-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(mysql): create regression test for RUSTSEC-2024-0363
- Loading branch information
Showing
2 changed files
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
use sqlx::{Error, MySql}; | ||
use std::io; | ||
|
||
use sqlx_test::new; | ||
|
||
// https://rustsec.org/advisories/RUSTSEC-2024-0363.html | ||
// | ||
// During the audit the MySQL driver was found to be *unlikely* to be vulnerable to the exploit, | ||
// so this just serves as a sanity check. | ||
#[sqlx::test] | ||
async fn rustsec_2024_0363() -> anyhow::Result<()> { | ||
let overflow_len = 4 * 1024 * 1024 * 1024; // 4 GiB | ||
|
||
let padding = " ".repeat(overflow_len); | ||
|
||
let payload = "UPDATE injection_target SET message = 'you''ve been pwned!' WHERE id = 1"; | ||
|
||
let mut injected_value = String::with_capacity(overflow_len + payload.len()); | ||
|
||
injected_value.push_str(&padding); | ||
injected_value.push_str(payload); | ||
|
||
let mut conn = new::<MySql>().await?; | ||
|
||
sqlx::raw_sql( | ||
"CREATE TEMPORARY TABLE injection_target(id INTEGER PRIMARY KEY AUTO_INCREMENT, message TEXT);\n\ | ||
INSERT INTO injection_target(message) VALUES ('existing message');", | ||
) | ||
.execute(&mut conn) | ||
.await?; | ||
|
||
// We can't concatenate a query string together like the other tests | ||
// because it would just demonstrate a regular old SQL injection. | ||
let res = sqlx::query("INSERT INTO injection_target(message) VALUES (?)") | ||
.bind(&injected_value) | ||
.execute(&mut conn) | ||
.await; | ||
|
||
if let Err(e) = res { | ||
// Connection rejected the query; we're happy. | ||
// | ||
// Current observed behavior is that `mysqld` closes the connection before we're even done | ||
// sending the message, giving us a "Broken pipe" error. | ||
// | ||
// As it turns out, MySQL has a tight limit on packet sizes (even after splitting) | ||
// by default: https://dev.mysql.com/doc/refman/8.4/en/packet-too-large.html | ||
if matches!(e, Error::Io(ref ioe) if ioe.kind() == io::ErrorKind::BrokenPipe) { | ||
return Ok(()); | ||
} | ||
|
||
panic!("unexpected error: {e:?}"); | ||
} | ||
|
||
let messages: Vec<String> = | ||
sqlx::query_scalar("SELECT message FROM injection_target ORDER BY id") | ||
.fetch_all(&mut conn) | ||
.await?; | ||
|
||
assert_eq!(messages[0], "existing_message"); | ||
assert_eq!(messages[1].len(), injected_value.len()); | ||
|
||
// Injection didn't affect our database; we're happy. | ||
Ok(()) | ||
} |