Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update rust crate diesel to v2 [security] #202

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 23, 2024

This PR contains the following updates:

Package Type Update Change
diesel (source) dependencies major 1.4.8 -> 2.0.0

GitHub Vulnerability Alerts

GHSA-wq9x-qwcq-mmgf

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)
Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears Diesel does perform truncating casts in a way that could be problematic,
for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 2.2.2 are affected.

Mitigation

The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes
fixes for the problem.

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Diesel now uses #[deny] directives for the following Clippy lints:

to prevent casts that will lead to precision loss or other trunctations. Additionally we performed an
audit of the relevant code.

A fix is included in the 2.2.3 release.


Release Notes

diesel-rs/diesel (diesel)

v2.2.3: Diesel 2.2.3

Compare Source

  • Support for libsqlite3-sys 0.30.0
  • Fixed a possible vulnerability in how Diesel handled protocol level bind parameters.
    See the SQL Injection isn't Dead: Smuggling Queries at Protocol Level presentation from DEF CON for details
  • Fixed an issue with a possibly ambiguous trait resolution in #[derive(QueryableByName)]

You can support the development of diesel by contributions or by sponsoring the project on Github.

Full Changelog: diesel-rs/diesel@v2.2.2...v2.2.3

v2.2.2

Compare Source

Fixed
  • Support for libsqlite3-sys 0.29.0
  • Fixed a potential panic in the sqlite cursor implementation
  • Fixed support for rust numeric operators with columns of the type Numeric
  • Removed the SerializedDatabase::new function due to unsoundness

v2.2.1

Compare Source

v2.2.0

Compare Source

Added
  • Support [print_schema] except_custom_type_definitions = ["Vector"]. If a custom type matches one element on the list it's skipped.
  • Added automatic usage of all sqlite rowid aliases when no explicit primary key is defined for print-schema
  • Added a #[dsl::auto_type] attribute macro, allowing to infer type of query fragment functions
  • Added the same type inference on Selectable derives, which allows skipping specifying select_expression_type most of the time, in turn enabling most queries to be written using just a Selectable derive.
  • Added an optional #[diesel(skip_insertion)] field attribute to the Insertable derive macro, allowing fields which map to generated columns to be skipped during insertion.
  • Support for connection instrumentation. This allows to inspect any query run by your application
  • Logging in diesel-cli
  • Support for libsqlite3-sys 0.28
  • Add sqlite-integer-primary-key-is-bigint configuration option, usable with SQLite 3.37 or above, allowing to use BigInt for INTEGER PRIMARY KEY columns in SQLite for tables without the WITHOUT ROWID attribute (SQLite doc).
  • Support for multiple print_schema entry in diesel.toml (e.g. [print_schema.user1]), which allows generating multiple schema.rs files
  • Add support for COPY TO and COPY FROM statements
  • Add support for mapping chrono::Duration to postgresql's INTERVAL sql type
  • Added serialize_database_to_buffer and deserialize_readonly_database_from_buffer methods in SqliteConnection to support serialization/deserialization of SQLite databases to and from byte buffers.
  • Added SerializedDatabase wrapper type for a serialized database that is dynamically allocated by calling serialize_database_to_buffer. This RAII wrapper deallocates the memory when it goes out of scope with sqlite3_free.
Changed
  • The minimal officially supported rustc version is now 1.78.0
  • Deprecated sql_function! in favour of define_sql_function! which provides compatibility with #[dsl::auto_type]
  • Deserialization error messages now contain information about the field that failed to deserialize

v2.1.6

Compare Source

  • Fix using BoxableExpression with having clauses
  • Fix using numeric expressions with aliased fields
  • Minor documentation fixes

v2.1.5

Compare Source

  • Fix impl SqlOrd postgres > postgres_backend feature flag.
  • Allow Queryable to be used with multiple table names.
  • Fix an inconsistent unit test
  • Fix a clippy lint
  • Fix ./bin/test feature flag calls.
  • Update libsqlite3-sys to allow version 0.28 as well

v2.1.4

Compare Source

  • Update libsqlite3-sys to allow version 0.27 as well

v2.1.3

Compare Source

  • Increased accidently decreased limit around element count in DISTINCT ON and ORDER BY clauses again as that broke existing code

