File: rustsec.rs

package info (click to toggle)
rust-sqlx 0.8.3-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 1,744 kB
  • sloc: sql: 335; python: 268; sh: 71; makefile: 2
file content (67 lines) | stat: -rw-r--r-- 2,353 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
use sqlx::{Error, MySql};
use std::io;

use sqlx_test::new;

// https://rustsec.org/advisories/RUSTSEC-2024-0363.html
//
// During the audit the MySQL driver was found to be *unlikely* to be vulnerable to the exploit,
// so this just serves as a sanity check.
#[sqlx::test]
async fn rustsec_2024_0363() -> anyhow::Result<()> {
    let overflow_len = 4 * 1024 * 1024 * 1024; // 4 GiB

    let padding = " ".repeat(overflow_len);

    let payload = "UPDATE injection_target SET message = 'you''ve been pwned!' WHERE id = 1";

    let mut injected_value = String::with_capacity(overflow_len + payload.len());

    injected_value.push_str(&padding);
    injected_value.push_str(payload);

    // Since this is so large, keeping it around until the end *can* lead to getting OOM-killed.
    drop(padding);

    let mut conn = new::<MySql>().await?;

    sqlx::raw_sql(
        "CREATE TEMPORARY TABLE injection_target(id INTEGER PRIMARY KEY AUTO_INCREMENT, message TEXT);\n\
         INSERT INTO injection_target(message) VALUES ('existing message');",
    )
    .execute(&mut conn)
    .await?;

    // We can't concatenate a query string together like the other tests
    // because it would just demonstrate a regular old SQL injection.
    let res = sqlx::query("INSERT INTO injection_target(message) VALUES (?)")
        .bind(&injected_value)
        .execute(&mut conn)
        .await;

    if let Err(e) = res {
        // Connection rejected the query; we're happy.
        //
        // Current observed behavior is that `mysqld` closes the connection before we're even done
        // sending the message, giving us a "Broken pipe" error.
        //
        // As it turns out, MySQL has a tight limit on packet sizes (even after splitting)
        // by default: https://dev.mysql.com/doc/refman/8.4/en/packet-too-large.html
        if matches!(e, Error::Io(ref ioe) if ioe.kind() == io::ErrorKind::BrokenPipe) {
            return Ok(());
        }

        panic!("unexpected error: {e:?}");
    }

    let messages: Vec<String> =
        sqlx::query_scalar("SELECT message FROM injection_target ORDER BY id")
            .fetch_all(&mut conn)
            .await?;

    assert_eq!(messages[0], "existing_message");
    assert_eq!(messages[1].len(), injected_value.len());

    // Injection didn't affect our database; we're happy.
    Ok(())
}