fix(deps): update rust crate diesel to v2 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
diesel (source)	dependencies	major	1.4.8 -> 2.2.3

GitHub Vulnerability Alerts

GHSA-wq9x-qwcq-mmgf

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)
Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears Diesel does perform truncating casts in a way that could be problematic,
for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 2.2.2 are affected.

Mitigation

The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes
fixes for the problem.

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Diesel now uses #[deny] directives for the following Clippy lints:

• cast_possible_truncation
• cast_possible_wrap
• cast_sign_loss

to prevent casts that will lead to precision loss or other trunctations. Additionally we performed an
audit of the relevant code.

A fix is included in the 2.2.3 release.

---

Release Notes

diesel-rs/diesel (diesel)

v2.2.3: Diesel 2.2.3

Compare Source

• Support for libsqlite3-sys 0.30.0
• Fixed a possible vulnerability in how Diesel handled protocol level bind parameters.
  See the SQL Injection isn't Dead: Smuggling Queries at Protocol Level presentation from DEF CON for details
• Fixed an issue with a possibly ambiguous trait resolution in #[derive(QueryableByName)]

You can support the development of diesel by contributions or by sponsoring the project on Github.

Full Changelog: diesel-rs/diesel@v2.2.2...v2.2.3

v2.2.2

Compare Source

Fixed

• Support for libsqlite3-sys 0.29.0
• Fixed a potential panic in the sqlite cursor implementation
• Fixed support for rust numeric operators with columns of the type Numeric
• Removed the SerializedDatabase::new function due to unsoundness

v2.2.1

Compare Source

v2.2.0

Compare Source

Added

• Support [print_schema] except_custom_type_definitions = ["Vector"]. If a custom type matches one element on the list it's skipped.
• Added automatic usage of all sqlite rowid aliases when no explicit primary key is defined for print-schema
• Added a #[dsl::auto_type] attribute macro, allowing to infer type of query fragment functions
• Added the same type inference on Selectable derives, which allows skipping specifying select_expression_type most of the time, in turn enabling most queries to be written using just a Selectable derive.
• Added an optional #[diesel(skip_insertion)] field attribute to the Insertable derive macro, allowing fields which map to generated columns to be skipped during insertion.
• Support for connection instrumentation. This allows to inspect any query run by your application
• Logging in diesel-cli
• Support for libsqlite3-sys 0.28
• Add sqlite-integer-primary-key-is-bigint configuration option, usable with SQLite 3.37 or above, allowing to use BigInt for INTEGER PRIMARY KEY columns in SQLite for tables without the WITHOUT ROWID attribute (SQLite doc).
• Support for multiple print_schema entry in diesel.toml (e.g. [print_schema.user1]), which allows generating multiple schema.rs files
• Add support for COPY TO and COPY FROM statements
• Add support for mapping chrono::Duration to postgresql's INTERVAL sql type
• Added serialize_database_to_buffer and deserialize_readonly_database_from_buffer methods in SqliteConnection to support serialization/deserialization of SQLite databases to and from byte buffers.
• Added SerializedDatabase wrapper type for a serialized database that is dynamically allocated by calling serialize_database_to_buffer. This RAII wrapper deallocates the memory when it goes out of scope with sqlite3_free.

Changed

• The minimal officially supported rustc version is now 1.78.0
• Deprecated sql_function! in favour of define_sql_function! which provides compatibility with #[dsl::auto_type]
• Deserialization error messages now contain information about the field that failed to deserialize

v2.1.6

Compare Source

• Fix using BoxableExpression with having clauses
• Fix using numeric expressions with aliased fields
• Minor documentation fixes

v2.1.5

Compare Source

• Fix impl SqlOrd postgres > postgres_backend feature flag.
• Allow Queryable to be used with multiple table names.
• Fix an inconsistent unit test
• Fix a clippy lint
• Fix ./bin/test feature flag calls.
• Update libsqlite3-sys to allow version 0.28 as well

v2.1.4

Compare Source

• Update libsqlite3-sys to allow version 0.27 as well

v2.1.3

Compare Source

• Increased accidently decreased limit around element count in DISTINCT ON and ORDER BY clauses again as that broke existing code

v2.1.2

Compare Source

v2.1.1

Compare Source

v2.1.0

Compare Source

Changed

• The minimal officially supported rustc version is now 1.65.0

Added

• Added the custom_type_derives config option to customize the derives for SQL
  type definitions automatically generated by Diesel CLI.
• Add a #[derive(MultiConnection)] proc-macro that lets you easily implement diesel::Connection
  for an enum of connections to different database backends.
• Added a --diff-schema flag to the diesel migration generate command that generates a migration based
  on the difference between your database and the provided schema.rs file
• Add a ON CONFLICT (...) DO UPDATE ... [WHERE ...] conditional clause support for PostgreSQL.
• Add support for MySQL's ON DUPLICATE KEY DO UPDATE syntax through the existing upsert functions.
• Add ability to define multiple columns in a single distinct_on for PostgreSQL,
  like: .distinct_on((column_a, column_b)).
• Added column size restrictions to the generated schema.rs file

