25364743170

Committed 05 May 2026 08:00AM UTC coverage: 85.038% (-0.2%) from 85.255%

Build # 25364743170

Build Type

push

gh-ci

Committed by

vchaindz

Commit Message

chore(deps): bump jackc/pgx/v5 v5.9.1 -> v5.9.2 (CVE-2026-41889)

Patches a low-severity SQL-injection edge case in pgx's simple-protocol
codepath when a dollar-quoted string literal embeds attacker-controllable
placeholder text (GHSA-j88v-2chj-qfwx).

Not exploitable in immudb: pgx is a test-only dependency used by
pkg/pgsql/server/pgsql_{hardened,compat_integration,integration}_test.go
to drive the wire-compat layer with a real Postgres client. It is not
in the production package graph (`go list -deps ./cmd/... ./pkg/...
./embedded/...` returns 0 for jackc/pgx). Bumped purely to keep the
Dependabot alert clean.

Verified:
  go build ./...                                ok
  go test -count=1 ./pkg/pgsql/server/          ok

Coverage Stats

45157 of 53102 relevant lines covered (85.04%)

126482.99 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.86

/embedded/sql/count_row_reader.go

/*
Copyright 2026 Codenotary Inc. All rights reserved.

SPDX-License-Identifier: BUSL-1.1
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://mariadb.com/bsl11/

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package sql

import "context"

// countingRowReader handles bare COUNT(*) queries (SELECT COUNT(*) FROM tbl
// with no WHERE, JOINs, GROUP BY, or HAVING) without decoding column values.
// It wraps a rawRowReader and returns exactly one Row containing the count.
type countingRowReader struct {
        rawReader *rawRowReader
        // encSel is the encoded selector key expected by projectedRowReader, e.g.
        // "COUNT()(t.*)" for a table aliased as "t".
        encSel  string
        colDesc ColDescriptor
        done    bool
}

func newCountingRowReader(rawReader *rawRowReader, agg *AggColSelector) *countingRowReader {
        aggFn, table, col := agg.resolve(rawReader.tableAlias)
        encSel := EncodeSelector(aggFn, table, col)
        return &countingRowReader{
                rawReader: rawReader,
                encSel:    encSel,
                colDesc: ColDescriptor{
                        AggFn:  aggFn,
                        Table:  table,
                        Column: col,
                        Type:   IntegerType,
                },
        }
}

func (cr *countingRowReader) onClose(callback func()) {
        cr.rawReader.onClose(callback)
}

func (cr *countingRowReader) Tx() *SQLTx {
        return cr.rawReader.Tx()
}

func (cr *countingRowReader) TableAlias() string {
        return cr.rawReader.TableAlias()
}

func (cr *countingRowReader) Parameters() map[string]interface{} {
        return cr.rawReader.Parameters()
}

func (cr *countingRowReader) OrderBy() []ColDescriptor {
        return nil
}

func (cr *countingRowReader) ScanSpecs() *ScanSpecs {
        return cr.rawReader.ScanSpecs()
}

func (cr *countingRowReader) Columns(_ context.Context) ([]ColDescriptor, error) {
        return []ColDescriptor{cr.colDesc}, nil
}

// colsBySelector includes both the COUNT(*) aggregation descriptor and all
// raw table column descriptors so that projectedRowReader validation succeeds.
func (cr *countingRowReader) colsBySelector(ctx context.Context) (map[string]ColDescriptor, error) {
        colsBySel, err := cr.rawReader.colsBySelector(ctx)
        if err != nil {
                return nil, err
        }
        colsBySel[cr.encSel] = cr.colDesc
        return colsBySel, nil
}

func (cr *countingRowReader) InferParameters(ctx context.Context, params map[string]SQLValueType) error {
        return cr.rawReader.InferParameters(ctx, params)
}

