zed-industries / zed

Crate	Required	Latest	Status
rodio	`^0.20.0`	`0.20.1`	up to date

Crate	Required	Latest	Status
ipc-channel	`^0.19`	`0.19.0`	up to date

Crate	Required	Latest	Status
async-recursion	`^0.3`	`1.1.1`	out of date
tiny_http	`^0.8`	`0.12.0`	out of date
tokio-socks	`^0.5.2`	`0.5.2`	up to date

Crate	Required	Latest	Status
aws-config	`^1.1.5`	`1.6.0`	up to date
aws-sdk-s3	`^1.15.0`	`1.79.0`	up to date
aws-sdk-kinesis	`^1.51.0`	`1.64.0`	up to date
axum	`^0.6`	`0.8.1`	out of date
axum-extra	`^0.4`	`0.10.0`	out of date
envy	`^0.4.2`	`0.4.2`	up to date
prometheus	`^0.13`	`0.13.4`	up to date
reqwest	`^0.11`	`0.12.15`	out of date
scrypt	`^0.11`	`0.11.0`	up to date
sea-orm	`^1.1.0-rc.1`	`1.1.7`	up to date
sqlx ⚠️	`^0.8`	`0.8.3`	maybe insecure
tower	`^0.4`	`0.5.2`	out of date
tracing	`^0.1.40`	`0.1.41`	up to date
tracing-subscriber	`^0.3.18`	`0.3.19`	up to date

Crate	Required	Latest	Status
sea-orm	`^1.1.0-rc.1`	`1.1.7`	up to date
sqlx ⚠️	`^0.8`	`0.8.3`	maybe insecure

Crate	Required	Latest	Status
mdbook	`^0.4.40`	`0.4.47`	up to date

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.219`	up to date
serde_json	`^1.0`	`1.0.140`	up to date
wit-bindgen	`^0.22`	`0.41.0`	out of date

Crate	Required	Latest	Status
human_bytes	`^0.4.1`	`0.4.3`	up to date

Crate	Required	Latest	Status
async-task	`^4.7`	`4.7.1`	up to date
backtrace	`^0.3`	`0.3.74`	up to date
bytemuck	`^1`	`1.22.0`	up to date
etagere	`^0.2`	`0.2.15`	up to date
image	`^0.25.1`	`0.25.5`	up to date
num_cpus	`^1.13`	`1.16.0`	up to date
parking	`^2.0.0`	`2.2.1`	up to date
raw-window-handle	`^0.6`	`0.6.2`	up to date
resvg	`^0.45.0`	`0.45.0`	up to date
usvg	`^0.45.0`	`0.45.0`	up to date
seahash	`^4.1`	`4.1.0`	up to date
slotmap	`^1.0.6`	`1.0.7`	up to date
taffy	`^0.4.3`	`0.7.7`	out of date
waker-fn	`^1.2.0`	`1.2.0`	up to date
lyon	`^1.0`	`1.0.1`	up to date

Crate	Required	Latest	Status
backtrace	`^0.3`	`0.3.74`	up to date
lyon	`^1.0`	`1.0.1`	up to date

Crate	Required	Latest	Status
unicase	`^2.6`	`2.8.1`	up to date

Crate	Required	Latest	Status
cpal	`^0.15`	`0.15.3`	up to date
http	`^0.2.1`	`1.3.1`	out of date

Crate	Required	Latest	Status
async-broadcast	`^0.7`	`0.7.2`	up to date

Crate	Required	Latest	Status
bindgen	`^0.70.0`	`0.71.1`	out of date

Crate	Required	Latest	Status
walkdir	`^2.5.0`	`2.5.0`	up to date

Crate	Required	Latest	Status
backtrace	`^0.3`	`0.3.74`	up to date

Crate	Required	Latest	Status
arrayvec	`^0.7.1`	`0.7.6`	up to date

Crate	Required	Latest	Status
criterion	`^0.5`	`0.5.1`	up to date

Crate	Required	Latest	Status
tracing	`^0.1.34`	`0.1.41`	up to date

Crate	Required	Latest	Status
thread_local	`^1.1.4`	`1.1.8`	up to date

Crate	Required	Latest	Status
ctrlc	`^3.4`	`3.4.5`	up to date
dialoguer	`^0.11.0`	`0.11.0`	up to date

