Diesel vulnerable to Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts
High severity
GitHub Reviewed
Published
Aug 23, 2024
to the GitHub Advisory Database
•
Updated Aug 23, 2024
Description
Published to the GitHub Advisory Database
Aug 23, 2024
Reviewed
Aug 23, 2024
Last updated
Aug 23, 2024
The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:
It appears Diesel does perform truncating casts in a way that could be problematic,
for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36
This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions
<= 2.2.2
are affected.Mitigation
The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes
fixes for the problem.
As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.
For web application backends, consider adding some middleware that limits the size of request bodies by default.
Resolution
Diesel now uses
#[deny]
directives for the following Clippy lints:cast_possible_truncation
cast_possible_wrap
cast_sign_loss
to prevent casts that will lead to precision loss or other trunctations. Additionally we performed an
audit of the relevant code.
A fix is included in the
2.2.3
release.References