Potential security issue: Possible SQL injection in the SQLx implementation

[weiznich]

The current version of the tower-sessions-sqlx-store crate is vulnerable for sql injections as it uses format! on user provided potentially untrusted inputs:

https://github.com/maxcountryman/tower-sessions/blob/763133104290abb3fc4af6bbfd7a19609cb9fc39/sqlx-store/src/postgres_store.rs#L91

[maxcountryman]

Thanks for flagging this.

Somewhat orthogonal, but there's also an open issue related to how the database URL is parsed: #1

I'm open to reworking this entirely to ensure better security and UX.

[weiznich]

Given my previous interactions with this project I'm not willing to work on a fix. I mostly filled that issue so that users are aware of that issue. It also might be worth to fill a rustsec advisory for this soon.

[maxcountryman]

SQLite and Postgres are protected by their respective input sanitizers. For example:

called `Result::unwrap()` on an `Err` value: "Invalid table name '; drop table users;'. Table names must be alphanumeric and may contain hyphens or underscores."

And MySQL does not allow configuration of the schema or table names and instead they are hardcoded.