Update Rust crate diesel to v2 [SECURITY] #47
This PR contains the following updates:
diesel: 1.4 -> 2.0
GitHub Vulnerability Alerts
GHSA-wq9x-qwcq-mmgf
The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel: SQL Injection isn't Dead: Smuggling Queries at Protocol Level.
It appears Diesel does perform truncating casts in a way that could be problematic, for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36
This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 2.2.2 are affected.
Mitigation
The preferred mitigation for the outlined problem is to update to a Diesel version newer than 2.2.2, which includes fixes for the problem.
As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB; 4 GiB (2^32 bytes) is the point at which a length truncated to 32 bits wraps around. Dynamically built queries are also potentially problematic if they push the message size over this 4 GiB bound. For web application backends, consider adding some middleware that limits the size of request bodies by default.
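The following is an added example, not Diesel's code, showing the bug class the advisory points at next to the two controls it asks for. `truncating_len` reproduces the pattern of casting a byte length with `as` into the `c_int` length argument libpq takes: a payload of 4 GiB + 5 bytes is announced as 5 bytes, which is why the 4 GiB bound above matters. `checked_len` is the hardened form and fails with an error instead of wrapping; the vulnerable function has to carry an explicit `allow` for Clippy's cast lints, because a crate that denies those lints refuses to compile it, which is the compile-time guard against this class of bug. `body_within_limit` is a request-size guard of the kind the middleware advice describes. `ParamTooLarge`, `MAX_PARAM_LEN` and the `encoded_factor` parameter are this example's own names and assumptions, not Diesel APIs. One check relevant to this PR: if the 2.0 in the update is the Cargo.toml requirement, any 2.x release satisfies it, so confirm that Cargo.lock actually resolves diesel to 2.2.3 or newer before treating the advisory as closed.

```rust
// Added example (not Diesel's code): the truncating length cast the
// advisory describes, beside the checked conversion and size guard
// that prevent it. ParamTooLarge, MAX_PARAM_LEN and encoded_factor are
// this example's own names, not Diesel APIs.
use std::convert::TryFrom;
use std::os::raw::c_int;

/// Error returned when a parameter cannot be described by the protocol's
/// 32-bit length field (example type).
#[derive(Debug, PartialEq, Eq)]
pub struct ParamTooLarge {
    pub len: u64,
}

/// Largest payload a signed 32-bit length field can describe. libpq takes
/// parameter lengths as `c_int`, so anything at or above 4 GiB cannot be
/// represented at all (example constant).
pub const MAX_PARAM_LEN: u64 = c_int::MAX as u64;

/// Vulnerable pattern: `len as c_int` keeps only the low 32 bits.
/// A 4 GiB + 5 byte payload is announced as 5 bytes, and the remaining
/// bytes follow a message the server already considers complete.
/// The explicit `allow` is required because a crate that denies Clippy's
/// cast lints would refuse to compile this function.
#[allow(clippy::cast_possible_truncation, clippy::cast_possible_wrap)]
pub fn truncating_len(len: u64) -> c_int {
    len as c_int
}

/// Hardened form: `try_from` returns an error instead of wrapping, so the
/// caller can fail the query before any bytes reach the socket.
pub fn checked_len(len: u64) -> Result<c_int, ParamTooLarge> {
    c_int::try_from(len).map_err(|_| ParamTooLarge { len })
}

/// Request-size guard in the spirit of the mitigation advice: reject input
/// that could encode to 4 GiB or more before it is ever bound.
/// `encoded_factor` is the worst-case expansion of the encoding the value
/// goes through (e.g. 2 for hex-encoded bytes); the factor is an assumption
/// for this example, not a Diesel parameter. Overflow of the multiplication
/// is itself treated as "too large".
pub fn body_within_limit(body_len: u64, encoded_factor: u64) -> bool {
    body_len
        .checked_mul(encoded_factor)
        .map_or(false, |encoded| encoded <= MAX_PARAM_LEN)
}

fn main() {
    // Constructed sizes only; no 4 GiB buffer is allocated here.
    let oversized = (1u64 << 32) + 5;
    println!("truncating cast announces {} bytes", truncating_len(oversized));
    println!("checked conversion: {:?}", checked_len(oversized));
    println!("4 GiB body accepted: {}", body_within_limit(oversized, 1));
    println!("1 KiB body, hex encoded, accepted: {}", body_within_limit(1024, 2));
}
```

The guard is deliberately placed on the length before any encoding or binding happens; once a wrapped length has been handed to the client library, nothing downstream can tell that the announced size and the buffer size disagree.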
Resolution
Diesel now uses #[deny] directives for the following Clippy lints: cast_possible_truncation, cast_possible_wrap and cast_sign_loss, to prevent casts that will lead to precision loss or other truncations. Additionally we performed an audit of the relevant code.
A fix is included in the 2.2.3 release.
Release Notes
diesel-rs/diesel (diesel)
v2.2.3: Diesel 2.2.3
See the SQL Injection isn't Dead: Smuggling Queries at Protocol Level presentation from DEF CON for details
#[derive(QueryableByName)]
You can support the development of diesel by contributions or by sponsoring the project on Github.
Full Changelog: diesel-rs/diesel@v2.2.2...v2.2.3
v2.2.2
Fixed
Numeric
SerializedDatabase::new function due to unsoundness
v2.2.1
v2.2.0
Added
[print_schema] except_custom_type_definitions = ["Vector"]. If a custom type matches one element on the list it's skipped.
rowid aliases when no explicit primary key is defined for print-schema
#[dsl::auto_type] attribute macro, allowing to infer the type of query fragment functions
Selectable derives, which allows skipping specifying select_expression_type most of the time, in turn enabling most queries to be written using just a Selectable derive.
#[diesel(skip_insertion)] field attribute to the Insertable derive macro, allowing fields which map to generated columns to be skipped during insertion.
sqlite-integer-primary-key-is-bigint configuration option, usable with SQLite 3.37 or above, allowing to use BigInt for INTEGER PRIMARY KEY columns in SQLite for tables without the WITHOUT ROWID attribute (SQLite doc).
print_schema entry in diesel.toml (e.g. [print_schema.user1]), which allows generating multiple schema.rs files
COPY TO and COPY FROM statements
chrono::Duration to postgresql's INTERVAL sql type
serialize_database_to_buffer and deserialize_readonly_database_from_buffer methods in SqliteConnection to support serialization/deserialization of SQLite databases to and from byte buffers.
SerializedDatabase wrapper type for a serialized database that is dynamically allocated by calling serialize_database_to_buffer. This RAII wrapper deallocates the memory when it goes out of scope with sqlite3_free.
Changed
sql_function! in favour of define_sql_function! which provides compatibility with #[dsl::auto_type]
v2.1.6
BoxableExpression with having clauses
v2.1.5
impl SqlOrd
postgres > postgres_backend feature flag.
Queryable to be used with multiple table names.
libsqlite3-sys to allow version 0.28 as well
v2.1.4
libsqlite3-sys to allow version 0.27 as well
v2.1.3
DISTINCT ON and ORDER BY clauses again as that broke existing code
v2.1.2
v2.1.1
v2.1.0
Changed
Added
custom_type_derives config option to customize the derives for SQL type definitions automatically generated by Diesel CLI.
#[derive(MultiConnection)] proc-macro that lets you easily implement diesel::Connection for an enum of connections to different database backends.
--diff-schema flag to the diesel migration generate command that generates a migration based on the difference between your database and the provided schema.rs file
ON CONFLICT (...) DO UPDATE ... [WHERE ...] conditional clause support for PostgreSQL.
ON DUPLICATE KEY DO UPDATE syntax through the existing upsert functions.
distinct_on for PostgreSQL, like: .distinct_on((column_a, column_b)).
schema.rs file
v2.0.4
v2.0.3
v2.0.2
v2.0.1
Fixed
diesel_cli generating incompatible type names for the generate_missing_sql_type_definitions feature on PostgreSQL
diesel_cli handles sqlite urls while checking if a given database exists
PgConnection becoming unusable after hitting a database error in certain situations
INSERT … ON CONFLICT queries
diesel_derives generating code that triggers the disabled by default unused_qualifications lint
v2.0.0
Added
MysqlConnection::establish is able to initiate an SSL connection while specifying certificate roots. The database URL should contain an ssl_ca parameter with a path pointing to the certificate roots. See docs if desired.
MysqlConnection::establish is able to initiate an SSL connection. The database URL should contain an ssl_mode parameter with a value of the MySQL client command option --ssl-mode if desired.
Connection and SimpleConnection traits are implemented for a broader range of r2d2::PooledConnection<M> types when the r2d2 feature is enabled.
Added DatabaseErrorKind::ReadOnlyTransaction to allow applications to handle errors caused by writing when only allowed to read.
All expression methods can now be called on expressions of nullable types.
Added BoxedSqlQuery. This allows users to do a variable amount of .sql or .bind calls without changing the underlying type.
Added .sql to SqlQuery and UncheckedBind to allow appending SQL code to an existing query.
The MacAddr SQL type can now be used without enabling the network-address feature.
Added support for SQLite's UPSERT. You can use this feature above SQLite version 3.24.0.
Added ability to create custom aggregate functions in SQLite.
Multiple aggregate expressions can now appear together in the same select clause. See the upgrade notes for details.
ValidGrouping has been added to represent whether an expression is valid for a given group by clause, and whether or not it's aggregate. It replaces the functionality of NonAggregate. See the upgrade notes for details.
It is now possible to inspect the type of values returned from the database in such a way to support constructing a dynamic value depending on this type.
Added a without-deprecated feature that unconditionally disables deprecated items. Use this feature flag to verify that none of your dependencies is setting the with-deprecated flag internally.
Added support for PostgreSQL's SIMILAR TO and NOT SIMILAR TO.
Added #[diesel(serialize_as)] analogous to #[diesel(deserialize_as)]. This allows customization of the serialization behaviour of Insertable and AsChangeset structs.
Added support for GROUP BY clauses
Added support for UNION, UNION ALL, INTERSECT, INTERSECT ALL, EXCEPT, EXCEPT ALL clauses
Added the error position for PostgreSQL errors
Added ability to create custom collation functions in SQLite.
Added support for SQLite's IS and IS NOT.
Added support for HAVING clauses.
Added support for SQL functions without arguments for SQLite.
Diesel CLI will now generate SQL type definitions for SQL types that are not supported by diesel out of the box. It's possible to disable this behavior via the generate_missing_sql_type_definitions config option.
Added an option to #[derive(Insertable)] that lets you insert NULL values instead of DEFAULT values for Option<T>
Added support for all the derive attributes being inside #[diesel(...)]
Added support for RETURNING expressions for Sqlite via the returning_clauses_for_sqlite_3_35 feature
Added support for table aliasing via the alias! macro
Added support for the usage of slices of references with belonging_to from BelongingToDsl
Added support for updating individual array elements: UPDATE table SET array_column[1] = true
Adds an ipnet-address feature flag, allowing (de)serializing IP values from the database using types provided by ipnet. This feature may be enabled concurrently with the previously existing network-address feature.
We've added support for loading values using libpq's row-by-row mode via the new iterator interface
Adds Timestamp, Timestamptz support for appropriate types for time v0.3.9. This feature enables using the time crate as an alternative to chrono.
Removed
uuid version < 0.7.0 has been removed.
bigdecimal < 0.0.13 has been removed.
pq-sys < 0.4.0 has been removed.
mysqlclient-sys < 0.2.5 has been removed.
time (0.1) types has been removed.
chrono < 0.4.19 has been removed.
NonNull trait for sql types has been removed in favour of the new SqlType trait.
no_arg_sql_function! has been deprecated without replacement. sql_function! can now be used for functions with zero arguments. See the migration guide for more details.
barrel based migrations has been removed for now. We are happy to add this support back as soon as barrel integrates with our new migration framework.
(diesel bash-completions) has been removed. Use diesel completions <shell> instead.
Changed
The minimal officially supported rustc version is now 1.56.0
Interacting with a database requires a mutable connection.
The way the Backend trait handles its RawValue type has been changed to allow non-references. Users of this type (e.g. code written &DB::RawValue or &<DB as Backend>::RawValue) should use backend::RawValue<DB> instead. Implementors of Backend should check the relevant section of the migration guide.
The type metadata for MySQL has been changed to include sign information. If you are implementing HasSqlType for Mysql manually, you may need to adjust your implementation to fully use the new unsigned variants in MysqlType
The RawValue types for the Mysql and Postgresql backend were changed from [u8] to distinct opaque types. If you used the concrete RawValue type somewhere you need to change it to mysql::MysqlValue or pg::PgValue.
The uuidv07 feature was renamed to uuid, due to the removal of support for older uuid versions
Boxed queries (constructed from .into_boxed()) are now Send.
The handling of mixed aggregate values is more robust. Invalid queries such as .select(max(id) + other_column) are now correctly rejected, and valid queries such as .select((count_star(), max(other_column))) are now correctly accepted. For more details, see the migration guide.
NonAggregate is now a trait alias for ValidGrouping<()> for expressions that are not aggregate. On stable this is a normal trait with a blanket impl, but it should never be implemented directly. With the unstable feature, it will use trait aliases which prevent manual implementations. Due to language limitations, we cannot make the new trait alias by itself represent everything it used to, so in some rare cases code changes may be required. See the migration guide for details.
Various __NonExhaustive variants in different (error-) enums are replaced with #[non_exhaustive]. If you matched on one of those variants explicitly you need to introduce a wildcard match instead.
FromSql::from_sql is changed to construct a value from non-nullable database values. To construct a rust value for nullable values use the new FromSql::from_nullable_sql method instead.
Custom sql types are now required to implement the new SqlType trait. Diesel will automatically create implementations of that trait for all types having a #[derive(SqlType)]
The workflow for manually implementing support for custom types has changed. Implementing FromSqlRow<ST, DB> is not required anymore, as this is now implied by implementing FromSql<ST, DB>. The requirement of implementing Queryable<ST, DB> remains unchanged. For types using #[derive(FromSqlRow)] no changes are required as the derive automatically generates the correct code
The structure of our deserialization trait has changed. Loading values from the database now requires that the result type implements FromSqlRow<ST, DB>. Diesel provides wildcard implementations for types implementing Queryable<ST, DB> or QueryableByName<DB> so non-generic code does not require any change. For generic code you likely need to replace a trait bound on Queryable<ST, DB> with a trait bound on FromSqlRow<ST, DB> and a bound on QueryableByName<DB> with FromSqlRow<Untyped, DB>.
CLI flags of only-tables and except-tables are now interpreted as regular expressions. Similarly, only_tables and except_tables in diesel.toml are treated as regular expressions.
Now you can sort column fields by name with the column-sorting option. It can be set to either ordinal_position (default) or name. This ensures stable sorting even if columns are removed and re-added.
The Queryable<ST,DB> trait was updated to be made fallible, in order to properly handle cases where you detect a data inconsistency between fields on deserialization (that e.g. was supposed to be made impossible by DB CHECKs). The build function now returns a diesel::deserialize::Result<Self> instead of a Self.
TypeMetadata::MetadataLookup is now ?Sized.
Multiple implementations of Connection<Backend=Pg> are now possible because of the new PgMetadataLookup trait. For the Pg backend, TypeMetadata::MetadataLookup has changed to dyn PgMetadataLookup.
Diesel's migration framework was rewritten from the ground up. Existing migrations continue to be compatible with the rewrite, but code calling into diesel_migrations requires an update. See the migration guide for details.
eq_any() now emits a = ANY() expression for the postgresql backend instead of IN()
ne_all() now emits a != ALL() expression for the postgresql backend instead of NOT IN()
The sqlite backend now uses a single batch insert statement if there are no default values present in the values clause
The MySQL connection is using CLIENT_FOUND_ROWS from now on. This means that updating rows without changing any values will return the number of matched rows (like most other SQL servers do), as opposed to the number of changed rows.
The definition of ToSql::to_sql and QueryFragment::walk_ast has changed to allow serializing values without copying the value itself. This is useful for database backends like sqlite where you can directly share a buffer with the database. Besides the changed signature, existing impls of this trait should remain unchanged in almost all cases.
The PIPES_AS_CONCAT sql_mode is no longer set by default. This setting requires a modification to MySQL query parsing that is not supported by certain systems (such as Vitess). If you are using MySQL and executing raw queries with the || operator, you will need to rewrite your queries or set PIPES_AS_CONCAT manually.
Fixed
Many types were incorrectly considered non-aggregate when they should not
have been. All types in Diesel are now correctly only considered
non-aggregate if their parts are.
Offset clauses without limit clauses resulted in invalid sql using the mysql or sqlite backend. Both do not support such clauses without a preceding limit clause. For those backends Diesel now generates a fake limit clause in case no explicit limit clause was given. As a consequence of this change generic query code may require additional trait bounds as requested by the compiler. Third party backends are required to explicitly provide QueryFragment impls for LimitOffsetClause<L, O> now.
Nullability requirements are now properly enforced for nested joins. Previously, only the rules for the outer-most join were considered. For example, users.left_join(posts).left_join(comments) would allow selecting any columns from posts. That will now fail to compile, and any selections from posts will need to be made explicitly nullable.
Diesel CLI will now look for diesel.toml to determine the project root before looking for Cargo.toml. Any relative paths in diesel.toml will now be treated as relative to the project root (the directory containing either diesel.toml or Cargo.toml). They are no longer dependent on the current working directory (for all directories in the same project)
The SQLite backend is now configured to interpret URIs.
See the SQLite URI documentation for additional details.
We've refactored our type translation layer for Mysql to handle more types now.
We've refactored our type level representation of nullable values. This allowed us to
fix multiple long standing bugs regarding the correct handling of nullable values in some
corner cases (#104, #2274)
Parentheses are now inserted around all infix operations provided by diesel's ExpressionMethods traits
Queries containing a distinct on clause now check at compile time that a compatible order clause was set.
Implementations of custom SQLite SQL functions now check for panics
diesel print-schema now generates Array<Nullable<ST>> rather than Array<ST> for Postgres Array types. Existence of NULL values in database arrays would previously result in deserialization errors. Non-nullable arrays are now opt-in (by schema patching).
Deprecated
All the diesel derive attributes that are not inside #[diesel(...)]
diesel_(prefix|postfix|infix)_operator! have been deprecated. These macros are now available without the diesel_ prefix. With Rust 2018 they can be invoked as diesel::infix_operator! instead.
diesel::pg::upsert has been deprecated to support upsert queries on more than one backend. Please use diesel::upsert instead.
diesel::dsl::any and diesel::dsl::all are now deprecated in favour of ExpressionMethods::eq_any() and ExpressionMethods::ne_all()
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.