// Read counts all matching index entries without decoding column values and
// returns a single Row. Subsequent calls return ErrNoMoreRows.
func (cr *countingRowReader) Read(ctx context.Context) (*Row, error) {
        if cr.done {
                return nil, ErrNoMoreRows
        }
        cr.done = true

        n, err := cr.rawReader.CountAll(ctx)
        if err != nil {
                return nil, err
        }

        val := &Integer{val: n}
        return &Row{
                ValuesByPosition: []TypedValue{val},
                ValuesBySelector: map[string]TypedValue{cr.encSel: val},
        }, nil
}

func (cr *countingRowReader) Close() error {
        return cr.rawReader.Close()
}

// keyFilterCountingRowReader extends the COUNT(*) fast-path to queries with a
// WHERE clause whose columns are all part of the chosen index. The predicate
// is evaluated against values decoded from the index key, so the row payload
// is never resolved or decoded — see rawRowReader.CountAllWithKeyFilter.
type keyFilterCountingRowReader struct {
        *countingRowReader
        where ValueExp
}

func newKeyFilterCountingRowReader(rawReader *rawRowReader, agg *AggColSelector, where ValueExp) *keyFilterCountingRowReader {
        return &keyFilterCountingRowReader{
                countingRowReader: newCountingRowReader(rawReader, agg),
                where:             where,
        }
}

// Read evaluates the index-only WHERE filter while counting entries, returning
// a single Row with the resulting count. Subsequent calls return ErrNoMoreRows.
func (cr *keyFilterCountingRowReader) Read(ctx context.Context) (*Row, error) {
        if cr.done {
                return nil, ErrNoMoreRows
        }
        cr.done = true

        n, err := cr.rawReader.CountAllWithKeyFilter(ctx, cr.where)
        if err != nil {
                return nil, err
        }

        val := &Integer{val: n}
        return &Row{
                ValuesByPosition: []TypedValue{val},
                ValuesBySelector: map[string]TypedValue{cr.encSel: val},
        }, nil
}

