Update Rust crate sqlx to 0.8.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
sqlx	dependencies	patch	0.8.0 -> 0.8.1

GitHub Vulnerability Alerts

GHSA-xmrp-424f-vfpx

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic,
for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint()
can be used for sanity checks, but do not assume that the size returned is accurate.
For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size,
so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Work has started on a branch to add #[deny] directives for the following Clippy lints:

• cast_possible_truncation
• cast_possible_wrap
• cast_sign_loss

and to manually audit the code that they flag.

A fix is expected to be included in the 0.8.1 release (still WIP as of writing).

---

Release Notes

launchbadge/sqlx (sqlx)

v0.8.1

Compare Source

16 pull requests were merged this release cycle.

This release contains a fix for RUSTSEC-2024-0363.

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated:
#​3440 (comment)

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.

Added

• [#​3421]: correct spelling of MySqlConnectOptions::no_engine_substitution() [[@​kolinfluence]]
  • Deprecates MySqlConnectOptions::no_engine_subsitution() (oops) in favor of the correctly spelled version.

Changed

• [#​3376]: doc: hide spec_error module [[@​abonander]]
  • This is a helper module for the macros and was not meant to be exposed.
  • It is not expected to receive any breaking changes for the 0.8.x release, but is not designed as a public API.
    Use at your own risk.
• [#​3382]: feat: bumped to libsqlite3-sys=0.30.1 to support sqlite 3.46 [[@​CommanderStorm]]
• [#​3385]: chore(examples):Migrated the pg-chat example to ratatui [[@​CommanderStorm]]
• [#​3399]: Upgrade to rustls 0.23 [[@​djc]]
  • RusTLS now has pluggable cryptography providers: ring (the existing implementation),
    and aws-lc-rs which has optional FIPS certification.
  • The existing features activating RusTLS (runtime-tokio-rustls, runtime-async-std-rustls, tls-rustls)
    enable the ring provider of RusTLS to match the existing behavior so this should not be a breaking change.
  • Switch to the tls-rustls-aws-lc-rs feature to use the aws-lc-rs provider.
    • If using runtime-tokio-rustls or runtime-async-std-rustls,
      this will necessitate switching to the appropriate non-legacy runtime feature:
      runtime-tokio or runtime-async-std
  • See the RusTLS README for more details: https://github.com/rustls/rustls?tab=readme-ov-file#cryptography-providers

Fixed

• [#​2786]: fix(sqlx-cli): do not clean sqlx during prepare [[@​cycraig]]
• [#​3354]: sqlite: fix inconsistent read-after-write [[@​ckampfe]]
• [#​3371]: Fix encoding and decoding of MySQL enums in sqlx::Type [[@​alu]]
• [#​3374]: fix: usage of node12 in SQLx action [[@​hamirmahal]]
• [#​3380]: chore: replace structopt with clap in examples [[@​tottoto]]
• [#​3381]: Fix CI after Rust 1.80, remove dead feature references [[@​abonander]]
• [#​3384]: chore(tests): fixed deprecation warnings [[@​CommanderStorm]]
• [#​3386]: fix(dependencys):bumped cargo_metadata to v0.18.1 to avoid yanked v0.14.3 [[@​CommanderStorm]]
• [#​3389]: fix(cli): typo in error for required DB URL [[@​ods]]
• [#​3417]: Update version to 0.8 in README [[@​soucosmo]]
• [#​3441]: fix: audit protocol handling [[@​abonander]]
  • This addresses RUSTSEC-2024-0363 and includes regression tests for MySQL, Postgres and SQLite.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating git repository `https://github.com/casbin-rs/actix-casbin-auth.git`
From https://github.com/casbin-rs/actix-casbin-auth
 * [new ref]         66662102a92fe1ae80ad427e07c1879cbdf65f4f -> refs/commit/66662102a92fe1ae80ad427e07c1879cbdf65f4f
    Updating crates.io index
error: failed to select a version for `sqlx`.
    ... required by package `stacker v0.1.0 (/tmp/renovate/repos/github/trydirect/stacker)`
versions that meet the requirements `^0.8.1` are: 0.8.3, 0.8.2, 0.8.1

the package `stacker` depends on `sqlx`, with features: `offline` but `sqlx` does not have these features.


failed to select a version for `sqlx` which could resolve this conflict