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

v2.0.1

Compare Source

Fixed

• Fixed an issue with diesel_cli generating incompatible type names for the generate_missing_sql_type_definitions feature on PostgreSQL
• Fixed an issue how diesel_cli handles sqlite urls while checking if a given database exists
• Fixed an issue with PgConnection becoming unusable after hitting a database error in certain situations
• Fixed an issue with diesel generating invalid SQL for certain INSERT … ON CONFLICT queries
• Fixed diesel_derives generating code that triggers the disabled by default unused_qualifications lint

v2.0.0

Compare Source

Added

• MysqlConnection::establish is able to initiate an SSL connection while specifying certificate roots. The database URL should contain an ssl_ca parameter with a path pointing to the certificate roots. See docs if desired.

• MysqlConnection::establish is able to initiate an SSL connection. The database URL should contain ssl_mode parameter with a value of the MySQL client command option --ssl-mode if desired.

• Connection and SimpleConnection traits are implemented for a broader range
  of r2d2::PooledConnection<M> types when the r2d2 feature is enabled.

• Added DatabaseErrorKind::ReadOnlyTransaction to allow applications to
  handle errors caused by writing when only allowed to read.

• All expression methods can now be called on expressions of nullable types.

• Added BoxedSqlQuery. This allows users to do a variable amount of .sql or
  .bind calls without changing the underlying type.

• Added .sql to SqlQuery and UncheckedBind to allow appending SQL code to
  an existing query.

• The MacAddr SQL type can now be used without enabling the network-address
  feature.

• Added support for SQLite's UPSERT.
  You can use this feature above SQLite version 3.24.0.

• Added ability to create custom aggregate functions in SQLite.

• Multiple aggregate expressions can now appear together in the same select
  clause. See the upgrade notes for details.

• ValidGrouping has been added to represent whether an expression is valid for
  a given group by clause, and whether or not it's aggregate. It replaces the
  functionality of NonAggregate. See the upgrade
  notes for details.

• It is now possible to inspect the type of values returned from the database
  in such a way to support constructing a dynamic value depending on this type.

• Added a without-deprecated feature that unconditionally disables deprecated items.
  Use this feature flag to verify that none of your dependencies is setting
  the with-deprecated flag internally.

• Added support for PostgreSQL's SIMILAR TO and NOT SIMILAR TO.

• Added #[diesel(serialize_as)] analogous to #[diesel(deserialize_as)]. This allows
  customization of the serialization behaviour of Insertable and AsChangeset structs.

• Added support for GROUP BY clauses

• Added support for UNION, UNION ALL, INTERSECT, INTERSECT ALL, EXCEPT, EXCEPT ALL clauses

• Added the error position for PostgreSQL errors

• Added ability to create custom collation functions in SQLite.

• Added support for SQLite's IS and IS NOT.

• Add support for HAVING clauses.

• Added support for SQL functions without arguments for SQLite.

• Diesel CLI will now generate SQL type definitions for SQL types that are not supported by diesel out of the box. It's possible to disable this behavior via the generate_missing_sql_type_definitions config option.

• Added an option to #[derive(Insertable)] that let you insert NULL values instead of DEFAULT values for Option<T>

• Added support for all the derive attributes being inside #[diesel(...)]

• Added support for RETURNING expressions for Sqlite via the returning_clauses_for_sqlite_3_35 feature

• Added support for table aliasing via the alias! macro

• Added support for the usage of slices of references with belonging_to from BelongingToDsl

• Added support for updating individual array elements UPDATE table SET array_column[1] = true

• Adds an ipnet-address feature flag, allowing support (de)serializing IP
  values from the database using types provided by ipnet. This feature
  may be enabled concurrently with the previously existing network-address
  feature.

• We've added support for loading values using libpq's row-by-row mode via
  the new iterator interface

• Adds Timestamp, Timestamptz support for appropriate types for time v0.3.9.
  This feature enables using the time crate as an alternative to chrono.

Removed

• All previously deprecated items have been removed.
• Support for uuid version < 0.7.0 has been removed.
• Support for bigdecimal < 0.0.13 has been removed.
• Support for pq-sys < 0.4.0 has been removed.
• Support for mysqlclient-sys < 0.2.5 has been removed.
• Support for time (0.1) types has been removed.
• Support for chrono < 0.4.19 has been removed.
• The minimal supported version of libsqlite3-sys is now 0.17.2.
• The NonNull trait for sql types has been removed in favour of the new SqlType trait.
• no_arg_sql_function! has been deprecated without replacement.
  [sql_function!][sql-function-2-0-0] can now be used for functions with zero
  arguments. See the migration guide for more details.
• Support for barrel based migrations has been removed for now. We are happy to
  add this support back as soon as barrel integrates with our new migration framework.
• The deprecated bash completions command (diesel bash-completions) has been removed.
  Use diesel completions <shell> instead.

Changed

• The minimal officially supported rustc version is now 1.56.0

• Interacting with a database requires a mutable connection.

• The way the Backend trait handles its RawValue type has
  been changed to allow non-references. Users of this type (e.g. code written
  &DB::RawValue or &<DB as Backend>::RawValue>) should use
  backend::RawValue<DB> instead. Implementors of Backend
  should check the relevant section of the migration guide.

• The type metadata for MySQL has been changed to include sign information. If
  you are implementing HasSqlType for Mysql manually, you may need to adjust
  your implementation to fully use the new unsigned variants in MysqlType

• The RawValue types for the Mysql and Postgresql backend where changed
  from [u8] to distinct opaque types. If you used the concrete RawValue type
  somewhere you need to change it to mysql::MysqlValue or pg::PgValue.

• The uuidv07 feature was renamed to uuid, due to the removal of support for older uuid versions

• Boxed queries (constructed from .into_boxed()) are now Send.

• The handling of mixed aggregate values is more robust. Invalid queries such as
  .select(max(id) + other_column) are now correctly rejected, and valid
  queries such as .select((count_star(), max(other_column))) are now correctly
  accepted. For more details, see the migration guide.

• NonAggregate is now a trait alias for ValidGrouping<()> for expressions
  that are not aggregate. On stable this is a normal trait with a blanket impl,
  but it should never be implemented directly. With the unstable feature, it
  will use trait aliases which prevent manual implementations.

  Due to language limitations, we cannot make the new trait alias by itself
  represent everything it used to, so in some rare cases code changes may be
  required. See the migration guide for details.

• Various __NonExhaustive variants in different (error-) enums are replaced with
  #[non_exhaustive]. If you matched on one of those variants explicitly you need to
  introduce a wild card match instead.

• FromSql::from_sql is changed to construct value from non nullable database values.
  To construct a rust value for nullable values use the new FromSql::from_nullable_sql
  method instead.

• Custom sql types are now required to implement the new SqlType trait. Diesel will
  automatically create implementations of that trait for all types having a #[derive(SqlType)]

• The workflow for manually implementing support custom types has changed. Implementing
  FromSqlRow<ST, DB> is not required anymore, as this is now implied by implementing
  FromSql<ST, DB>. The requirement of implementing Queryable<ST, DB> remains
  unchanged. For types using #[derive(FromSqlRow)] no changes are required as the
  derive automatically generates the correct code

• The structure of our deserialization trait has changed. Loading values from the database
  requires now that the result type implements FromSqlRow<ST, DB>. Diesel provides wild
  card implementations for types implementing Queryable<ST, DB> or QueryableByName<DB>
  so non generic code does not require any change. For generic code you likely need to
  replace a trait bound on Queryable<ST, DB> with a trait bound on FromSqlRow<ST, DB>
  and a bound to QueryableByName<DB> with FromSqlRow<Untyped, DB>.

• CLI flags of only-tables and except-tables are now interpreted as regular expressions.
  Similarly, only_tables and except_tables in diesel.toml are treated as regular expressions.

• Now you can sort column fields by name with the column-sorting option.
  It can be set to either ordinal_position (default) or name.
  This ensures stable sorting even if columns are removed and re-added.

• The Queryable<ST,DB> trait was updated to be made faillible, in order to properly handle
  cases where you detect a data inconsistency between fields on deserialization
  (that e.g. was supposed to be made impossible by DB CHECKs). The build function now
  returns a
  diesel::deserialize::Result<Self>
  instead of a Self.

• TypeMetadata::MetadataLookup is now ?Sized.

