zed-industries / zed

Crate	Required	Latest	Status
rodio	`^0.19.0`	`0.20.1`	out of date

Crate	Required	Latest	Status
ipc-channel	`^0.18`	`0.19.0`	out of date

Crate	Required	Latest	Status
async-recursion	`^0.3`	`1.1.1`	out of date
tiny_http	`^0.8`	`0.12.0`	out of date
tokio-socks	`^0.5.2`	`0.5.2`	up to date

Crate	Required	Latest	Status
aws-config	`^1.1.5`	`1.5.10`	up to date
aws-sdk-s3	`^1.15.0`	`1.61.0`	up to date
aws-sdk-kinesis	`^1.51.0`	`1.51.0`	up to date
axum	`^0.6`	`0.7.9`	out of date
axum-extra	`^0.4`	`0.9.6`	out of date
envy	`^0.4.2`	`0.4.2`	up to date
prometheus	`^0.13`	`0.13.4`	up to date
reqwest	`^0.11`	`0.12.9`	out of date
scrypt	`^0.11`	`0.11.0`	up to date
sea-orm	`^1.1.0-rc.1`	`1.1.1`	up to date
sqlx ⚠️	`^0.8`	`0.8.2`	maybe insecure
tower	`^0.4`	`0.5.1`	out of date
tracing	`^0.1.40`	`0.1.40`	up to date
tracing-subscriber	`^0.3.18`	`0.3.18`	up to date

Crate	Required	Latest	Status
sea-orm	`^1.1.0-rc.1`	`1.1.1`	up to date
sqlx ⚠️	`^0.8`	`0.8.2`	maybe insecure

Crate	Required	Latest	Status
rustc-hash	`^1.1`	`2.0.0`	out of date

Crate	Required	Latest	Status
mdbook	`^0.4.40`	`0.4.42`	up to date

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.215`	up to date
serde_json	`^1.0`	`1.0.133`	up to date
wit-bindgen	`^0.22`	`0.35.0`	out of date

Crate	Required	Latest	Status
human_bytes	`^0.4.1`	`0.4.3`	up to date
urlencoding	`^2.1.2`	`2.1.3`	up to date

Crate	Required	Latest	Status
async-task	`^4.7`	`4.7.1`	up to date
backtrace	`^0.3`	`0.3.74`	up to date
bytemuck	`^1`	`1.20.0`	up to date
etagere	`^0.2`	`0.2.13`	up to date
image	`^0.25.1`	`0.25.5`	up to date
linkme	`^0.3`	`0.3.31`	up to date
num_cpus	`^1.13`	`1.16.0`	up to date
parking	`^2.0.0`	`2.2.1`	up to date
raw-window-handle	`^0.6`	`0.6.2`	up to date
resvg	`^0.44.0`	`0.44.0`	up to date
usvg	`^0.44.0`	`0.44.0`	up to date
seahash	`^4.1`	`4.1.0`	up to date
slotmap	`^1.0.6`	`1.0.7`	up to date
taffy	`^0.4.3`	`0.6.2`	out of date
waker-fn	`^1.2.0`	`1.2.0`	up to date

Crate	Required	Latest	Status
backtrace	`^0.3`	`0.3.74`	up to date

Crate	Required	Latest	Status
embed-resource	`^2.4`	`3.0.1`	out of date

Crate	Required	Latest	Status
proc-macro2	`^1.0.66`	`1.0.89`	up to date
quote	`^1.0.9`	`1.0.37`	up to date
syn	`^1.0.72`	`2.0.87`	out of date

Crate	Required	Latest	Status
http	`^1.1`	`1.1.0`	up to date

Crate	Required	Latest	Status
unicase	`^2.6`	`2.8.0`	up to date

Crate	Required	Latest	Status
async-broadcast	`^0.7`	`0.7.1`	up to date

Crate	Required	Latest	Status
bindgen	`^0.70.0`	`0.70.1`	up to date

Crate	Required	Latest	Status
walkdir	`^2.5.0`	`2.5.0`	up to date

Crate	Required	Latest	Status
similar	`^1.3`	`2.6.0`	out of date

Crate	Required	Latest	Status
syn	`^1.0.72`	`2.0.87`	out of date
quote	`^1.0.9`	`1.0.37`	up to date
proc-macro2	`^1.0.66`	`1.0.89`	up to date

Crate	Required	Latest	Status
backtrace	`^0.3`	`0.3.74`	up to date

Crate	Required	Latest	Status
arrayvec	`^0.7.1`	`0.7.6`	up to date

Crate	Required	Latest	Status
criterion	`^0.5`	`0.5.1`	up to date

Crate	Required	Latest	Status
tracing	`^0.1.34`	`0.1.40`	up to date

Crate	Required	Latest	Status
libsqlite3-sys	`^0.28`	`0.30.1`	out of date
thread_local	`^1.1.4`	`1.1.8`	up to date

Crate	Required	Latest	Status
syn	`^1.0`	`2.0.87`	out of date

Crate	Required	Latest	Status
itertools	`^0.13`	`0.13.0`	up to date

Crate	Required	Latest	Status
ctrlc	`^3.4`	`3.4.5`	up to date
dialoguer	`^0.11.0`	`0.11.0`	up to date

