Deps.rs

iggy-rs / iggy

[![dependency status](https://deps.rs/repo/github/iggy-rs/iggy/status.svg)](https://deps.rs/repo/github/iggy-rs/iggy)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate bdd

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 cucumber^0.220.22.1up to date

Crate iggy-mcp

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 rmcp^0.12.00.12.0up to date

Crate iggy-bench

Dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 governor^0.10.40.10.4up to date
 hostname^0.4.20.4.2up to date
 rayon^1.11.01.11.0up to date

Crate bench-dashboard-frontend

Dependencies

(7 total, all up-to-date)

CrateRequiredLatestStatus
 getrandom^0.30.3.4up to date
 gloo^0.110.11.0up to date
 js-sys^0.30.3.83up to date
 wasm-bindgen^0.20.2.106up to date
 web-sys^0.30.3.83up to date
 yew^0.220.22.0up to date
 yew-router^0.190.19.0up to date

Crate iggy-bench-dashboard-server

Dependencies

(7 total, all up-to-date)

CrateRequiredLatestStatus
 actix-cors^0.7.10.7.1up to date
 actix-files^0.6.90.6.9up to date
 actix-web^4.12.14.12.1up to date
 file-operation^0.8.80.8.11up to date
 notify^8.2.08.2.0up to date
 octocrab^0.49.40.49.5up to date
 walkdir^2.5.02.5.0up to date

Crate bench-dashboard-shared

No external dependencies! 🙌

Crate bench-report

No external dependencies! 🙌

Crate bench-runner

Dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 dircpy^0.3.190.3.19up to date
 git2^0.20.30.20.3up to date

Crate iggy_binary_protocol

No external dependencies! 🙌

Crate iggy-cli

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 clap_complete^4.5.634.5.65up to date

Crate clock

No external dependencies! 🙌

Crate iggy_common

Dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 fast-async-mutex^0.6.70.6.7up to date
 rcgen^0.14.60.14.6up to date
 ring^0.17.140.17.14up to date
 slab^0.4.110.4.11up to date

Crate iggy-connectors

No external dependencies! 🙌

Crate iggy_connector_sdk

Dependencies

(6 total, all up-to-date)

CrateRequiredLatestStatus
 base64^0.22.10.22.1up to date
 flatbuffers^25.12.1925.12.19up to date
 prost^0.14.10.14.3up to date
 prost-types^0.14.10.14.3up to date
 protox^0.9.10.9.1up to date
 protox-parse^0.9.00.9.0up to date

Crate iggy_connector_elasticsearch_sink

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 elasticsearch^9.1.0-alpha.1N/Aup to date

Crate iggy_connector_iceberg_sink

No external dependencies! 🙌

Crate iggy_connector_postgres_sink

Dependencies

(1 total, 1 possibly insecure)

CrateRequiredLatestStatus
 sqlx ⚠️^0.80.8.6maybe insecure

Crate iggy_connector_quickwit_sink

No external dependencies! 🙌

Crate iggy_connector_stdout_sink

No external dependencies! 🙌

Crate iggy_connector_elasticsearch_source

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 elasticsearch^9.1.0-alpha.1N/Aup to date

Crate iggy_connector_postgres_source

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 sqlx^0.8.60.8.6up to date

Crate iggy_connector_random_source

No external dependencies! 🙌

Crate consensus

No external dependencies! 🙌

Crate integration

Dependencies

(6 total, all up-to-date)

CrateRequiredLatestStatus
 assert_cmd^2.1.12.1.2up to date
 ctor^0.6.30.6.3up to date
 libc^0.2.1780.2.180up to date
 rcgen^0.14.60.14.6up to date
 rmcp^0.12.00.12.0up to date
 testcontainers-modules^0.14.00.14.0up to date

Crate journal

No external dependencies! 🙌

Crate message_bus

No external dependencies! 🙌

Crate metadata

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 slab^0.4.110.4.11up to date

Crate partitions

No external dependencies! 🙌

Crate iggy

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 num_cpus^1.17.01.17.0up to date

Crate server

Dependencies

(23 total, all up-to-date)

CrateRequiredLatestStatus
 arcshift^0.4.20.4.2up to date
 ctrlc^3.53.5.1up to date
 hash32^1.0.01.0.0up to date
 jsonwebtoken^10.2.010.2.0up to date
 lending-iterator^0.1.70.1.7up to date
 mime_guess^2.02.0.5up to date
 moka^0.12.120.12.12up to date
 opentelemetry^0.31.00.31.0up to date
 opentelemetry-appender-tracing^0.31.10.31.1up to date
 opentelemetry-otlp^0.31.00.31.0up to date
 opentelemetry-semantic-conventions^0.31.00.31.0up to date
 opentelemetry_sdk^0.31.00.31.0up to date
 papaya^0.2.30.2.3up to date
 prometheus-client^0.24.00.24.0up to date
 ringbuffer^0.16.00.16.0up to date
 rust-embed^8.9.08.9.0up to date
 rustls-pemfile^2.2.02.2.0up to date
 send_wrapper^0.6.00.6.0up to date
 slab^0.4.110.4.11up to date
 socket2^0.6.10.6.1up to date
 static-toml^1.3.01.3.0up to date
 tracing-opentelemetry^0.32.00.32.0up to date
 ulid^1.2.11.2.1up to date

Build dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 figment^0.10.190.10.19up to date
 vergen-git2^1.0.71.0.7up to date

Crate tools

No external dependencies! 🙌

Crate iggy_examples

No external dependencies! 🙌

Security Vulnerabilities

sqlx: Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts

RUSTSEC-2024-0363

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic, for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint() can be used for sanity checks, but do not assume that the size returned is accurate. For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size, so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

sqlx 0.8.1 has been released with the fix: https://github.com/launchbadge/sqlx/blob/main/CHANGELOG.md#081---2024-08-23

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated: https://github.com/launchbadge/sqlx/issues/3440#issuecomment-2307956901

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.