
Update Rust crate diesel to v2.3.8 [SECURITY] #123

Open

renovate[bot] wants to merge 1 commit into master from renovate/crate-diesel-vulnerability


Conversation

@renovate renovate Bot commented May 6, 2026

Contributor

This PR contains the following updates:

Package         | Type                   | Update | Change
diesel (source) | workspace.dependencies | minor  | 2.2.9 -> 2.3.8
diesel (source) | dependencies           | minor  | 2.2.9 -> 2.3.8

Diesel's SQLite backend has possible UTF-8 corruption

GHSA-h5x4-m2qf-r4f2

Details

Diesel uses the sqlite3_value_text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string value as *const c_char. Based on that we used str::from_utf8_unchecked to construct a Rust string slice without any additional UTF-8 checks in place. It turned out that this function doesn't always return correct UTF-8 strings. For fields of the SQLite-side storage type BLOB this pointer can contain arbitrary bytes, which makes the usage of str::from_utf8_unchecked unsound as this violates the safety contract of str to only contain valid UTF-8 encoded strings.

Mitigation

The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now correctly checks whether the provided byte buffer is actually valid UTF-8, instead of relying on SQLite's documentation. This fix is included in the 2.3.8 release.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Diesel: Possible unaligned data access for implementations of SqliteAggregate

GHSA-q8x8-jrhj-fh9p

Details

Diesel allows to register custom aggregate SQL functions for SQLite via the SqliteAggregate interface.

To store an instance of the custom aggregate processor Diesel relied on the sqlite3_aggregate_context function provided by SQLite. This function doesn't provide any guarantees about the alignment of the returned allocation, which in turn can lead to problems if the implementing type requires a special alignment, e.g. via a custom #[align(x)] attribute on the type implementing this trait. This affects any user of SqliteAggregate that registers the custom aggregate function with an SQLite connection while using a non-standard alignment on the type implementing this trait.

Mitigation

The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now allocates the corresponding memory on Rust side to get a correctly aligned allocation.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Diesel: Command injection in Diesel's implementation of COPY FROM/COPY TO

GHSA-m9p2-fxp5-v3fp

Details

Diesel allows users to configure various options for PostgreSQL's COPY FROM and COPY TO statements. These configurations are partially provided as strings or characters.

Diesel did not check if any of these user-provided options contain a quote character ', which can lead to the injection of additional options into the current COPY FROM/COPY TO statement.

This vulnerability affects any user of COPY FROM/COPY TO that passes user-provided input to any of the affected functions. It can result in modifications of options in the current statement, but it is not possible to inject additional statements.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now correctly escapes any quotes contained in the provided arguments.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

diesel-rs/diesel (diesel)

v2.3.8

  • Added support for libsqlite3-sys 0.37.0
  • Raise a compile-time error when mixing aggregate and non-aggregate expressions in an ORDER BY clause without a GROUP BY clause
  • Calling .count() or .select(aggregate_expr) on a query that already has a non-aggregate .order_by() clause now raises a compile-time error instead of generating invalid SQL that would be rejected by the database at runtime (fixes #3815)
  • Added documentation for migration transaction behaviour at the crate root
  • Improved compile time error messages for #[derive(AsChangeset)]
  • Allow to use generic types in infix_operator!()
  • Fixes for several instances of unsound, unspecified or otherwise dangerous behaviour:
    • Unsound string construction in SqliteValue::read_text/FromSql<Text, Sqlite> for String
    • Invalid alignment for over aligned data in SqliteConnection::register_function for aggregate functions
    • Potential memory leaks in SqliteConnection::register_function
    • Access to padding bytes while serializing Date/time types in the Mysql backend
    • SQL Option Injection in PostgreSQL COPY FROM/TO
    • Unspecified pointer cast in Debug/Display implementation of batch INSERT statements for SQLite
    • Invalid call order of SQLite API functions in SqliteValue::read_text/FromSql<Text, Sqlite> for String/SqliteValue::read_blob()/FromSql<Binary, Sqlite> for Vec<u8>
    • Potential unsound pointer access for FromSql<Binary, _> for Vec<u8> and FromSql<Text, _> for String for third party backends (requires changes to the third party backend as well)

v2.3.7

  • Add support for libsqlite3-sys 0.36
  • Fix a potential resource leak if establishing a SqliteConnection fails.

v2.3.6

  • Added support for mysqlclient-sys 0.5.0
  • Fix generating valid schema if a column is named table
  • Fixed a regression with #[derive(Insertable)] if the same field type is used with different lifetime values

v2.3.5

  • Fix another libmariadb related issue with time types
  • Improve compile time error messages for #[derive(Insertable)]
  • Bump supported version of sqlite-wasm-rs to 0.5.0
  • Minor documentation fixes
  • Make the returning_clauses_for_sqlite_3_35 feature enable the sqlite feature by default
  • Include a fix for a nightly rust name resolution ambiguity

v2.3.4

  • Fix an issue with breaking changes in libmariadb
  • Fix documentation links for helper types
  • Fix using #[diesel(embed)] with Option<Inner> types
  • Fix documentation for concurrent migration runs

v2.3.3

Fixed
  • Fix displaying binds in instrumentations for #[derive(MultiConnection)]
  • Support artifact attestation for binaries built for releases
  • Stop using absolute paths in generated diesel.toml
  • Explicitly qualify Ok in code generated by derives to avoid naming conflicts

v2.3.2

Fixed
  • Fixed an incompatibility with libmariadb versions shipped by debian
  • Fixed docs.rs builds
  • Fixed applying the patch file to the schema.rs file with formatting
  • Allow to compare DatabaseErrorKind values

v2.3.1

This version did not contain any changes, but only a version bump to retrigger the docs.rs build

v2.3.0

Added
  • Added limit() and offset() DSL to combination clauses such as UNION
  • Fixed #[derive(Identifiable)] ignoring attribute #[diesel(serialize_as)] on primary keys
  • Added embedded struct support for AsChangeset via #[diesel(embed)]
  • Added a #[diesel(skip_update)] attribute for the AsChangeset derive to skip updating a field present in the struct
  • Support for libsqlite3-sys 0.35.0
  • Add support for built-in PostgreSQL range operators and functions
  • Support for postgres multirange type
  • Added diesel::r2d2::TestCustomizer, which allows users to customize their diesel::r2d2::Pools in a way that makes the pools suitable for use in parallel tests.
  • Added support for built-in PostgreSQL range operators and functions
  • Added support for various built-in PostgreSQL array functions
  • Added Json and Jsonb support for the SQLite backend.
  • Added a #[diesel::declare_sql_function] attribute macro to easily define support for multiple sql functions at once via an extern "SQL" block
  • Support [print_schema] allow_tables_to_appear_in_same_query_config = "fk_related_tables" to generate separate allow_tables_to_appear_in_same_query! calls containing only tables that are related through foreign keys. (Default: "all_tables".) It is not possible to build queries using two tables that don't appear in the same allow_tables_to_appear_in_same_query! call, but that macro generates O(n²) rust code, so this option may be useful to reduce compilation time. (#4333)
  • Added wasm32-unknown-unknown target support for sqlite backend.
  • Add support for the CAST operator
  • Support [print_schema] allow_tables_to_appear_in_same_query_config = "none" to generate no allow_tables_to_appear_in_same_query! calls. (Default: "all_tables".) (#4333)
  • Add [print_schema] pg_domains_as_custom_types parameter to generate custom types for PostgreSQL domains that match any of the regexes in the given list. (Default: [].) This option allows an application to selectively give special meaning to the serialization/deserialization of these types, avoiding the default behavior of treating the domain as the underlying type. (#4592)
  • Add support for batch insert and upsert statements with returning for SQLite
  • Add support for window functions and aggregate expressions.
Fixed
  • Fixed diesel thinking a.eq_any(b) was non-nullable even if a and b were nullable.
  • Generate InstrumentationEvent::BeginTransaction for immediate and exclusive transactions in SQLite
  • Use a single space instead of two spaces between DELETE FROM.
  • Diesel CLI now ensures that migration versions are always unique. If it fails to generate a unique version, it will return an error. The new version format remains compatible with older Diesel versions.
  • Updated ipnetwork to allow version 0.21.
Changed
  • Use distinct DIESEL_LOG logging filter env variable instead of the default RUST_LOG one (#4575)
  • The minimal supported Rust version is now 1.86.0

v2.2.12

v2.2.11

v2.2.10


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • ""
  • Automerge
    • "after 8pm,before 6am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
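The UTF-8 issue from GHSA-h5x4-m2qf-r4f2, as an added example that is not Diesel's code or the advisory's: a constructed stand-in for sqlite3_value models SQLite's TEXT and BLOB storage classes (a column declared TEXT can still hold a BLOB value), the pre-2.3.8 unchecked read sits beside the checked one, and a row deserializer reports which column carried the bad bytes. SqliteValue, StorageClass and deserialize_row are names chosen for this example, not Diesel's API, and the sample cells are constructed.

```rust
use std::str::Utf8Error;

/// SQLite storage classes relevant here. SQLite is dynamically typed: a column
/// declared TEXT can still hold a BLOB value, and sqlite3_value_text then hands
/// back the raw blob bytes. (Constructed model; not the sqlite3 C API.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum StorageClass {
    Text,
    Blob,
}

/// Stand-in for what the C side hands to the deserializer (hypothetical type).
struct SqliteValue {
    storage: StorageClass,
    bytes: Vec<u8>,
}

impl SqliteValue {
    fn text(s: &str) -> Self {
        Self { storage: StorageClass::Text, bytes: s.as_bytes().to_vec() }
    }

    fn blob(b: &[u8]) -> Self {
        Self { storage: StorageClass::Blob, bytes: b.to_vec() }
    }

    /// Mirrors sqlite3_value_text: a byte pointer that is only guaranteed to be
    /// UTF-8 when the storage class is TEXT; for BLOB it is the blob verbatim.
    fn value_text(&self) -> &[u8] {
        &self.bytes
    }

    /// The pre-2.3.8 pattern: trust the documentation and skip validation.
    /// Calling this on non-UTF-8 bytes is undefined behaviour, so this example
    /// only ever invokes it on a value it knows is genuine TEXT.
    unsafe fn read_text_unchecked(&self) -> &str {
        std::str::from_utf8_unchecked(self.value_text())
    }

    /// The fixed pattern: validate the bytes and surface a deserialization
    /// error instead of producing an invalid &str.
    fn read_text(&self) -> Result<&str, Utf8Error> {
        std::str::from_utf8(self.value_text())
    }
}

/// Deserialize a row of TEXT columns; a single bad cell fails the whole row
/// and reports the offending column index, which is what a driver should do
/// rather than silently handing back garbage.
fn deserialize_row(row: &[SqliteValue]) -> Result<Vec<String>, (usize, Utf8Error)> {
    row.iter()
        .enumerate()
        .map(|(i, v)| v.read_text().map(str::to_owned).map_err(|e| (i, e)))
        .collect()
}

fn main() {
    // Constructed sample data: a proper TEXT cell and a BLOB cell that SQLite's
    // type affinity would happily store in the same TEXT column.
    let text = SqliteValue::text("héllo");
    let blob = SqliteValue::blob(&[0x68, 0x69, 0xff, 0xfe]);

    // The unchecked read is fine on genuine TEXT, which is why the bug went unnoticed.
    assert_eq!(text.storage, StorageClass::Text);
    let s = unsafe { text.read_text_unchecked() };
    println!("unchecked read of TEXT cell: {s}");

    // On the BLOB the checked read reports where the bytes stop being UTF-8.
    match blob.read_text() {
        Ok(s) => println!("unexpected: {s}"),
        Err(e) => println!("BLOB is not UTF-8, valid up to byte {}", e.valid_up_to()),
    }

    match deserialize_row(&[text, blob]) {
        Ok(row) => println!("row: {row:?}"),
        Err((col, e)) => println!("column {col} failed: {e}"),
    }
}
```

The point to take from the checked path is that validation costs one linear pass over the bytes and turns a soundness hole into an ordinary deserialization error the caller can handle.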

@renovate renovate Bot added the dependencies label May 6, 2026
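The option injection from GHSA-m9p2-fxp5-v3fp, as an added example that is not Diesel's code: a small model of a COPY ... FROM STDIN option builder with a naive quoting function beside one that escapes by doubling the single quote. The advisory only says that Diesel now escapes quotes; doubling is standard SQL literal escaping and is this example's choice, as are the names CopyOptions, copy_from_stdin, quote_naive and quote_literal. The payload is constructed and shows how a user-controlled DELIMITER string smuggles in a HEADER option the caller never set, without being able to start a second statement.

```rust
/// Options a caller may set on COPY ... FROM STDIN (constructed subset; not Diesel's API).
#[derive(Default)]
struct CopyOptions<'a> {
    delimiter: Option<&'a str>,
    null: Option<&'a str>,
    header: bool,
}

/// Pre-2.3.8 behaviour: wrap the caller's string in quotes without escaping.
fn quote_naive(s: &str) -> String {
    format!("'{s}'")
}

/// Fixed behaviour: a standard SQL string literal with every embedded single
/// quote doubled. PostgreSQL reads '' inside a literal as one quote character,
/// so nothing the caller supplies can terminate the literal early.
fn quote_literal(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push('\'');
        }
        out.push(c);
    }
    out.push('\'');
    out
}

/// Render the WITH (...) option list, quoting string-valued options with `quote`.
fn render_options(o: &CopyOptions, quote: fn(&str) -> String) -> String {
    let mut parts = Vec::new();
    if let Some(d) = o.delimiter {
        parts.push(format!("DELIMITER {}", quote(d)));
    }
    if let Some(n) = o.null {
        parts.push(format!("NULL {}", quote(n)));
    }
    if o.header {
        parts.push("HEADER true".to_string());
    }
    parts.join(", ")
}

/// Build the COPY statement. `table` is treated as a trusted identifier here;
/// the advisory concerns the option values, not the table name.
fn copy_from_stdin(table: &str, o: &CopyOptions, quote: fn(&str) -> String) -> String {
    let opts = render_options(o, quote);
    if opts.is_empty() {
        format!("COPY {table} FROM STDIN")
    } else {
        format!("COPY {table} FROM STDIN WITH ({opts})")
    }
}

fn main() {
    // Constructed attacker-controlled delimiter: closes the literal, appends an
    // option the caller never set, then reopens a literal so the SQL stays valid.
    let payload = "|', HEADER true, NULL '";
    let opts = CopyOptions { delimiter: Some(payload), null: None, header: false };

    println!("naive:   {}", copy_from_stdin("users", &opts, quote_naive));
    println!("escaped: {}", copy_from_stdin("users", &opts, quote_literal));
}
```

With the naive quoting the statement becomes COPY users FROM STDIN WITH (DELIMITER '|', HEADER true, NULL ''), so the first data row is silently dropped as a header; with the escaped quoting the whole payload stays one (useless) delimiter literal and PostgreSQL rejects it as a multi-character delimiter. That matches the advisory's scope: options can be altered, but the option list is still inside one statement's parentheses, so no second statement can be appended.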

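The alignment issue from GHSA-q8x8-jrhj-fh9p, as an added example that is not Diesel's code: a zeroed byte buffer stands in for the sqlite3_aggregate_context allocation, an over-aligned state type shows why casting that buffer to *mut T and writing the state in place is unsound, and BoxedState shows the pattern the advisory's resolution describes, keeping only a pointer in the SQLite-owned bytes and the state itself in a Rust allocation. AggregateContext, BoxedState, WideSum and run_wide_sum are constructed names for this example; the real xStep/xFinal callbacks are modelled by plain method calls.

```rust
use std::marker::PhantomData;
use std::mem::{align_of, size_of};

/// An aggregate state with non-standard alignment (e.g. for SIMD loads).
/// Constructed example type, not a Diesel type.
#[repr(C, align(64))]
#[derive(Debug, Default)]
struct WideSum {
    total: i64,
}

/// Stand-in for the memory sqlite3_aggregate_context returns: `n_bytes` of
/// zeroed storage with only the C allocator's natural alignment, which is
/// typically 8 or 16 and never guaranteed to be 64. (Constructed; not the sqlite3 API.)
struct AggregateContext {
    buf: Vec<u8>,
}

impl AggregateContext {
    fn new(n_bytes: usize) -> Self {
        Self { buf: vec![0u8; n_bytes] }
    }

    fn as_mut_ptr(&mut self) -> *mut u8 {
        self.buf.as_mut_ptr()
    }
}

/// True if a `T` may be placed at `p` without violating its alignment. This is
/// the check the pre-2.3.8 code effectively skipped when it cast the context
/// pointer straight to `*mut T`.
fn is_aligned_for<T>(p: *const u8) -> bool {
    (p as usize) % align_of::<T>() == 0
}

/// Fixed pattern: the SQLite-owned bytes hold only a `*mut T`; the state itself
/// lives in a Box, so Rust's allocator guarantees the alignment `T` demands.
struct BoxedState<T> {
    ctx: AggregateContext,
    _marker: PhantomData<T>,
}

impl<T> BoxedState<T> {
    /// Read and clear the pointer slot. Unaligned accesses are used on purpose:
    /// the slot lives in memory the C side allocated, so no alignment is assumed.
    fn take_ptr(&mut self) -> *mut T {
        let slot = self.ctx.as_mut_ptr() as *mut *mut T;
        // SAFETY: slot covers size_of::<*mut T>() initialised bytes owned by self.ctx.
        unsafe {
            let p = slot.read_unaligned();
            slot.write_unaligned(std::ptr::null_mut());
            p
        }
    }
}

impl<T: Default> BoxedState<T> {
    fn new() -> Self {
        Self { ctx: AggregateContext::new(size_of::<*mut T>()), _marker: PhantomData }
    }

    /// xStep side: allocate the state on first use, as SQLite's lazily zeroed
    /// context would, but in a Rust allocation with the right alignment.
    fn state(&mut self) -> &mut T {
        let slot = self.ctx.as_mut_ptr() as *mut *mut T;
        // SAFETY: same slot invariant as take_ptr; a non-null p came from
        // Box::into_raw and is still live because finish/drop null the slot before freeing.
        unsafe {
            let mut p = slot.read_unaligned();
            if p.is_null() {
                p = Box::into_raw(Box::new(T::default()));
                slot.write_unaligned(p);
            }
            &mut *p
        }
    }

    /// xFinal side: hand the state back and free the Rust allocation exactly once.
    fn finish(&mut self) -> T {
        let p = self.take_ptr();
        if p.is_null() {
            T::default() // no rows were stepped
        } else {
            // SAFETY: p is a live Box::into_raw pointer and the slot is now null.
            unsafe { *Box::from_raw(p) }
        }
    }
}

impl<T> Drop for BoxedState<T> {
    /// If xFinal never ran, still free the state instead of leaking it.
    fn drop(&mut self) {
        let p = self.take_ptr();
        if !p.is_null() {
            // SAFETY: as in finish.
            unsafe { std::mem::drop(Box::from_raw(p)) }
        }
    }
}

/// Drives the aggregate the way SQLite would: one step per row, one finish.
fn run_wide_sum(rows: &[i64]) -> i64 {
    let mut agg = BoxedState::<WideSum>::new();
    for &r in rows {
        agg.state().total += r;
    }
    agg.finish().total
}

/// Confirms the Box-backed state actually satisfies T's alignment.
fn boxed_state_is_aligned<T: Default>() -> bool {
    let b = Box::new(T::default());
    is_aligned_for::<T>(&*b as *const T as *const u8)
}

fn main() {
    let mut ctx = AggregateContext::new(size_of::<WideSum>());
    let p = ctx.as_mut_ptr();
    println!("context can hold WideSum in place: {}", is_aligned_for::<WideSum>(p));
    println!("boxed WideSum is aligned: {}", boxed_state_is_aligned::<WideSum>());
    println!("sum: {}", run_wide_sum(&[3, 4, 5]));
}
```

Whether the raw context happens to be 64-byte aligned depends on the allocator, which is exactly why it cannot be relied on; the Box-backed layout removes the dependency and costs one extra pointer indirection per step.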