Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RUSTSEC-2024-0365: Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts #4199

Closed
github-actions bot opened this issue Aug 23, 2024 · 1 comment
Closed

RUSTSEC-2024-0365: Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts #4199

github-actions bot opened this issue Aug 23, 2024 · 1 comment

Comments

@github-actions
Copy link

Details
Package diesel
Version 2.2.0
URL #4170
Patched Versions >=2.2.3

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)
Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears Diesel does perform truncating casts in a way that could be problematic,
for example:

diesel/diesel/src/pg/connection/stmt/mod.rs

Line 36 in ae82c4a

.map(|data| data.as_ref().map(|d| d.len() as libc::c_int).unwrap_or(0))

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 2.2.2 are affected.

Mitigation

The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes
fixes for the problem.

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Diesel now uses #[deny] directives for the following Clippy lints:

to prevent casts that will lead to precision loss or other trunctations. Additionally we performed an
audit of the relevant code.

A fix is included in the 2.2.3 release.
@weiznich
Copy link
Member

Well, that's obviously already fixed by #4170 as linked by the bot

@weiznich weiznich closed this as not planned Won't fix, can't repro, duplicate, stale Aug 23, 2024
@weiznich weiznich mentioned this issue Aug 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@weiznich