This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 2.2.2 are affected.
Mitigation
The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes
fixes for the problem.
As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.
For web application backends, consider adding some middleware that limits the size of request bodies by default.
Resolution
Diesel now uses #[deny] directives for the following Clippy lints:
A bug introduced in rustls 0.23.13 leads to a panic if the received
TLS ClientHello is fragmented. Only servers that use
rustls::server::Acceptor::accept() are affected.
Servers that use tokio-rustls's LazyConfigAcceptor API are affected.
Servers that use tokio-rustls's TlsAcceptor API are not affected.
Servers that use rustls-ffi's rustls_acceptor_accept API are affected.
hashbrown: Borsh serialization of HashMap is non-canonical
The borsh serialization of the HashMap did not follow the borsh specification.
It potentially produced non-canonical encodings dependent on insertion order.
It also did not perform canonicty checks on decoding.
This can result in consensus splits and cause equivalent objects to be
considered distinct.
This was patched in 0.15.1.
tracing-subscriber: Logging user input may result in poisoning logs with ANSI escape sequences
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
Manipulate terminal title bars
Clear screens or modify terminal display
Potentially mislead users through terminal manipulation
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
This was patched in PR #3368 to escape ANSI control characters from user input.
In the unique reclaim path of BytesMut::reserve, the condition
if v_capacity >= new_cap + offset
uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.
This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
use bytes::*;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
// Ensure b becomes the unique owner of the backing storage
drop(a);
// Trigger overflow in new_cap + offset inside reserve
b.reserve(usize::MAX - 6);
// This call relies on the corrupted cap and may cause UB & HBO
b.put_u8(b'h');
}
Workarounds
Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.
When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
service attack via stack exhaustion is possible. The attack relies on formally deprecated and
rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
non-malicious input will never encounter this scenario.
Patches
A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
rather than exhausting the stack.
Workarounds
Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
the stack consumed would be at most a factor of the length of the input.
diesel: Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`
Diesel allows users to configure various options for PostgreSQL's COPY FROM and COPY TO statements. These configurations are partially provided as strings or characters.
Diesel did not check if any these user-provided options contain a quote character ', which can lead to the injection of additional options in the current COPY FROM/COPY TO statement.
This vulnerability affects any user of COPY FROM/COPY TO that passes user-provided input to any of the affected functions. It can result in modifications of options in the current statement, but it is not possible inject additional statements.
Mitigation
The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now correctly escapes any quotes contained in the provided arguments.
diesel: Possible unaligned data access for implementations of `SqliteAggregate`
Diesel allows to register custom aggregate SQL functions for SQLite via the SqliteAggregate interface.
To store an instance of the custom aggregate processor Diesel relied on the sqlite3_aggregate_context function provided by sqlite. This function doesn't provide any guarantees about alignment of the returned allocation, which in turn can lead to problems if the type implementing requires a special alignment, e.g. via a custom #[align(x)] attribute on the type implementing this trait. This affects any user of SqliteAggregate that registers the custom aggregate function with an SQLite connection, while using a non-standard alignment on the type implementing this trait.
Mitigation
The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now allocates the corresponding memory on Rust side to get a correctly aligned allocation.
tokio-postgres: Panic on a `DataRow` with fewer fields than columns allows denial of service
A malicious or compromised server can send a row containing fewer fields than
its row description declares columns. Reading one of the missing columns then
panics with an out-of-bounds index, aborting the calling task. This affects even
the otherwise non-panicking try_get, and both Row and SimpleQueryRow.
Applications that connect only to a trusted database are not exposed; the risk
applies to clients that may connect to untrusted or user-supplied servers, or
whose connection can be intercepted by a man-in-the-middle.