Crate	Required	Latest	Status
arrayvec	`^0.7.1`	`0.7.6`	up to date

Crate	Required	Latest	Status
vscode_theme	`^0.2.0`	`0.2.0`	up to date

Crate	Required	Latest	Status
proc-macro2	`^1.0.66`	`1.0.89`	up to date
quote	`^1.0.9`	`1.0.37`	up to date
syn	`^1.0.72`	`2.0.87`	out of date

Crate	Required	Latest	Status
take-until	`^0.2.0`	`0.2.0`	up to date

Crate	Required	Latest	Status
tokio ⚠️	`^1.15`	`1.41.1`	maybe insecure

Crate	Required	Latest	Status
bincode	`^1.2.1`	`1.3.3`	up to date

Crate	Required	Latest	Status
backtrace	`^0.3`	`0.3.74`	up to date
mimalloc	`^0.1`	`0.1.43`	up to date
urlencoding	`^2.1.2`	`2.1.3`	up to date

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.215`	up to date
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

Crate	Required	Latest	Status
serde	`^1`	`1.0.215`	up to date

Crate	Required	Latest	Status
zed_extension_api	`^0.1.0`	`0.2.0`	out of date

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic, for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint() can be used for sanity checks, but do not assume that the size returned is accurate. For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size, so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

sqlx 0.8.1 has been released with the fix: https://github.com/launchbadge/sqlx/blob/main/CHANGELOG.md#081---2024-08-23

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated: https://github.com/launchbadge/sqlx/issues/3440#issuecomment-2307956901

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.

zed-industries / zed

Crate activity_indicator

Crate anthropic

Crate assets

Crate assistant

Crate assistant_slash_command

Crate assistant_tool

Crate audio

Dependencies

Crate auto_update

Crate breadcrumbs

Crate call

Crate channel

Crate cli

Dependencies

Crate client

Dependencies

Crate clock

Crate collab

Dependencies

Dev dependencies

Crate collab_ui

Crate collections

Dependencies

Crate command_palette

Crate command_palette_hooks

Crate context_servers

Crate copilot

Crate db

Crate diagnostics

Crate docs_preprocessor

Dependencies

Crate editor

Crate evals

Crate extension

Crate zed_extension_api

Dependencies

Crate extension_cli

Crate extension_host

Crate extensions_ui

Crate feature_flags

Crate feedback

Dependencies

Crate file_finder

Crate file_icons

Crate fs

Crate fsevent

Crate fuzzy

Crate git

Crate git_hosting_providers

Crate go_to_line

Crate google_ai

Crate gpui

Dependencies

Dev dependencies

Build dependencies

Crate gpui_macros

Dependencies

Crate html_to_markdown

Crate http_client

Dependencies

Crate image_viewer

Crate indexed_docs

Crate inline_completion

Crate inline_completion_button

Crate install_cli

Crate journal

Crate language

Dependencies

Crate language_model

Crate language_models

Crate language_selector

Crate language_tools

Crate languages

Crate live_kit_client

Dependencies

Crate live_kit_server

Crate lsp

Crate markdown

Crate markdown_preview

Crate `activity_indicator`

Crate `anthropic`

Crate `assets`

Crate `assistant`

Crate `assistant_slash_command`

Crate `assistant_tool`

Crate `audio`

Crate `auto_update`

Crate `breadcrumbs`

Crate `call`

Crate `channel`

Crate `cli`

Crate `client`

Crate `clock`

Crate `collab`

Crate `collab_ui`

Crate `collections`

Crate `command_palette`

Crate `command_palette_hooks`

Crate `context_servers`

Crate `copilot`

Crate `db`

Crate `diagnostics`

Crate `docs_preprocessor`

Crate `editor`

Crate `evals`

Crate `extension`

Crate `zed_extension_api`

Crate `extension_cli`

Crate `extension_host`

Crate `extensions_ui`

Crate `feature_flags`

Crate `feedback`

Crate `file_finder`

Crate `file_icons`

Crate `fs`

Crate `fsevent`

Crate `fuzzy`

Crate `git`

Crate `git_hosting_providers`

Crate `go_to_line`

Crate `google_ai`

Crate `gpui`

Crate `gpui_macros`

Crate `html_to_markdown`

Crate `http_client`

Crate `image_viewer`

Crate `indexed_docs`

Crate `inline_completion`

Crate `inline_completion_button`

Crate `install_cli`

Crate `journal`

Crate `language`

Crate `language_model`

Crate `language_models`

Crate `language_selector`

Crate `language_tools`

Crate `languages`

Crate `live_kit_client`

Crate `live_kit_server`

Crate `lsp`

Crate `markdown`

Crate `markdown_preview`

Crate `media`

Crate `menu`

Crate `multi_buffer`

Crate `node_runtime`

Crate `notifications`

Crate `ollama`

Crate `open_ai`

Crate `outline`

Crate `outline_panel`

Crate `paths`

Crate `picker`

Crate `prettier`

Crate `project`

Crate `project_panel`

Crate `project_symbols`

Crate `proto`

Crate `quick_action_bar`