v2.1.2

Compare Source

v2.1.1

Compare Source

v2.1.0

Compare Source

Changed
  • The minimal officially supported rustc version is now 1.65.0
Added
  • Added the custom_type_derives config option to customize the derives for SQL
    type definitions automatically generated by Diesel CLI.
  • Add a #[derive(MultiConnection)] proc-macro that lets you easily implement diesel::Connection
    for an enum of connections to different database backends.
  • Added a --diff-schema flag to the diesel migration generate command that generates a migration based
    on the difference between your database and the provided schema.rs file
  • Add a ON CONFLICT (...) DO UPDATE ... [WHERE ...] conditional clause support for PostgreSQL.
  • Add support for MySQL's ON DUPLICATE KEY DO UPDATE syntax through the existing upsert functions.
  • Add ability to define multiple columns in a single distinct_on for PostgreSQL,
    like: .distinct_on((column_a, column_b)).
  • Added column size restrictions to the generated schema.rs file

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

v2.0.1

Compare Source

Fixed
  • Fixed an issue with diesel_cli generating incompatible type names for the generate_missing_sql_type_definitions feature on PostgreSQL
  • Fixed an issue how diesel_cli handles sqlite urls while checking if a given database exists
  • Fixed an issue with PgConnection becoming unusable after hitting a database error in certain situations
  • Fixed an issue with diesel generating invalid SQL for certain INSERT … ON CONFLICT queries
  • Fixed diesel_derives generating code that triggers the disabled by default unused_qualifications lint

v2.0.0

Compare Source

Added
  • MysqlConnection::establish is able to initiate an SSL connection while specifying certificate roots. The database URL should contain an ssl_ca parameter with a path pointing to the certificate roots. See docs if desired.

  • MysqlConnection::establish is able to initiate an SSL connection. The database URL should contain ssl_mode parameter with a value of the MySQL client command option --ssl-mode if desired.

  • Connection and SimpleConnection traits are implemented for a broader range
    of r2d2::PooledConnection<M> types when the r2d2 feature is enabled.

  • Added DatabaseErrorKind::ReadOnlyTransaction to allow applications to
    handle errors caused by writing when only allowed to read.

  • All expression methods can now be called on expressions of nullable types.

  • Added BoxedSqlQuery. This allows users to do a variable amount of .sql or
    .bind calls without changing the underlying type.

  • Added .sql to SqlQuery and UncheckedBind to allow appending SQL code to
    an existing query.

  • The MacAddr SQL type can now be used without enabling the network-address
    feature.

  • Added support for SQLite's UPSERT.
    You can use this feature above SQLite version 3.24.0.

  • Added ability to create custom aggregate functions in SQLite.

  • Multiple aggregate expressions can now appear together in the same select
    clause. See the upgrade notes for details.

  • ValidGrouping has been added to represent whether an expression is valid for
    a given group by clause, and whether or not it's aggregate. It replaces the
    functionality of NonAggregate. See the upgrade
    notes
    for details.

  • It is now possible to inspect the type of values returned from the database
    in such a way to support constructing a dynamic value depending on this type.

  • Added a without-deprecated feature that unconditionally disables deprecated items.
    Use this feature flag to verify that none of your dependencies is setting
    the with-deprecated flag internally.

  • Added support for PostgreSQL's SIMILAR TO and NOT SIMILAR TO.

  • Added #[diesel(serialize_as)] analogous to #[diesel(deserialize_as)]. This allows
    customization of the serialization behaviour of Insertable and AsChangeset structs.

  • Added support for GROUP BY clauses

  • Added support for UNION, UNION ALL, INTERSECT, INTERSECT ALL, EXCEPT, EXCEPT ALL clauses

  • Added the error position for PostgreSQL errors

  • Added ability to create custom collation functions in SQLite.

  • Added support for SQLite's IS and IS NOT.

  • Add support for HAVING clauses.

  • Added support for SQL functions without arguments for SQLite.

  • Diesel CLI will now generate SQL type definitions for SQL types that are not supported by diesel out of the box. It's possible to disable this behavior via the generate_missing_sql_type_definitions config option.

  • Added an option to #[derive(Insertable)] that let you insert NULL values instead of DEFAULT values for Option<T>

  • Added support for all the derive attributes being inside #[diesel(...)]

  • Added support for RETURNING expressions for Sqlite via the returning_clauses_for_sqlite_3_35 feature

  • Added support for table aliasing via the alias! macro

  • Added support for the usage of slices of references with belonging_to from BelongingToDsl

  • Added support for updating individual array elements UPDATE table SET array_column[1] = true

  • Adds an ipnet-address feature flag, allowing support (de)serializing IP
    values from the database using types provided by ipnet. This feature
    may be enabled concurrently with the previously existing network-address
    feature.

