maxcountryman / tower-sessions-stores

🚃 Previously bundled session stores for `tower-sessions`.
https://github.com/maxcountryman/tower-sessions
MIT License

Potential security issue: Possible SQL injection in the SQLx implementation #2

Closed weiznich closed 5 months ago

weiznich commented 5 months ago

The current version of the tower-sessions-sqlx-store crate is vulnerable to SQL injection, as it uses `format!` on user-provided, potentially untrusted inputs:

https://github.com/maxcountryman/tower-sessions/blob/763133104290abb3fc4af6bbfd7a19609cb9fc39/sqlx-store/src/postgres_store.rs#L91

maxcountryman commented 5 months ago

Thanks for flagging this.

Somewhat orthogonal, but there's also an open issue related to how the database URL is parsed: https://github.com/maxcountryman/tower-sessions-stores/issues/1

I'm open to reworking this entirely to ensure better security and UX.

weiznich commented 5 months ago

Given my previous interactions with this project I'm not willing to work on a fix. I mostly filed this issue so that users are aware of it. It might also be worth filing a RustSec advisory for this soon.

maxcountryman commented 5 months ago

SQLite and Postgres are protected by their respective input sanitizers. For example:

called `Result::unwrap()` on an `Err` value: "Invalid table name '; drop table users;'. Table names must be alphanumeric and may contain hyphens or underscores."

And MySQL does not allow configuring the schema or table names; instead, they are hardcoded.
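The defence the last comment describes, an identifier whitelist applied before a schema or table name is interpolated into SQL, as an added example in Rust. This is not code from tower-sessions-stores or its author; the type and function names (`ValidIdent`, `build_delete_query`, `delete_query_from_config`) are hypothetical, and the `$1` placeholder assumes Postgres-style bind parameters. It shows why a whitelist is needed at all: identifiers cannot be bound as query parameters, so the only safe options are a strict character whitelist (as here) or hardcoding them (as the MySQL store does), while values such as the session id are still bound, never formatted in.

```rust
// Added example, not code from tower-sessions-stores. Schema and table names
// come from configuration and cannot be bound as parameters, so they are
// validated against a character whitelist before being interpolated. Values
// (the session id) are left to a bind parameter and never pass through format!.

/// An identifier that has passed the character whitelist. Constructing it is
/// the only way to get a name into a query string.
#[derive(Debug, Clone, PartialEq)]
pub struct ValidIdent(String);

impl ValidIdent {
    /// Same rule as the error message quoted in the thread: ASCII
    /// alphanumerics, hyphens and underscores only. Anything else, including
    /// quotes, semicolons, spaces and an empty string, is rejected.
    pub fn new(raw: &str) -> Result<Self, String> {
        let allowed = !raw.is_empty()
            && raw
                .chars()
                .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_');
        if allowed {
            Ok(ValidIdent(raw.to_string()))
        } else {
            Err(format!(
                "Invalid identifier '{raw}'. Identifiers must be alphanumeric and may contain hyphens or underscores."
            ))
        }
    }

    /// Double-quote the identifier so a hyphenated name is legal in Postgres
    /// and the name is never parsed as a keyword. The whitelist guarantees the
    /// string contains no double quote, so no escaping is required here.
    pub fn quoted(&self) -> String {
        format!("\"{}\"", self.0)
    }
}

/// Build a DELETE statement. Only `ValidIdent` values can be interpolated;
/// the session id is a bind parameter ($1) supplied when the query executes.
pub fn build_delete_query(schema: &ValidIdent, table: &ValidIdent) -> String {
    format!(
        "DELETE FROM {}.{} WHERE id = $1",
        schema.quoted(),
        table.quoted()
    )
}

/// Validate both configured names and build the query, returning the first
/// validation error instead of ever producing a statement from raw input.
pub fn delete_query_from_config(schema: &str, table: &str) -> Result<String, String> {
    let schema = ValidIdent::new(schema)?;
    let table = ValidIdent::new(table)?;
    Ok(build_delete_query(&schema, &table))
}

fn main() {
    // Constructed inputs: a benign configuration and the payload from the thread.
    println!("{:?}", delete_query_from_config("tower_sessions", "session"));
    println!("{:?}", delete_query_from_config("public", "; drop table users;"));
}
```

Keeping the validated name in a newtype means a reviewer can check injection safety by looking at one constructor rather than at every `format!` call site; the hardcoded-name approach of the MySQL store removes even that constructor.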