This PR contains the following updates:

| Package | Change |
|---|---|
| [diesel](https://github.com/diesel-rs/diesel) | `2.2.2` -> `2.2.3` |

### GitHub Vulnerability Alerts

#### GHSA-wq9x-qwcq-mmgf

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:

It appears Diesel does perform truncating casts in a way that could be problematic, for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36

This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 2.2.2 are affected.

#### Mitigation

The preferred mitigation for the outlined problem is to update to a Diesel version newer than 2.2.2, which includes fixes for the problem.

As always, you should make sure your application validates untrusted user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if they push the message size over this 4 GiB bound.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

#### Resolution

Diesel now uses `#[deny]` directives for the following Clippy lints:

- `cast_possible_truncation`
- `cast_possible_wrap`
- `cast_sign_loss`

to prevent casts that would lead to precision loss or other truncations. Additionally, we performed an audit of the relevant code.
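As an added example (not Diesel's code), the following Rust puts the truncating-cast pattern the advisory describes beside the checked conversion that the Resolution section's Clippy lints enforce, and adds the input-size guard the Mitigation section recommends; the function names and the `MAX_BIND_LEN` constant are assumptions, not Diesel's API.

```rust
// Added example, not Diesel's code. It reproduces the class of defect the
// advisory describes (a truncating `as` cast on a bind-parameter length)
// next to the checked conversion and the input-size guard the mitigation
// recommends. Names and the constant below are hypothetical. Assumes a
// 64-bit target so that a length above 4 GiB fits in usize.

use std::convert::TryFrom;

// The PostgreSQL wire protocol carries each bind-parameter length as a
// signed 32-bit integer, so anything larger cannot be represented.
const MAX_BIND_LEN: usize = i32::MAX as usize;

/// Defect pattern: `as` silently keeps only the low 32 bits. A 4 GiB + 5
/// byte buffer is reported to the server as 5 bytes, and a 2 GiB buffer
/// becomes a negative length. The lints Diesel now denies would flag this
/// cast; they are allowed here only so the defect can be shown.
#[allow(clippy::cast_possible_truncation, clippy::cast_possible_wrap)]
fn truncating_len(len: usize) -> i32 {
    len as i32
}

/// Hardened form: a checked conversion that refuses unrepresentable
/// lengths instead of wrapping them, with the advisory's lints denied.
#[deny(clippy::cast_possible_truncation, clippy::cast_possible_wrap, clippy::cast_sign_loss)]
fn checked_len(len: usize) -> Result<i32, String> {
    i32::try_from(len).map_err(|_| format!("bind parameter of {len} bytes exceeds the protocol limit"))
}

/// Application-side guard from the Mitigation section: reject oversized
/// input before it reaches the query builder, measuring the bytes after
/// encoding so the 4 GiB bound is checked on what would actually be sent.
fn validate_param(encoded: &[u8]) -> Result<&[u8], String> {
    if encoded.len() > MAX_BIND_LEN {
        return Err(format!("input of {} bytes rejected", encoded.len()));
    }
    Ok(encoded)
}

fn main() {
    // 4 GiB + 5 bytes, expressed as a length only; nothing is allocated.
    let oversized = (1usize << 32) + 5;
    println!("truncating cast reports {} bytes", truncating_len(oversized));
    println!("checked conversion: {:?}", checked_len(oversized));
    println!("2 GiB through the truncating cast: {}", truncating_len(1usize << 31));
}
```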
A fix is included in the 2.2.3 release.

### Release Notes

diesel-rs/diesel (diesel)

### [`v2.2.3`](https://redirect.github.com/diesel-rs/diesel/releases/tag/v2.2.3): Diesel 2.2.3

[Compare Source](https://redirect.github.com/diesel-rs/diesel/compare/v2.2.2...v2.2.3)

- Support for libsqlite3-sys 0.30.0
- Fixed a possible vulnerability in how Diesel handled protocol level bind parameters. See the [SQL Injection isn't Dead: Smuggling Queries at Protocol Level](http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf) presentation from DEF CON for details
- Fixed an issue with a possibly ambiguous trait resolution in `#[derive(QueryableByName)]`

You can support the development of diesel by contributions or by sponsoring the project on GitHub.

Full Changelog: https://github.com/diesel-rs/diesel/compare/v2.2.2...v2.2.3

### Configuration

- 📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8pm,before 6am" in timezone America/Los_Angeles.
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.