Add fuzzing for sqlx (launchbadge/sqlx)#14894
Conversation
jrey8343 is integrating a new project:

Update: Force-pushed to clean up commit history. The PR now contains only the sqlx integration (no clap). The previous bot comment is stale and will be updated when checks run. Current state:

SQLx is a popular async SQL toolkit for Rust supporting PostgreSQL, MySQL, and SQLite with 54.9M downloads and 1,503 reverse dependencies. This integration targets critical protocol parsing areas including:
- MySQL binary protocol (RUSTSEC-2024-0363 vulnerability area)
- PostgreSQL wire protocol parsing
- Connection handshakes and authentication
- Type deserialization from database results

Security impact: Database protocol parsing is a critical attack surface. Prior vulnerabilities (RUSTSEC-2024-0363) demonstrate the need for continuous fuzzing of binary protocol handling.

Contributed by: Jared Reyes (jrey8343@gmail.com)
Update: Security Bug Discovered and Fixed

This fuzzing integration has successfully discovered and fixed 1 critical security bug in sqlx: JSONB Decoder Panic on Invalid Version Byte

Technical Details

The JSONB decoder contained an assertion that would panic when decoding a newline character. This has been fixed by replacing the assertion with proper error handling.

Input that triggers bug: Single byte

Fuzzing Infrastructure

Integration Status

This demonstrates the critical security value of fuzzing database type decoders.

Contact: jaredreyespt@gmail.com
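The assert-on-version-byte pattern described in the comment above, as an added example written for this review (it is not sqlx's decoder, nor the fix in the upstream PR): the fragile decoder beside one that reports the same condition as an error, plus the per-input body a libFuzzer-style target would run against it. It assumes PostgreSQL's binary JSONB encoding of one version byte (1) followed by the JSON text, and leaves out the JSON parse that a real decoder would do next. The crash input is constructed as the single byte 0x0a, a newline.

```rust
// Added example, not sqlx's code: the assert-on-version-byte pattern beside a
// decoder that reports the same condition as an error.
// Assumption: PostgreSQL's binary JSONB encoding is one version byte (1)
// followed by the JSON text; the real decoder would then hand the text to a
// JSON parser, which this example leaves out.
use std::fmt;
use std::panic;

#[derive(Debug, PartialEq)]
pub enum JsonbError {
    Empty,
    UnsupportedVersion(u8),
}

impl fmt::Display for JsonbError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            JsonbError::Empty => write!(f, "empty JSONB value"),
            JsonbError::UnsupportedVersion(v) => write!(f, "unsupported JSONB format version {v}"),
        }
    }
}

impl std::error::Error for JsonbError {}

/// Fragile form: a malformed first byte aborts the task decoding the row.
/// On the single byte 0x0a this panics (10 != 1); on an empty buffer it
/// panics on the index instead.
pub fn decode_jsonb_asserting(buf: &[u8]) -> &[u8] {
    assert_eq!(buf[0], 1, "unsupported JSONB format version {}", buf[0]);
    &buf[1..]
}

/// Hardened form: every malformed prefix becomes an Err the caller can
/// surface as a decode error for that column instead of a crash.
pub fn decode_jsonb_checked(buf: &[u8]) -> Result<&[u8], JsonbError> {
    match buf.split_first() {
        None => Err(JsonbError::Empty),
        Some((&1, json)) => Ok(json),
        Some((&version, _)) => Err(JsonbError::UnsupportedVersion(version)),
    }
}

/// What the body of a libFuzzer-style target does with one input: call the
/// checked decoder and require that it returns (Ok or Err) rather than
/// unwinding. Returns true when no panic occurred.
pub fn fuzz_one(data: &[u8]) -> bool {
    panic::catch_unwind(|| {
        let _ = decode_jsonb_checked(data);
    })
    .is_ok()
}

fn main() {
    let crash_input: &[u8] = b"\n"; // constructed: the single byte 0x0a
    let panicked = panic::catch_unwind(|| decode_jsonb_asserting(crash_input)).is_err();
    println!("asserting decoder panicked on 0x0a: {panicked}");
    println!("checked decoder on 0x0a: {:?}", decode_jsonb_checked(crash_input));
    println!("checked decoder on valid input: {:?}", decode_jsonb_checked(b"\x01{\"ok\":true}"));
}
```

Running `main` prints the default panic message once, because the asserting decoder really does unwind on the newline byte; the checked decoder returns `Err(UnsupportedVersion(10))` for the same input and `Err(Empty)` for a zero-length value, which is the behaviour a fuzz target can assert on for every input.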
CORRECTION: Coverage Requirement Update

Updated understanding of Ideal tier requirements:

Coverage Status

Will update with coverage report to confirm Ideal tier eligibility.

Contact: jaredreyespt@gmail.com
DavidKorczynski left a comment:

Can you make sure you coordinate with maintainers before making these PRs? Could you also evaluate if the projects would benefit more from ClusterFuzzLite to get things moving as a starter? This can be done easily in the upstream repositories and will be a good indicator if a given project wants to maintain a fuzzing set up.
Thanks for the feedback, David. You're absolutely right — I should have coordinated with the sqlx maintainers first. I've since reached out on the upstream PR (launchbadge/sqlx#4156) to discuss the best approach, including suggesting ClusterFuzzLite as a lighter-weight starting point they can run in their own CI. I'll hold off here until I have maintainer buy-in, and will update this PR accordingly. Appreciate the guidance.
Project Information
Repository: https://github.com/launchbadge/sqlx
Language: Rust
Downloads: 54.9M
Reverse Dependencies: 1,503
Estimated Criticality Score: 0.75-0.85 (high ecosystem impact)
Description
SQLx is an async SQL toolkit for Rust supporting PostgreSQL, MySQL, and SQLite. It's the most popular database library in the Rust ecosystem with widespread use across production systems.
Security Criticality
Fuzzing Targets
- fuzz_mysql_lenenc: MySQL length-encoded integer parsing (RUSTSEC-2024-0363 vulnerability area)
- fuzz_mysql_row_binary: Binary protocol row parsing with null bitmaps
- fuzz_mysql_handshake: Connection handshake and authentication
- fuzz_postgres_data_row: PostgreSQL data row parsing
- fuzz_postgres_response: Error/notice response parsing

Upstream Integration
Upstream PR: launchbadge/sqlx#4156
Contributed by: Jared Reyes (jaredreyespt@gmail.com)
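As an added example of what a target like fuzz_mysql_lenenc exercises (code written for this review, not sqlx's decoder or its fuzz target): a std-only codec for the MySQL length-encoded integer wire format, assumed here as the client/server protocol specifies it (a first byte below 0xfb is the value itself; 0xfc, 0xfd and 0xfe prefix a 2-, 3- or 8-byte little-endian value; 0xfb is the NULL marker in row data; 0xff is never a valid prefix), plus the per-input check a cargo-fuzz target would run: decoding must return rather than panic on any byte string, and values decoded from a canonical-width encoding must re-encode to the same bytes. The value is assembled by widening each byte to u64 rather than by `as` casts, since RUSTSEC-2024-0363 concerned truncating and overflowing casts in sqlx's binary protocol handling. All inputs in `main` and the checks are constructed.

```rust
// Added example, not sqlx's code: a MySQL length-encoded integer codec and the
// per-input check a fuzz target for it would run.
// Assumed wire format (MySQL client/server protocol): first byte < 0xfb is the
// value; 0xfc, 0xfd, 0xfe prefix a 2-, 3- or 8-byte little-endian value;
// 0xfb marks NULL in row data; 0xff is never a valid prefix.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum LenEnc {
    Null,
    Int(u64),
}

#[derive(Debug, PartialEq)]
pub enum LenEncError {
    Truncated { needed: usize, available: usize },
    InvalidPrefix(u8),
}

/// Decode one value from the front of `buf`; returns it with the bytes consumed.
pub fn decode_lenenc(buf: &[u8]) -> Result<(LenEnc, usize), LenEncError> {
    let (&first, rest) = buf
        .split_first()
        .ok_or(LenEncError::Truncated { needed: 1, available: 0 })?;
    let width = match first {
        0x00..=0xfa => return Ok((LenEnc::Int(u64::from(first)), 1)),
        0xfb => return Ok((LenEnc::Null, 1)),
        0xfc => 2,
        0xfd => 3,
        0xfe => 8,
        0xff => return Err(LenEncError::InvalidPrefix(first)),
    };
    if rest.len() < width {
        // Length check before indexing: a short packet is an error, not a panic.
        return Err(LenEncError::Truncated { needed: 1 + width, available: buf.len() });
    }
    // Assemble little-endian by widening each byte to u64 and shifting; no
    // narrowing `as` cast anywhere, so 3- and 8-byte values cannot be truncated.
    let value = rest[..width]
        .iter()
        .rev()
        .fold(0u64, |acc, &b| (acc << 8) | u64::from(b));
    Ok((LenEnc::Int(value), 1 + width))
}

/// Canonical encoder: the shortest prefix that fits the value.
pub fn encode_lenenc(v: LenEnc, out: &mut Vec<u8>) {
    match v {
        LenEnc::Null => out.push(0xfb),
        LenEnc::Int(n) => {
            let le = n.to_le_bytes();
            if n < 0xfb {
                out.push(le[0]);
            } else if n <= 0xffff {
                out.push(0xfc);
                out.extend_from_slice(&le[..2]);
            } else if n <= 0x00ff_ffff {
                out.push(0xfd);
                out.extend_from_slice(&le[..3]);
            } else {
                out.push(0xfe);
                out.extend_from_slice(&le);
            }
        }
    }
}

/// Body of a cargo-fuzz target: walk the input decoding values until it runs
/// out. Two properties hold on every input: the decoder returns rather than
/// panicking, and a value decoded from a canonical-width encoding re-encodes
/// to exactly the bytes it came from. Returns the number of values decoded so
/// a harness can assert on it.
pub fn fuzz_lenenc(data: &[u8]) -> Result<usize, LenEncError> {
    let mut cursor = data;
    let mut count = 0;
    while !cursor.is_empty() {
        let (value, used) = decode_lenenc(cursor)?;
        let mut re = Vec::new();
        encode_lenenc(value, &mut re);
        // Non-canonical input such as fc 05 00 decodes fine but re-encodes
        // shorter, so the byte comparison only applies when widths agree.
        if re.len() == used {
            assert_eq!(re.as_slice(), &cursor[..used], "round-trip mismatch");
        }
        cursor = &cursor[used..];
        count += 1;
    }
    Ok(count)
}

fn main() {
    // Constructed inputs: two canonical values, then a truncated 8-byte prefix.
    let mut packet = Vec::new();
    encode_lenenc(LenEnc::Int(0x0012_3456), &mut packet);
    encode_lenenc(LenEnc::Null, &mut packet);
    println!("{:?}", fuzz_lenenc(&packet)); // Ok(2)
    println!("{:?}", decode_lenenc(&[0xfe, 0x01, 0x02])); // Err(Truncated { needed: 9, available: 3 })
    println!("{:?}", decode_lenenc(&[0xff])); // Err(InvalidPrefix(255))
}
```

In a real cargo-fuzz target the `fuzz_lenenc` body would sit inside `fuzz_target!(|data: &[u8]| { ... })`; the round-trip assertion is what turns a silent misparse (a value that decodes but would encode differently) into a crash the fuzzer reports, which is the class of bug a plain "does not panic" harness cannot see.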