1	/*
2	Copyright 2026 Codenotary Inc. All rights reserved.
3
4	SPDX-License-Identifier: BUSL-1.1
5	you may not use this file except in compliance with the License.
6	You may obtain a copy of the License at
7
8	https://mariadb.com/bsl11/
9
10	Unless required by applicable law or agreed to in writing, software
11	distributed under the License is distributed on an "AS IS" BASIS,
12	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	See the License for the specific language governing permissions and
14	limitations under the License.
15	*/
16
17	package sql
18
19	import "context"
20
21	// countingRowReader handles bare COUNT() queries (SELECT COUNT() FROM tbl
22	// with no WHERE, JOINs, GROUP BY, or HAVING) without decoding column values.
23	// It wraps a rawRowReader and returns exactly one Row containing the count.
24	type countingRowReader struct {
25	rawReader *rawRowReader
26	// encSel is the encoded selector key expected by projectedRowReader, e.g.
27	// "COUNT()(t.*)" for a table aliased as "t".
28	encSel string
29	colDesc ColDescriptor
30	done bool
31	}
32
33	func newCountingRowReader(rawReader rawRowReader, agg AggColSelector) *countingRowReader {	49✔
34	aggFn, table, col := agg.resolve(rawReader.tableAlias)	49✔
35	encSel := EncodeSelector(aggFn, table, col)	49✔
36	return &countingRowReader{	49✔
37	rawReader: rawReader,	49✔
38	encSel: encSel,	49✔
39	colDesc: ColDescriptor{	49✔
40	AggFn: aggFn,	49✔
41	Table: table,	49✔
42	Column: col,	49✔
43	Type: IntegerType,	49✔
44	},	49✔
45	}	49✔
46	}	49✔
47
48	func (cr *countingRowReader) onClose(callback func()) {	36✔
49	cr.rawReader.onClose(callback)	36✔
50	}	36✔
51
52	func (cr countingRowReader) Tx() SQLTx {	41✔
53	return cr.rawReader.Tx()	41✔
54	}	41✔
55
56	func (cr *countingRowReader) TableAlias() string {	233✔
57	return cr.rawReader.TableAlias()	233✔
58	}	233✔
59
60	func (cr *countingRowReader) Parameters() map[string]interface{} {	33✔
61	return cr.rawReader.Parameters()	33✔
62	}	33✔
63
64	func (cr *countingRowReader) OrderBy() []ColDescriptor {	2✔
65	return nil	2✔
66	}	2✔
67
68	func (cr countingRowReader) ScanSpecs() ScanSpecs {	2✔
69	return cr.rawReader.ScanSpecs()	2✔
70	}	2✔
71
72	func (cr *countingRowReader) Columns(_ context.Context) ([]ColDescriptor, error) {	2✔
73	return []ColDescriptor{cr.colDesc}, nil	2✔
74	}	2✔
75
76	// colsBySelector includes both the COUNT(*) aggregation descriptor and all
77	// raw table column descriptors so that projectedRowReader validation succeeds.
78	func (cr *countingRowReader) colsBySelector(ctx context.Context) (map[string]ColDescriptor, error) {	33✔
79	colsBySel, err := cr.rawReader.colsBySelector(ctx)	33✔
80	if err != nil {	33✔
81	return nil, err	×
82	}	×
83	colsBySel[cr.encSel] = cr.colDesc	33✔
84	return colsBySel, nil	33✔
85	}
86
87	func (cr *countingRowReader) InferParameters(ctx context.Context, params map[string]SQLValueType) error {	8✔
88	return cr.rawReader.InferParameters(ctx, params)	8✔
89	}	8✔
90
91	// Read counts all matching index entries without decoding column values and
92	// returns a single Row. Subsequent calls return ErrNoMoreRows.
93	func (cr countingRowReader) Read(ctx context.Context) (Row, error) {	44✔
94	if cr.done {	62✔
95	return nil, ErrNoMoreRows	18✔
96	}	18✔
97	cr.done = true	26✔
98		26✔
99	n, err := cr.rawReader.CountAll(ctx)	26✔
100	if err != nil {	26✔
101	return nil, err	×
102	}	×
103
104	val := &Integer{val: n}	26✔
105	return &Row{	26✔
106	ValuesByPosition: []TypedValue{val},	26✔
107	ValuesBySelector: map[string]TypedValue{cr.encSel: val},	26✔
108	}, nil	26✔
109	}
110
111	func (cr *countingRowReader) Close() error {	49✔
112	return cr.rawReader.Close()	49✔
113	}	49✔
114
115	// keyFilterCountingRowReader extends the COUNT(*) fast-path to queries with a
116	// WHERE clause whose columns are all part of the chosen index. The predicate
117	// is evaluated against values decoded from the index key, so the row payload
118	// is never resolved or decoded — see rawRowReader.CountAllWithKeyFilter.
119	type keyFilterCountingRowReader struct {
120	*countingRowReader
121	where ValueExp
122	}
123
124	func newKeyFilterCountingRowReader(rawReader rawRowReader, agg AggColSelector, where ValueExp) *keyFilterCountingRowReader {	7✔
125	return &keyFilterCountingRowReader{	7✔
126	countingRowReader: newCountingRowReader(rawReader, agg),	7✔
127	where: where,	7✔
128	}	7✔
129	}	7✔
130
131	// Read evaluates the index-only WHERE filter while counting entries, returning
132	// a single Row with the resulting count. Subsequent calls return ErrNoMoreRows.
133	func (cr keyFilterCountingRowReader) Read(ctx context.Context) (Row, error) {	12✔
134	if cr.done {	18✔
135	return nil, ErrNoMoreRows	6✔
136	}	6✔
137	cr.done = true	6✔
138		6✔
139	n, err := cr.rawReader.CountAllWithKeyFilter(ctx, cr.where)	6✔
140	if err != nil {	6✔
141	return nil, err	×
142	}	×
143
144	val := &Integer{val: n}	6✔
145	return &Row{	6✔
146	ValuesByPosition: []TypedValue{val},	6✔
147	ValuesBySelector: map[string]TypedValue{cr.encSel: val},	6✔
148	}, nil	6✔
149	}

codenotary / immudb / 25364743170

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous