SQL injection - Code In diesel
Description
Diesel's SQLite backend has possible UTF-8 corruption
Diesel uses the sqlite3_value_text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as *const c_char. Based on that we used str::from_utf8_unchecked to construct a Rust string slice without any additional UTF-8 checks in place. It turned out that this function doesn't always return correct UTF-8 strings. For field of the SQLite side storage type BLOB this pointer can contain arbitrary bytes, which makes the usage of str::from_utf8_unchecked unsound as this violates the safety contract of str to only contain valid UTF-8 encoded Strings.
Mitigation
The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now correctly checks whether the provides byte buffer is actually valid UTF-8, instead of relying on SQLite's documentation. This fix is included in the 2.3.8 release.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 cargo | 2.3.8 |
Aliases
References