  • We've added support for loading values using libpq's row-by-row mode via
    the new iterator interface

  • Adds Timestamp, Timestamptz support for appropriate types for time v0.3.9.
    This feature enables using the time crate as an alternative to chrono.

Removed
  • All previously deprecated items have been removed.
  • Support for uuid version < 0.7.0 has been removed.
  • Support for bigdecimal < 0.0.13 has been removed.
  • Support for pq-sys < 0.4.0 has been removed.
  • Support for mysqlclient-sys < 0.2.5 has been removed.
  • Support for time (0.1) types has been removed.
  • Support for chrono < 0.4.19 has been removed.
  • The minimal supported version of libsqlite3-sys is now 0.17.2.
  • The NonNull trait for sql types has been removed in favour of the new SqlType trait.
  • no_arg_sql_function! has been deprecated without replacement.
    [sql_function!][sql-function-2-0-0] can now be used for functions with zero
    arguments. See the migration guide for more details.
  • Support for barrel based migrations has been removed for now. We are happy to
    add this support back as soon as barrel integrates with our new migration framework.
  • The deprecated bash completions command (diesel bash-completions) has been removed.
    Use diesel completions <shell> instead.
Changed
  • The minimal officially supported rustc version is now 1.56.0

  • Interacting with a database requires a mutable connection.

  • The way the Backend trait handles its RawValue type has
    been changed to allow non-references. Users of this type (e.g. code written
    &DB::RawValue or &<DB as Backend>::RawValue>) should use
    backend::RawValue<DB> instead. Implementors of Backend
    should check the relevant section of the migration guide.

  • The type metadata for MySQL has been changed to include sign information. If
    you are implementing HasSqlType for Mysql manually, you may need to adjust
    your implementation to fully use the new unsigned variants in MysqlType

  • The RawValue types for the Mysql and Postgresql backend where changed
    from [u8] to distinct opaque types. If you used the concrete RawValue type
    somewhere you need to change it to mysql::MysqlValue or pg::PgValue.

  • The uuidv07 feature was renamed to uuid, due to the removal of support for older uuid versions

  • Boxed queries (constructed from .into_boxed()) are now Send.

  • The handling of mixed aggregate values is more robust. Invalid queries such as
    .select(max(id) + other_column) are now correctly rejected, and valid
    queries such as .select((count_star(), max(other_column))) are now correctly
    accepted. For more details, see the migration guide.

  • NonAggregate is now a trait alias for ValidGrouping<()> for expressions
    that are not aggregate. On stable this is a normal trait with a blanket impl,
    but it should never be implemented directly. With the unstable feature, it
    will use trait aliases which prevent manual implementations.

    Due to language limitations, we cannot make the new trait alias by itself
    represent everything it used to, so in some rare cases code changes may be
    required. See the migration guide for details.

  • Various __NonExhaustive variants in different (error-) enums are replaced with
    #[non_exhaustive]. If you matched on one of those variants explicitly you need to
    introduce a wild card match instead.

  • FromSql::from_sql is changed to construct value from non nullable database values.
    To construct a rust value for nullable values use the new FromSql::from_nullable_sql
    method instead.

  • Custom sql types are now required to implement the new SqlType trait. Diesel will
    automatically create implementations of that trait for all types having a #[derive(SqlType)]

  • The workflow for manually implementing support custom types has changed. Implementing
    FromSqlRow<ST, DB> is not required anymore, as this is now implied by implementing
    FromSql<ST, DB>. The requirement of implementing Queryable<ST, DB> remains
    unchanged. For types using #[derive(FromSqlRow)] no changes are required as the
    derive automatically generates the correct code

  • The structure of our deserialization trait has changed. Loading values from the database
    requires now that the result type implements FromSqlRow<ST, DB>. Diesel provides wild
    card implementations for types implementing Queryable<ST, DB> or QueryableByName<DB>
    so non generic code does not require any change. For generic code you likely need to
    replace a trait bound on Queryable<ST, DB> with a trait bound on FromSqlRow<ST, DB>
    and a bound to QueryableByName<DB> with FromSqlRow<Untyped, DB>.

  • CLI flags of only-tables and except-tables are now interpreted as regular expressions.
    Similarly, only_tables and except_tables in diesel.toml are treated as regular expressions.

  • Now you can sort column fields by name with the column-sorting option.
    It can be set to either ordinal_position (default) or name.
    This ensures stable sorting even if columns are removed and re-added.

  • The Queryable<ST,DB> trait was updated to be made faillible, in order to properly handle
    cases where you detect a data inconsistency between fields on deserialization
    (that e.g. was supposed to be made impossible by DB CHECKs). The build function now
    returns a
    diesel::deserialize::Result<Self>
    instead of a Self.

  • TypeMetadata::MetadataLookup is now ?Sized.

  • Multiple implementations of Connection<Backend=Pg> are now possible
    because of the new PgMetadataLookup trait.

  • For the Pg backend, TypeMetadata::MetadataLookup has changed to dyn PgMetadataLookup.

  • Diesel's migration framework was rewritten from the ground. Existing migrations continue to
    be compatible with the rewrite, but code calling into diesel_migrations requires an update.
    See the migration guide for details.

  • eq_any() now emits a = ANY() expression for the postgresql backend instead of IN()

  • ne_all() now emits a != ALL() expression for the postgresql backend instead of NOT IN()

  • The sqlite backend now uses a single batch insert statement if there are now default values present
    in the values clause

  • The MySQL connection is using the CLIENT_FOUND_ROWS from now on. This means that updating rows without changing any values will return the number of matched rows (like most other SQL servers do), as opposed to the number of changed rows.

  • The definition of ToSql::to_sql and QueryFragment::walk_ast has changed to allow serializing values without
    copying the value itself. This is useful for database backends like sqlite where you can directly share a buffer
    with the database. Beside of the changed signature, existing impls of this trait should remain unchanged in almost
    all cases.

  • The PIPES_AS_CONCAT sql_mode is no longer set
    by default. This setting requires a modification to MySQL query parsing that is
    not supported by certain systems (such as Vitess). If you are using MySQL and
    executing raw queries with the || operator, you will need to rewrite your
    queries or set PIPES_AS_CONCAT manually.

Fixed
  • Many types were incorrectly considered non-aggregate when they should not
    have been. All types in Diesel are now correctly only considered
    non-aggregate if their parts are.

  • Offset clauses without limit clauses resulted into invalid sql using the mysql or
    sqlite backend. Both do not support such clauses without a preceding limit clause.
    For those backend Diesel does now generate a fake limit clause in case no explicit
    limit clause was given. As consequence of this change generic query code may
    require additional trait bounds as requested from the compiler. Third party
    backends are required to explicitly provide QueryFragment impls for
    LimitOffsetClause<L, O> now.

  • Nullability requirements are now properly enforced for nested joins.
    Previously, only the rules for the outer-most join were considered. For
    example, users.left_join(posts).left_join(comments) would allow selecting
    any columns from posts. That will now fail to compile, and any selections
    from posts will need to be made explicitly nullable.

  • Diesel CLI will now look for diesel.toml to determine the project root
    before looking for Cargo.toml.

  • Any relative paths in diesel.toml will now be treated as relative to the
    project root (the directory containing either diesel.toml or Cargo.toml).
    They are no longer dependent on the current working directory (for all
    directories in the same project)

  • The SQLite backend is now configured to interpret URIs.
    See the SQLite URI documentation for additional details.

  • We've refactored our type translation layer for Mysql to handle more types now.

  • We've refactored our type level representation of nullable values. This allowed us to
    fix multiple long standing bugs regarding the correct handling of nullable values in some
    corner cases (#​104, #​2274)

  • Parenthesis are now inserted around all infix operations provided by diesel's ExpressionMethods traits

  • Queries containing a distinct on clause check now on compile time that a compatible order clause was set.

  • Implementations of custom SQLite SQL functions now check for panics

  • diesel print-schema now generates Array<Nullable<ST>> rather than Array<ST> for Postgres Array types. Existence of
    NULL values in database arrays would previously result in deserialization errors. Non-nullable arrays are now opt
    in (by schema patching).

Deprecated
  • All the diesel derive attributes that are not inside #[diesel(...)]

  • diesel_(prefix|postfix|infix)_operator! have been deprecated. These macros
    are now available without the diesel_ prefix. With Rust 2018 they can be
    invoked as diesel::infix_operator! instead.

  • diesel::pg::upsert has been deprecated to support upsert queries on more than one backend.
    Please use diesel::upsert instead.

  • diesel::dsl::any and diesel::dsl::all are now deprecated in
    favour of ExpressionMethods::eq_any() and ExpressionMethods::ne_all()


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants