Closed: weiznich closed this 5 months ago
Thanks for flagging this.
Somewhat orthogonal, but there's also an open issue related to how the database URL is parsed: https://github.com/maxcountryman/tower-sessions-stores/issues/1
I'm open to reworking this entirely to ensure better security and UX.
Given my previous interactions with this project I'm not willing to work on a fix. I mostly filed that issue so that users are aware of it. It might also be worth filing a RustSec advisory for this soon.
SQLite and Postgres are protected by their respective input sanitizers. For example:
called `Result::unwrap()` on an `Err` value: "Invalid table name '; drop table users;'. Table names must be alphanumeric and may contain hyphens or underscores."
And MySQL does not allow configuration of the schema or table names and instead they are hardcoded.
The current version of the `tower-sessions-sqlx-store` crate is vulnerable to SQL injection as it uses `format!` on user-provided, potentially untrusted inputs: https://github.com/maxcountryman/tower-sessions/blob/763133104290abb3fc4af6bbfd7a19609cb9fc39/sqlx-store/src/postgres_store.rs#L91
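As an added example, not tower-sessions' or sqlx's own code, here is the allow-list check the maintainer describes (alphanumeric, hyphens and underscores only), applied before a schema or table name is interpolated with `format!`, since SQL engines cannot bind identifiers as parameters. The function names, the `expiry_date` column and the DELETE statement shape are assumptions; only the validated identifier is interpolated, while the expiry value stays a bound parameter.

```rust
// Added example (not the crate's own code): allow-list validation for a SQL
// identifier that must be interpolated into a query string. The rule mirrors
// the error message quoted in the thread.

#[derive(Debug, PartialEq)]
pub struct InvalidTableName(pub String);

/// Accepts only non-empty names made of ASCII alphanumerics, '-' or '_'.
/// Anything else (spaces, quotes, semicolons, comment markers) is rejected.
pub fn validate_table_name(name: &str) -> Result<&str, InvalidTableName> {
    let ok = !name.is_empty()
        && name
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_');
    if ok {
        Ok(name)
    } else {
        Err(InvalidTableName(format!(
            "Invalid table name '{}'. Table names must be alphanumeric and \
             may contain hyphens or underscores.",
            name
        )))
    }
}

/// Hypothetical expiry query: both identifiers are validated first, then
/// quoted (a hyphenated name would not parse unquoted; a double quote can
/// never appear because the allow-list excludes it). The timestamp stays a
/// bound parameter ($1) rather than being formatted into the string.
pub fn delete_expired_sql(schema: &str, table: &str) -> Result<String, InvalidTableName> {
    let schema = validate_table_name(schema)?;
    let table = validate_table_name(table)?;
    Ok(format!(
        r#"DELETE FROM "{}"."{}" WHERE expiry_date < $1"#,
        schema, table
    ))
}

fn main() {
    // Constructed inputs: a normal name and the injection string from the thread.
    println!("{:?}", delete_expired_sql("public", "sessions"));
    println!("{:?}", delete_expired_sql("public", "; drop table users;"));
}
```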