This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate bdd

Dev dependencies

(1 total, all up-to-date)

Crate      Required   Latest   Status
cucumber   ^0.21      0.21.1   up to date

Crate iggy-bench

Dependencies

(3 total, all up-to-date)

Crate      Required   Latest   Status
governor   ^0.10.0    0.10.0   up to date
hostname   ^0.4.1     0.4.1    up to date
rayon      ^1.10.0    1.10.0   up to date

Crate bench-dashboard-frontend

Dependencies

(8 total, all up-to-date)

Crate          Required   Latest    Status
getrandom      ^0.3       0.3.3     up to date
gloo           ^0.11      0.11.0    up to date
js-sys         ^0.3       0.3.77    up to date
wasm-bindgen   ^0.2       0.2.100   up to date
web-sys        ^0.3       0.3.77    up to date
yew            ^0.21      0.21.0    up to date
yew-hooks      ^0.3.3     0.3.3     up to date
yew-router     ^0.18      0.18.0    up to date

Crate bench-dashboard-server

Dependencies

(7 total, all up-to-date)

Crate            Required   Latest   Status
actix-cors       ^0.7.1     0.7.1    up to date
actix-files      ^0.6.6     0.6.6    up to date
actix-web        ^4.11.0    4.11.0   up to date
file-operation   ^0.5.12    0.5.16   up to date
notify           ^8.0.0     8.1.0    up to date
octocrab         ^0.44.1    0.44.1   up to date
walkdir          ^2.5.0     2.5.0    up to date

Crate bench-dashboard-shared

No external dependencies! 🙌

Crate bench-report

No external dependencies! 🙌

Crate bench-runner

Dependencies

(2 total, all up-to-date)

Crate    Required   Latest   Status
dircpy   ^0.3.19    0.3.19   up to date
git2     ^0.20.2    0.20.2   up to date

Crate iggy_binary_protocol

No external dependencies! 🙌

Crate iggy-cli

Dependencies

(1 total, all up-to-date)

Crate           Required   Latest   Status
clap_complete   ^4.5.54    4.5.55   up to date

Crate iggy_common

Dependencies

(2 total, 1 outdated)

Crate              Required   Latest   Status
fast-async-mutex   ^0.6.7     0.6.7    up to date
rcgen              ^0.13.2    0.14.2   out of date

Crate iggy-connectors

No external dependencies! 🙌

Crate iggy_connector_sdk

Dependencies

(6 total, 5 outdated)

Crate          Required   Latest    Status
base64         ^0.22.1    0.22.1    up to date
flatbuffers    ^24.3.25   25.2.10   out of date
prost          ^0.13.5    0.14.1    out of date
prost-types    ^0.13.5    0.14.1    out of date
protox         ^0.8.0     0.9.0     out of date
protox-parse   ^0.8.0     0.9.0     out of date

Crate iggy_connector_postgres_sink

Dependencies

(1 total, 1 possibly insecure)

Crate     Required   Latest   Status
sqlx ⚠️   ^0.8       0.8.6    maybe insecure

Crate iggy_connector_quickwit_sink

No external dependencies! 🙌

Crate iggy_connector_stdout_sink

No external dependencies! 🙌

Crate iggy_connector_postgres_source

Dependencies

(1 total, 1 possibly insecure)

Crate     Required   Latest   Status
sqlx ⚠️   ^0.8       0.8.6    maybe insecure

Crate iggy_connector_random_source

No external dependencies! 🙌

Crate integration

Dependencies

(4 total, 1 outdated)

Crate        Required   Latest    Status
assert_cmd   ^2.0.17    2.0.17    up to date
ctor         ^0.4.2     0.4.2     up to date
libc         ^0.2.174   0.2.174   up to date
rcgen        ^0.13.2    0.14.2    out of date

Crate iggy

Dependencies

(1 total, all up-to-date)

Crate      Required   Latest   Status
num_cpus   ^1.17.0    1.17.0   up to date

Crate server

Dependencies

(18 total, all up-to-date)

Crate                                Required   Latest    Status
error_set                            ^0.8.5     0.8.5     up to date
figment                              ^0.10.19   0.10.19   up to date
jsonwebtoken                         ^9.3.1     9.3.1     up to date
lending-iterator                     ^0.1.7     0.1.7     up to date
moka                                 ^0.12.10   0.12.10   up to date
nix                                  ^0.30      0.30.1    up to date
once_cell                            ^1.21.3    1.21.3    up to date
opentelemetry                        ^0.30.0    0.30.0    up to date
opentelemetry-appender-tracing       ^0.30.1    0.30.1    up to date
opentelemetry-otlp                   ^0.30.0    0.30.0    up to date
opentelemetry-semantic-conventions   ^0.30.0    0.30.0    up to date
opentelemetry_sdk                    ^0.30.0    0.30.0    up to date
prometheus-client                    ^0.23.1    0.23.1    up to date
ring                                 ^0.17.14   0.17.14   up to date
rustls-pemfile                       ^2.2.0     2.2.0     up to date
static-toml                          ^1.3.0     1.3.0     up to date
tracing-opentelemetry                ^0.31.0    0.31.0    up to date
ulid                                 ^1.2.1     1.2.1     up to date

Build dependencies

(2 total, all up-to-date)

Crate         Required   Latest    Status
figment       ^0.10.19   0.10.19   up to date
vergen-git2   ^1.0.7     1.0.7     up to date

Crate tools

No external dependencies! 🙌

Crate iggy_examples

No external dependencies! 🙌

Security Vulnerabilities

sqlx: Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts

RUSTSEC-2024-0363

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic, for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint() can be used for sanity checks, but do not assume that the size returned is accurate. For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size, so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

sqlx 0.8.1 has been released with the fix: https://github.com/launchbadge/sqlx/blob/main/CHANGELOG.md#081---2024-08-23

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated: https://github.com/launchbadge/sqlx/issues/3440#issuecomment-2307956901

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.
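The advisory above turns on one arithmetic detail: a payload length that is cast to the 32-bit wire prefix with a truncating cast wraps instead of failing, so the prefix no longer matches the bytes that follow it. The example below is added here to illustrate that mechanism and the two checks the advisory recommends; it is not code from sqlx, from the Apache Iggy project or from the deps.rs report. It uses only the Rust standard library, the length-prefixed frame layout (4-byte big-endian length followed by the body) is a simplified stand-in for the real Postgres encoding, and the function names, the `MAX_PREFIXED_LEN` constant and the application-level `limit` parameter are all assumptions made for the illustration.

```rust
// Added example (not sqlx's, iggy's or deps.rs's own code): contrasts a
// truncating `as u32` cast on a payload length with a checked conversion,
// and shows an application-level size guard applied before encoding.
use std::convert::TryFrom;

/// Largest body a 32-bit length prefix can describe (assumed bound for
/// this illustration; matches the "4 GiB" figure in the advisory).
const MAX_PREFIXED_LEN: u64 = u32::MAX as u64;

/// The risky pattern: `len as u32` silently wraps. A body of 4 GiB + 5
/// bytes gets a prefix of 5, so a peer reads five bytes as the value and
/// then parses the remaining bytes as whatever follows in the protocol.
/// Lengths are u64 here so the demonstration does not allocate 4 GiB.
fn truncating_prefix(len: u64) -> u32 {
    len as u32
}

/// The safe pattern: the conversion fails instead of wrapping, and the
/// caller surfaces the failure as an error rather than sending a frame.
fn checked_prefix(len: u64) -> Result<u32, String> {
    u32::try_from(len)
        .map_err(|_| format!("body of {len} bytes exceeds the 32-bit length prefix"))
}

/// Application-level guard from the advisory's mitigation section: reject
/// untrusted input before it reaches the driver, using a limit far below
/// the protocol bound (a web backend would pick something like a body cap).
fn validate_untrusted_len(len: u64, limit: u64) -> Result<(), String> {
    if len > limit {
        return Err(format!("input of {len} bytes exceeds configured limit of {limit}"));
    }
    if len > MAX_PREFIXED_LEN {
        return Err(format!("input of {len} bytes cannot be length-prefixed"));
    }
    Ok(())
}

/// Append one length-prefixed parameter (simplified layout: 4-byte
/// big-endian length, then the body). The prefix is computed with the
/// checked conversion, so prefix and body can never disagree.
fn encode_param(buf: &mut Vec<u8>, value: &[u8]) -> Result<(), String> {
    let prefix = checked_prefix(value.len() as u64)?;
    buf.extend_from_slice(&prefix.to_be_bytes());
    buf.extend_from_slice(value);
    Ok(())
}

/// Read one frame back; returns the body and the unconsumed tail. With a
/// wrapped prefix the tail would contain the rest of the oversized body,
/// which is exactly the misinterpretation the advisory describes.
fn decode_param(frame: &[u8]) -> Result<(&[u8], &[u8]), String> {
    if frame.len() < 4 {
        return Err("frame shorter than length prefix".to_string());
    }
    let len = u32::from_be_bytes([frame[0], frame[1], frame[2], frame[3]]) as usize;
    let body = frame.get(4..4 + len).ok_or("prefix exceeds frame")?;
    Ok((body, &frame[4 + len..]))
}

fn main() {
    // Constructed values: an oversized length and a small real parameter.
    let oversized = (1u64 << 32) + 5;
    println!("truncating cast of {oversized}: prefix = {}", truncating_prefix(oversized));
    println!("checked cast of {oversized}: {:?}", checked_prefix(oversized));
    println!("guard at 1 MiB: {:?}", validate_untrusted_len(oversized, 1 << 20));

    let mut frame = Vec::new();
    encode_param(&mut frame, b"alice").expect("small value encodes");
    let (body, tail) = decode_param(&frame).expect("well-formed frame");
    println!("decoded {:?}, {} trailing bytes", std::str::from_utf8(body), tail.len());
}
```

The point for a consumer of a driver is the middle function: the protocol-level fix (the checked cast) lives in the library, and upgrading to sqlx 0.8.1 is what actually closes the hole, but an input limit enforced in the application is cheap, independent of the driver version, and exactly what the advisory's mitigation section asks for.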