• Multiple implementations of Connection<Backend=Pg> are now possible
  because of the new PgMetadataLookup trait.

• For the Pg backend, TypeMetadata::MetadataLookup has changed to dyn PgMetadataLookup.

• Diesel's migration framework was rewritten from the ground. Existing migrations continue to
  be compatible with the rewrite, but code calling into diesel_migrations requires an update.
  See the migration guide for details.

• eq_any() now emits a = ANY() expression for the postgresql backend instead of IN()

• ne_all() now emits a != ALL() expression for the postgresql backend instead of NOT IN()

• The sqlite backend now uses a single batch insert statement if there are now default values present
  in the values clause

• The MySQL connection is using the CLIENT_FOUND_ROWS from now on. This means that updating rows without changing any values will return the number of matched rows (like most other SQL servers do), as opposed to the number of changed rows.

• The definition of ToSql::to_sql and QueryFragment::walk_ast has changed to allow serializing values without
  copying the value itself. This is useful for database backends like sqlite where you can directly share a buffer
  with the database. Beside of the changed signature, existing impls of this trait should remain unchanged in almost
  all cases.

• The PIPES_AS_CONCAT sql_mode is no longer set
  by default. This setting requires a modification to MySQL query parsing that is
  not supported by certain systems (such as Vitess). If you are using MySQL and
  executing raw queries with the || operator, you will need to rewrite your
  queries or set PIPES_AS_CONCAT manually.

Fixed

• Many types were incorrectly considered non-aggregate when they should not
  have been. All types in Diesel are now correctly only considered
  non-aggregate if their parts are.

• Offset clauses without limit clauses resulted into invalid sql using the mysql or
  sqlite backend. Both do not support such clauses without a preceding limit clause.
  For those backend Diesel does now generate a fake limit clause in case no explicit
  limit clause was given. As consequence of this change generic query code may
  require additional trait bounds as requested from the compiler. Third party
  backends are required to explicitly provide QueryFragment impls for
  LimitOffsetClause<L, O> now.

• Nullability requirements are now properly enforced for nested joins.
  Previously, only the rules for the outer-most join were considered. For
  example, users.left_join(posts).left_join(comments) would allow selecting
  any columns from posts. That will now fail to compile, and any selections
  from posts will need to be made explicitly nullable.

• Diesel CLI will now look for diesel.toml to determine the project root
  before looking for Cargo.toml.

• Any relative paths in diesel.toml will now be treated as relative to the
  project root (the directory containing either diesel.toml or Cargo.toml).
  They are no longer dependent on the current working directory (for all
  directories in the same project)

• The SQLite backend is now configured to interpret URIs.
  See the SQLite URI documentation for additional details.

• We've refactored our type translation layer for Mysql to handle more types now.

• We've refactored our type level representation of nullable values. This allowed us to
  fix multiple long standing bugs regarding the correct handling of nullable values in some
  corner cases (#​104, #​2274)

• Parenthesis are now inserted around all infix operations provided by diesel's ExpressionMethods traits

• Queries containing a distinct on clause check now on compile time that a compatible order clause was set.

• Implementations of custom SQLite SQL functions now check for panics

• diesel print-schema now generates Array<Nullable<ST>> rather than Array<ST> for Postgres Array types. Existence of
  NULL values in database arrays would previously result in deserialization errors. Non-nullable arrays are now opt
  in (by schema patching).

Deprecated

• All the diesel derive attributes that are not inside #[diesel(...)]

• diesel_(prefix|postfix|infix)_operator! have been deprecated. These macros
  are now available without the diesel_ prefix. With Rust 2018 they can be
  invoked as diesel::infix_operator! instead.

• diesel::pg::upsert has been deprecated to support upsert queries on more than one backend.
  Please use diesel::upsert instead.

• diesel::dsl::any and diesel::dsl::all are now deprecated in
  favour of ExpressionMethods::eq_any() and ExpressionMethods::ne_all()

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path crates/whirl_db/Cargo.toml --workspace
error: current package believes it's in a workspace when it's not:
current:   /tmp/renovate/repos/github/Whirlsplash/whirl/crates/whirl_db/Cargo.toml
workspace: /tmp/renovate/repos/github/Whirlsplash/whirl/Cargo.toml

this may be fixable by adding `crates/whirl_db` to the `workspace.members` array of the manifest located at: /tmp/renovate/repos/github/Whirlsplash/whirl/Cargo.toml
Alternatively, to keep it out of the workspace, add the package to the `workspace.exclude` array, or add an empty `[workspace]` table to the package's manifest.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.