Crate	Required	Latest	Status
arrayvec	`^0.7.1`	`0.7.6`	up to date

Crate	Required	Latest	Status
vscode_theme	`^0.2.0`	`0.2.0`	up to date

Crate	Required	Latest	Status
tokio ⚠️	`^1.15`	`1.44.1`	maybe insecure

Crate	Required	Latest	Status
bincode	`^1.2.1`	`2.0.1`	out of date

Crate	Required	Latest	Status
backtrace	`^0.3`	`0.3.74`	up to date
mimalloc	`^0.1`	`0.1.44`	up to date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

Crate	Required	Latest	Status
serde	`^1`	`1.0.219`	up to date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date
serde_json	`^1.0`	`1.0.140`	up to date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.3.0`	out of date

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic, for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint() can be used for sanity checks, but do not assume that the size returned is accurate. For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size, so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

sqlx 0.8.1 has been released with the fix: https://github.com/launchbadge/sqlx/blob/main/CHANGELOG.md#081---2024-08-23

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated: https://github.com/launchbadge/sqlx/issues/3440#issuecomment-2307956901

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.

zed-industries / zed

Crate activity_indicator

Crate anthropic

Crate askpass

Crate assets

Crate assistant

Crate assistant2

Crate assistant_context_editor

Crate assistant_eval

Crate assistant_settings

Crate assistant_slash_command

Crate assistant_slash_commands

Crate assistant_tool

Crate assistant_tools

Crate audio

Dependencies

Crate auto_update

Crate auto_update_ui

Crate aws_http_client

Crate bedrock

Crate breadcrumbs

Crate buffer_diff

Crate call

Crate channel

Crate cli

Dependencies

Crate client

Dependencies

Crate clock

Crate collab

Dependencies

Dev dependencies

Crate collab_ui

Crate collections

Crate command_palette

Crate command_palette_hooks

Crate component

Crate component_preview

Crate context_server

Crate context_server_settings

Crate copilot

Crate credentials_provider

Crate dap

Crate dap_adapters

Crate debugger_tools

Crate debugger_ui

Crate db

Crate deepseek

Crate diagnostics

Crate docs_preprocessor

Dependencies

Crate editor

Crate evals

Crate extension

Crate zed_extension_api

Dependencies

Crate extension_cli

Crate extension_host

Crate extensions_ui

Crate feature_flags

Crate feedback

Dependencies

Crate file_finder

Crate file_icons

Crate fs

Crate fsevent

Crate fuzzy

Crate git

Crate git_hosting_providers

Crate git_ui

Crate go_to_line

Crate google_ai

Crate gpui

Dependencies

Dev dependencies

Crate gpui_macros

Crate gpui_tokio

Crate html_to_markdown

Crate http_client

Crate http_client_tls

Crate `activity_indicator`

Crate `anthropic`

Crate `askpass`

Crate `assets`

Crate `assistant`

Crate `assistant2`

Crate `assistant_context_editor`

Crate `assistant_eval`

Crate `assistant_settings`

Crate `assistant_slash_command`

Crate `assistant_slash_commands`

Crate `assistant_tool`

Crate `assistant_tools`

Crate `audio`

Crate `auto_update`

Crate `auto_update_ui`

Crate `aws_http_client`

Crate `bedrock`

Crate `breadcrumbs`

Crate `buffer_diff`

Crate `call`

Crate `channel`

Crate `cli`

Crate `client`

Crate `clock`

Crate `collab`

Crate `collab_ui`

Crate `collections`

Crate `command_palette`

Crate `command_palette_hooks`

Crate `component`

Crate `component_preview`

Crate `context_server`

Crate `context_server_settings`

Crate `copilot`

Crate `credentials_provider`

Crate `dap`

Crate `dap_adapters`

Crate `debugger_tools`

Crate `debugger_ui`

Crate `db`

Crate `deepseek`

Crate `diagnostics`

Crate `docs_preprocessor`

Crate `editor`

Crate `evals`

Crate `extension`

Crate `zed_extension_api`

Crate `extension_cli`

Crate `extension_host`

Crate `extensions_ui`

Crate `feature_flags`

Crate `feedback`

Crate `file_finder`

Crate `file_icons`

Crate `fs`

Crate `fsevent`

Crate `fuzzy`

Crate `git`

Crate `git_hosting_providers`

Crate `git_ui`

Crate `go_to_line`

Crate `google_ai`

Crate `gpui`

Crate `gpui_macros`

Crate `gpui_tokio`

Crate `html_to_markdown`

Crate `http_client`

Crate `http_client_tls`

Crate `image_viewer`

Crate `indexed_docs`

Crate `inline_completion`

Crate `inline_completion_button`

Crate `install_cli`

Crate `journal`

Crate `language`

Crate `language_extension`

Crate `language_model`

Crate `language_model_selector`

Crate `language_models`