Skip to content

Commit

Permalink
chore(mysql): create regression test for RUSTSEC-2024-0363
Browse files Browse the repository at this point in the history
  • Loading branch information
abonander committed Aug 24, 2024
1 parent 2256d70 commit 612a767
Show file tree
Hide file tree
Showing 2 changed files with 69 additions and 0 deletions.
5 changes: 5 additions & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,11 @@ name = "mysql-migrate"
path = "tests/mysql/migrate.rs"
required-features = ["mysql", "macros", "migrate"]

[[test]]
name = "mysql-rustsec"
path = "tests/mysql/rustsec.rs"
required-features = ["mysql"]

#
# PostgreSQL
#
Expand Down
64 changes: 64 additions & 0 deletions tests/mysql/rustsec.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
use sqlx::{Error, MySql};
use std::io;

use sqlx_test::new;

// https://rustsec.org/advisories/RUSTSEC-2024-0363.html
//
// During the audit the MySQL driver was found to be *unlikely* to be vulnerable to the exploit,
// so this just serves as a sanity check.
#[sqlx::test]
async fn rustsec_2024_0363() -> anyhow::Result<()> {
let overflow_len = 4 * 1024 * 1024 * 1024; // 4 GiB

let padding = " ".repeat(overflow_len);

let payload = "UPDATE injection_target SET message = 'you''ve been pwned!' WHERE id = 1";

let mut injected_value = String::with_capacity(overflow_len + payload.len());

injected_value.push_str(&padding);
injected_value.push_str(payload);

let mut conn = new::<MySql>().await?;

sqlx::raw_sql(
"CREATE TEMPORARY TABLE injection_target(id INTEGER PRIMARY KEY AUTO_INCREMENT, message TEXT);\n\
INSERT INTO injection_target(message) VALUES ('existing message');",
)
.execute(&mut conn)
.await?;

// We can't concatenate a query string together like the other tests
// because it would just demonstrate a regular old SQL injection.
let res = sqlx::query("INSERT INTO injection_target(message) VALUES (?)")
.bind(&injected_value)
.execute(&mut conn)
.await;

if let Err(e) = res {
// Connection rejected the query; we're happy.
//
// Current observed behavior is that `mysqld` closes the connection before we're even done
// sending the message, giving us a "Broken pipe" error.
//
// As it turns out, MySQL has a tight limit on packet sizes (even after splitting)
// by default: https://dev.mysql.com/doc/refman/8.4/en/packet-too-large.html
if matches!(e, Error::Io(ref ioe) if ioe.kind() == io::ErrorKind::BrokenPipe) {
return Ok(());
}

panic!("unexpected error: {e:?}");
}

let messages: Vec<String> =
sqlx::query_scalar("SELECT message FROM injection_target ORDER BY id")
.fetch_all(&mut conn)
.await?;

assert_eq!(messages[0], "existing_message");
assert_eq!(messages[1].len(), injected_value.len());

// Injection didn't affect our database; we're happy.
Ok(())
}

0 comments on commit 612a767

Please sign in to comment.