Update Rust crate sqlx to 0.8.1 [SECURITY] #17

Open. Wants to merge 1 commit into base: main.

Conversation

renovate[bot]

@renovate renovate bot commented Aug 24, 2024

This PR contains the following updates:

Package Type Update Change
sqlx dependencies minor 0.6.3 -> 0.8.1

GitHub Vulnerability Alerts

GHSA-xmrp-424f-vfpx

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4 GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic,
for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if they push the message size over this 4 GiB bound.

Encode::size_hint()
can be used for sanity checks, but do not assume that the size returned is accurate.
For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size,
so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.
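As an added illustration (not code from the advisory or from SQLx itself), the Rust below shows why a truncating cast on a 32-bit protocol length field is dangerous, what a fail-closed replacement looks like, and how the advisory's application-level size check can be applied before a value is ever encoded. The function names, the `LenError` type and the per-application `limit` are hypothetical; the length values are constructed, no 4 GiB buffer is allocated.

```rust
use std::convert::TryFrom;

/// Postgres-style wire messages carry a signed 32-bit, big-endian length
/// field that counts the 4-byte field itself plus the payload.
const LEN_PREFIX_BYTES: u64 = 4;
/// Largest payload a single 32-bit signed length field can describe.
pub const MAX_PAYLOAD: u64 = i32::MAX as u64 - LEN_PREFIX_BYTES;

#[derive(Debug, PartialEq)]
pub enum LenError {
    /// Payload cannot be represented by a 32-bit length field.
    TooLarge { len: u64 },
}

/// The problematic pattern: a truncating `as` cast. For a payload of
/// 4 GiB + 5 bytes this silently yields 9, so a server would read a
/// 5-byte value and then parse the remaining bytes as further messages.
pub fn len_prefix_truncating(payload_len: u64) -> i32 {
    (payload_len + LEN_PREFIX_BYTES) as i32
}

/// Hardened form: refuse to build the message when the total length
/// does not fit, instead of wrapping around.
pub fn len_prefix_checked(payload_len: u64) -> Result<i32, LenError> {
    let total = payload_len
        .checked_add(LEN_PREFIX_BYTES)
        .ok_or(LenError::TooLarge { len: payload_len })?;
    i32::try_from(total).map_err(|_| LenError::TooLarge { len: payload_len })
}

/// Application-layer mitigation described in the advisory: reject a bind
/// parameter up front if its byte length (or a conservative upper bound on
/// it) exceeds a per-application cap or could overflow the length field.
/// `limit` is a hypothetical cap such as a request-body size limit.
pub fn check_param_size(param_len: u64, limit: u64) -> Result<u64, LenError> {
    if param_len > limit || param_len > MAX_PAYLOAD {
        return Err(LenError::TooLarge { len: param_len });
    }
    Ok(param_len)
}

fn main() {
    // Constructed length only: 4 GiB plus 5 bytes.
    let oversized = (1u64 << 32) + 5;
    println!("truncating cast yields: {}", len_prefix_truncating(oversized)); // 9
    println!("checked encoder yields: {:?}", len_prefix_checked(oversized)); // Err(TooLarge)
    println!("size check yields: {:?}", check_param_size(oversized, 16 << 20)); // Err(TooLarge)
}
```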

Resolution

Work has started on a branch to add #[deny] directives for the following Clippy lints:

and to manually audit the code that they flag.

A fix is expected to be included in the 0.8.1 release (still WIP as of writing).


Release Notes

launchbadge/sqlx (sqlx)

v0.8.1

Compare Source

16 pull requests were merged this release cycle.

This release contains a fix for RUSTSEC-2024-0363.

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated:
#3440 (comment)

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.

Added
  • [#​3421]: correct spelling of MySqlConnectOptions::no_engine_substitution() [[@​kolinfluence]]
    • Deprecates MySqlConnectOptions::no_engine_subsitution() (oops) in favor of the correctly spelled version.
Changed
  • [#​3376]: doc: hide spec_error module [[@​abonander]]
    • This is a helper module for the macros and was not meant to be exposed.
    • It is not expected to receive any breaking changes for the 0.8.x release, but is not designed as a public API.
      Use at your own risk.
  • [#​3382]: feat: bumped to libsqlite3-sys=0.30.1 to support sqlite 3.46 [[@​CommanderStorm]]
  • [#3385]: chore(examples): Migrated the pg-chat example to ratatui [[@CommanderStorm]]
  • [#​3399]: Upgrade to rustls 0.23 [[@​djc]]
    • RusTLS now has pluggable cryptography providers: ring (the existing implementation),
      and aws-lc-rs which has optional FIPS certification.
    • The existing features activating RusTLS (runtime-tokio-rustls, runtime-async-std-rustls, tls-rustls)
      enable the ring provider of RusTLS to match the existing behavior so this should not be a breaking change.
    • Switch to the tls-rustls-aws-lc-rs feature to use the aws-lc-rs provider.
      • If using runtime-tokio-rustls or runtime-async-std-rustls,
        this will necessitate switching to the appropriate non-legacy runtime feature:
        runtime-tokio or runtime-async-std
    • See the RusTLS README for more details: https://github.com/rustls/rustls?tab=readme-ov-file#cryptography-providers
Fixed

v0.8.0

Compare Source

70 pull requests were merged this release cycle.

#​2697 was merged the same day as release 0.7.4 and so was missed by the automatic CHANGELOG generation.

Breaking
  • [#​2697]: fix(macros): only enable chrono when time is disabled [[@​saiintbrisson]]
  • [#​2973]: Generic Associated Types in Database, replacing HasValueRef, HasArguments, HasStatement [[@​nitn3lav]]
  • [#​2482]: chore: bump syn to 2.0 [[@​saiintbrisson]]
    • Deprecated type ascription syntax in the query macros was removed.
  • [#​2736]: Fix describe on PostgreSQL views with rules [[@​tsing]]
    • Potentially breaking: nullability inference changes for Postgres.
  • [#​2869]: Implement PgHasArrayType for all references [[@​tylerhawkes]]
    • Conflicts with existing manual implementations.
  • [#​2940]: fix: Decode and Encode derives (#​1031) [[@​benluelo]]
    • Changes lifetime obligations for field types.
  • [#​3064]: Sqlite explain graph [[@​tyrelr]]
    • Potentially breaking: nullability inference changes for SQLite.
  • [#​3123]: Reorder attrs in sqlx::test macro [[@​bobozaur]]
    • Potentially breaking: attributes on #[sqlx::test] usages are applied in the correct order now.
  • [#​3126]: Make Encode return a result [[@​FSMaxB]]
  • [#​3130]: Add version information for failed cli migration (#​3129) [[@​FlakM]]
    • Breaking changes to MigrateError.
  • [#​3181]: feat: no tx migration [[@​cleverjam]]
    • (Postgres only) migrations that should not run in a transaction can be flagged by adding -- no-transaction to the beginning.
    • Breaking change: added field to Migration
  • [#3184]: [BREAKING] fix(sqlite): always use i64 as intermediate when decoding [[@abonander]]
    • integer decoding will now loudly error on overflow instead of silently truncating.
    • some usages of the query!() macros might change an i32 to an i64.
  • [#​3252]: fix #[derive(sqlx::Type)] in Postgres [[@​abonander]]
    • Manual implementations of PgHasArrayType for enums will conflict with the generated one. Delete the manual impl or add #[sqlx(no_pg_array)] where conflicts occur.
    • Type equality for PgTypeInfo is now schema-aware.
  • [#​3329]: fix: correct handling of arrays of custom types in Postgres [[@​abonander]]
    • Potential breaking change: PgTypeInfo::with_name() infers types that start with _ to be arrays of the un-prefixed type. Wrap type names in quotes to bypass this behavior.
  • [#​3356]: breaking: fix name collision in FromRow, return Error::ColumnDecode for TryFrom errors [[@​abonander]]
    • Breaking behavior change: errors with #[sqlx(try_from = "T")] now return Error::ColumnDecode instead of Error::ColumnNotFound.
    • Breaking because #[sqlx(default)] on an individual field or the struct itself would have previously suppressed the error.
      This doesn't seem like good behavior as it could result in some potentially very difficult bugs.
      • Instead, create a wrapper implementing From and apply the default explicitly.
  • [#​3337]: allow rename with rename_all (close #​2896) [[@​DirectorX]]
    • Changes the precedence of #[sqlx(rename)] and #[sqlx(rename_all)] to match the expected behavior (rename wins).
  • [#​3285]: fix: use correct names for sslmode options [[@​lily-mosquitoes]]
    • Changes the output of ConnectOptions::to_url_lossy() to match what parsing expects.
Added
Changed
Fixed

v0.7.4

Compare Source

38 pull requests were merged this release cycle.

This is officially the last release of the 0.7.x release cycle.

As of this release, development of 0.8.0 has begun on main and only high-priority bugfixes may be backported.

Added
  • [#​2891]: feat: expose getters for connect options fields [[@​saiintbrisson]]
  • [#​2902]: feat: add to_url_lossy to connect options [[@​lily-mosquitoes]]
  • [#​2927]: Support query! for cargo-free systems [[@​kshramt]]
  • [#​2997]: doc(FAQ): add entry explaining prepared statements [[@​abonander]]
  • [#​3001]: Update README to clarify MariaDB support [[@​iangilfillan]]
  • [#​3004]: feat(logging): Add numeric elapsed time field elapsed_secs [[@​iamjpotts]]
  • [#​3007]: feat: add raw_sql API [[@​abonander]]
    • This hopefully makes it easier to find how to execute statements which are not supported by the default
      prepared statement interfaces query*() and query!().
    • Improved documentation across the board for the query*() functions.
    • Deprecated: execute_many() and fetch_many() on interfaces that use prepared statements.
      • Multiple SQL statements in one query string were only supported by SQLite because its prepared statement
        interface is the only way to execute SQL. All other database flavors forbid multiple statements in
        one prepared statement string as an extra defense against SQL injection.
      • The new raw_sql API retains this functionality because it explicitly does not use prepared statements.
        Raw or text-mode query interfaces generally allow multiple statements in one query string, and this is
        supported by all current databases. Due to their nature, however, one cannot use bind parameters with them.
      • If this change affects you, an issue is open for discussion: https://github.com/launchbadge/sqlx/issues/3108
  • [#​3011]: Added support to IpAddr with MySQL/MariaDB. [[@​Icerath]]
  • [#​3013]: Add default implementation for PgInterval [[@​pawurb]]
  • [#​3018]: Add default implementation for PgMoney [[@​pawurb]]
  • [#​3026]: Update docs to reflect support for MariaDB data types [[@​iangilfillan]]
  • [#3037]: feat(mysql): allow to connect with mysql driver without default behavior [[@darkecho731]]
Changed
Fixed

v0.7.3

38 pull requests were merged this release cycle.

Added
Changed
Fixed

v0.7.2

23 pull requests were merged this release cycle.

Added
Changed
Fixed

v0.7.1

Compare Source

This release mainly addresses issues reported with the 0.7.0 release.

16 pull requests were merged this release cycle.

Added
  • [#​2551]: Introduce build_query_scalar for QueryBuilder [[@​iamquang95]]
  • [#​2605]: Implement Default for QueryBuilder [[@​Xydez]]
  • [#​2616]: feat(sqlx-core): add table function to database error [[@​saiintbrisson]]
  • [#​2619]: feat: allow opt-out of PgHasArrayType with #[derive(sqlx::Type)] [[@​abonander]]
    • TL;DR: if you're getting errors from #[derive(sqlx::Type)] with #[sqlx(transparent)]
      regarding PgHasArrayType not being implemented, add #[sqlx(no_pg_array)] to fix.
Changed
Fixed

v0.7.0

Compare Source

At least 70 pull requests were merged this release cycle! (The exact count is muddied with pull requests for alpha
releases and such.) And we gained 43 new contributors! Thank you to everyone who helped make this release a reality.

Breaking

Many revisions were made to query analysis in the SQLite driver; these are all potentially breaking changes
as they can change the output of sqlx::query!() et al. We'd like to thank [[@​tyrelr]] for their numerous PRs to
this area.

The MSSQL driver has been removed as it was not nearly at the same maturity level as the other drivers.
[As previously announced][sqlx-pro], we have plans to introduce a fully featured replacement as a premium offering,
alongside drivers for other proprietary databases, with the goal to support full-time development on SQLx.

If interested, please email your inquiry to [email protected].

The offline mode for the queries has been changed to use a separate file per query!() invocation,
which is intended to reduce the number of conflicts when merging branches in a project that both modified queries.
This means that CLI flag --merged is no longer supported. See [[#​2363]] for details and make sure that your
sqlx-cli version is in sync with the sqlx version in your project.

The type ascription override syntax for the query macros has been deprecated,
as parse support for it has been removed in syn 2.0, which we'll be upgrading to in the next breaking release.
This can be replaced with type overrides using casting syntax (as).
See [[#​2483]] for details.

  • [[#​1946]]: Fix compile time verification performance regression for sqlite [[@​liningpan]]
  • [[#​1960]]: Fix sqlite update return and order by type inference [[@​tyrelr]]
  • [[#​1984]]: Sqlite EXPLAIN type inference improvements [[@​rongcuid]]
  • [[#​2039]]: Break drivers out into separate crates, clean up some technical debt [[@​abonander]]
    • All deprecated items have been removed.
    • The mssql feature and associated database driver has been deleted from the source tree. It will return as part of our planned SQLx Pro offering as a from-scratch rewrite with extra features (such as TLS) and type integrations that were previously missing.
    • The runtime-actix-* features have been deleted. They were previously changed to be aliases of their runtime-tokio-* counterparts for backwards compatibility reasons, but their continued existence is misleading as SQLx has no special knowledge of Actix anymore.
      • To fix, simply replace the runtime-actix-* feature with its runtime-tokio-* equivalent.
    • The git2 feature has been removed. This was a requested integration from a while ago that over time made less and less sense to be part of SQLx itself. We have to be careful with the crates we add to our public API as each one introduces yet another semver hazard. The expected replacement is to make #[derive(sqlx::Type)] useful enough that users can write wrapper types for whatever they want to use without SQLx needing to be specifically aware of it.
    • The Executor impls for Transaction and PoolConnection have been deleted because they cannot exist in the new crate architecture without rewriting the Executor trait entirely.
      • To fix this breakage, simply add a dereference where an impl Executor is expected, as they both dereference to the inner connection type which will still implement it:
        • &mut transaction -> &mut *transaction
        • &mut connection -> &mut *connection
      • These cannot be blanket impls as it triggers an overflow in the compiler due to the lack of lazy normalization, and
        the driver crates cannot provide their own impls due to the orphan rule.
      • We're expecting to do another major refactor of traits to incorporate generic associated types (GAT).
        This will mean another major release of SQLx but ideally most API usage will not need to change significantly, if at all.
    • The fields of Migrator are now #[doc(hidden)] and semver-exempt; they weren't meant to be public.
    • The offline feature has been removed from the sqlx facade crate and is enabled unconditionally as most users are expected to have enabled it anyway and disabling it doesn't seem to appreciably affect compile times.
    • The decimal feature has been renamed to rust_decimal to match the crate it actually provides integrations for.
    • AnyDriver and AnyConnection now require either sqlx::any::install_drivers() or sqlx::any::install_default_drivers() to be called at some point during the process' lifetime before the first connection is made, as the set of possible drivers is now determined at runtime. This was determined to be the least painful way to provide knowledge of database drivers to Any without them being hardcoded.
    • The AnyEncode trait has been removed.
  • [[#​2109]]: feat: better database errors [[@​saiintbrisson]]
  • [[#​2094]]: Update libsqlite3-sys to 0.25.1 [[@​penberg]]
    • Alongside this upgrade, we are now considering the linkage to libsqlite3-sys to be semver-exempt,
      and we reserve the right to upgrade it as necessary. If you are using libsqlite3-sys directly or a crate that
      links it such as rusqlite, you should pin the versions of both crates to avoid breakages from cargo update:
      [dependencies]
      sqlx = { version = "=0.7.0", features = ["sqlite"] }
      rusqlite = "=0.29.0"
  • [[#​2132]]: fix: use owned Builder pattern for ConnectOptions [[@​ar3s3ru]]
  • [[#​2253]]: Sqlite describe fixes [[@​tyrelr]]
  • [[#​2285]]: time: Assume UTC when decoding a

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
