SebastianGoeb / kindle-to-anki / 10537071347
91%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 6
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 91.852%. Remained the same
10537071347

push

github

web-flow 
fix(deps): update rust crate sqlx to v0.8.1 [security] (#91)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [sqlx](https://togithub.com/launchbadge/sqlx) | dependencies | patch |
`0.8.0` -> `0.8.1` |

### GitHub Vulnerability Alerts

####
[GHSA-xmrp-424f-vfpx](https://togithub.com/launchbadge/sqlx/issues/3440)

The following presentation at this year's DEF CON was brought to our
attention on the SQLx Discord:

> SQL Injection isn't Dead: Smuggling Queries at the Protocol Level  
>
<http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf>
> (Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length
prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary
protocol commands or other data.

It appears SQLx _does_ perform truncating casts in a way that could be
problematic,
for example:
<https://github.com/launchbadge/sqlx/blob/6f2905695/sqlx-postgres/src/arguments.rs#L163>

This code has existed essentially since the beginning, 
so it is reasonable to assume that all published versions `<= 0.8.0` are
affected.

## Mitigation

As always, you should make sure your application is validating
untrustworthy user input.
Reject any input over 4 GiB, or any input that could _encode_ to a
string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes
the message size over this 4 GiB bound.


[`Encode::size_hint()`](https://docs.rs/sqlx/latest/sqlx/trait.Encode.html#method.size_hint)
can be used for sanity checks, but do not assume that the size returned
is accurate.
For example, the `Json<T>` an... (continued)

124 of 135 relevant lines covered (91.85%)

45.27 hits per line

Jobs
ID Job ID Ran Files Coverage
1 10537071347.1 0
91.85
 GitHub Action Run
Source Files on build 10537071347
Detailed source file information is not available for this build.