x6px
  • github.com/phsym/prettytable-rs
  • github.com/phsym/prettytable-rs/issues/145
  • rustsec.org/advisories/RUSTSEC-2022-0074.html


Affected versions

All versions before 0.10.0

Fixed versions

  • 0.10.0

Solution

Upgrade to version 0.10.0 or above.

Source file

cargo/prettytable-rs/GHSA-gfgm-chr3-x6px.yml


Page generated Wed, 14 May 2025 12:15:48 +0000.