From 0bca63a28d757325fe3ba094ad9b7b6853b8d25c Mon Sep 17 00:00:00 2001 From: dannyneira <16809145+dannyneira@users.noreply.github.com> Date: Sat, 16 May 2026 16:13:21 +0000 Subject: [PATCH] fix: update diesel to resolve GHSA-h5x4-m2qf-r4f2 Co-Authored-By: Oz --- diesel/Cargo.toml | 4 +- diesel/src/connection/mod.rs | 2 +- diesel/src/lib.rs | 1 + diesel/src/sqlite/connection/sqlite_value.rs | 17 ++-- .../src/sqlite/types/date_and_time/chrono.rs | 96 +++++++++---------- diesel/src/sqlite/types/mod.rs | 2 +- diesel_cli/Cargo.toml | 4 +- diesel_derives/Cargo.toml | 2 +- diesel_derives/src/field.rs | 2 +- diesel_derives/src/meta.rs | 2 +- diesel_migrations/Cargo.toml | 2 +- .../migrations_macros/Cargo.toml | 2 +- diesel_tests/Cargo.toml | 2 +- 13 files changed, 66 insertions(+), 72 deletions(-) diff --git a/diesel/Cargo.toml b/diesel/Cargo.toml index 6da8b7be4d05..e5cbd86de2c4 100644 --- a/diesel/Cargo.toml +++ b/diesel/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "diesel" -version = "2.0.0" +version = "2.3.8" authors = ["Sean Griffin "] license = "MIT OR Apache-2.0" description = "A safe, extensible ORM and Query Builder for PostgreSQL, SQLite, and MySQL" @@ -16,7 +16,7 @@ edition = "2018" byteorder = "1.0" chrono = { version = "0.4.19", optional = true, default-features = false, features = ["clock", "std"] } libc = { version = "0.2.0", optional = true } -libsqlite3-sys = { version = ">=0.8.0, <0.24.0", optional = true, features = ["bundled_bindings"] } +libsqlite3-sys = { version = ">=0.25.1, <0.38.0", optional = true, features = ["bundled_bindings"] } mysqlclient-sys = { version = "0.2.0", optional = true } pq-sys = { version = "0.4.0", optional = true } quickcheck = { version = "0.9.0", optional = true } diff --git a/diesel/src/connection/mod.rs b/diesel/src/connection/mod.rs index 86ee9cc760c7..05aa8e3422c6 100644 --- a/diesel/src/connection/mod.rs +++ b/diesel/src/connection/mod.rs @@ -234,7 +234,7 @@ where } } -impl dyn BoxableConnection { +impl dyn BoxableConnection { /// Downcast the current connection to a specific connection /// type. /// diff --git a/diesel/src/lib.rs b/diesel/src/lib.rs index b3ff94074057..9fb0c75467e7 100644 --- a/diesel/src/lib.rs +++ b/diesel/src/lib.rs @@ -94,6 +94,7 @@ #![cfg_attr(feature = "unstable", feature(trait_alias))] // Built-in Lints #![deny(warnings)] +#![allow(ambiguous_glob_reexports)] #![warn( missing_debug_implementations, missing_copy_implementations, diff --git a/diesel/src/sqlite/connection/sqlite_value.rs b/diesel/src/sqlite/connection/sqlite_value.rs index 7707e95e64d6..caf2852b4fc5 100644 --- a/diesel/src/sqlite/connection/sqlite_value.rs +++ b/diesel/src/sqlite/connection/sqlite_value.rs @@ -66,26 +66,20 @@ impl<'a, 'b> SqliteValue<'a, 'b> { } } - pub(crate) fn parse_string<'c, R>(&'c self, f: impl FnOnce(&'c str) -> R) -> R { + pub(crate) fn read_text(&self) -> Result<&str, str::Utf8Error> { let s = unsafe { let ptr = ffi::sqlite3_value_text(self.value.as_ptr()); let len = ffi::sqlite3_value_bytes(self.value.as_ptr()); let bytes = slice::from_raw_parts(ptr as *const u8, len as usize); - // The string is guaranteed to be utf8 according to - // https://www.sqlite.org/c3ref/value_blob.html - str::from_utf8_unchecked(bytes) + str::from_utf8(bytes) }; - f(s) - } - - pub(crate) fn read_text(&self) -> &str { - self.parse_string(|s| s) + s } pub(crate) fn read_blob(&self) -> &[u8] { unsafe { - let ptr = ffi::sqlite3_value_blob(self.value.as_ptr()); let len = ffi::sqlite3_value_bytes(self.value.as_ptr()); + let ptr = ffi::sqlite3_value_blob(self.value.as_ptr()); if len == 0 { // rusts std-lib has an debug_assert that prevents creating // slices without elements from a pointer @@ -120,7 +114,8 @@ impl<'a, 'b> SqliteValue<'a, 'b> { _ => unreachable!( "Sqlite's documentation state that this case ({}) is not reachable. \ If you ever see this error message please open an issue at \ - https://github.com/diesel-rs/diesel." + https://github.com/diesel-rs/diesel.", + tpe ), } } diff --git a/diesel/src/sqlite/types/date_and_time/chrono.rs b/diesel/src/sqlite/types/date_and_time/chrono.rs index fa8867a031cc..a9bc715ca3d3 100644 --- a/diesel/src/sqlite/types/date_and_time/chrono.rs +++ b/diesel/src/sqlite/types/date_and_time/chrono.rs @@ -13,9 +13,8 @@ const SQLITE_DATE_FORMAT: &str = "%F"; impl FromSql for NaiveDate { fn from_sql(value: backend::RawValue) -> deserialize::Result { - value - .parse_string(|s| Self::parse_from_str(s, SQLITE_DATE_FORMAT)) - .map_err(Into::into) + let text = value.read_text()?; + Self::parse_from_str(text, SQLITE_DATE_FORMAT).map_err(Into::into) } } @@ -28,21 +27,20 @@ impl ToSql for NaiveDate { impl FromSql for NaiveTime { fn from_sql(value: backend::RawValue) -> deserialize::Result { - value.parse_string(|text| { - let valid_time_formats = &[ - // Most likely - "%T%.f", // All other valid formats in order of documentation - "%R", "%RZ", "%T%.fZ", "%R%:z", "%T%.f%:z", - ]; - - for format in valid_time_formats { - if let Ok(time) = Self::parse_from_str(text, format) { - return Ok(time); - } + let text = value.read_text()?; + let valid_time_formats = &[ + // Most likely + "%T%.f", // All other valid formats in order of documentation + "%R", "%RZ", "%T%.fZ", "%R%:z", "%T%.f%:z", + ]; + + for format in valid_time_formats { + if let Ok(time) = Self::parse_from_str(text, format) { + return Ok(time); } + } - Err(format!("Invalid time {}", text).into()) - }) + Err(format!("Invalid time {}", text).into()) } } @@ -55,43 +53,43 @@ impl ToSql for NaiveTime { impl FromSql for NaiveDateTime { fn from_sql(value: backend::RawValue) -> deserialize::Result { - value.parse_string(|text| { - let sqlite_datetime_formats = &[ - // Most likely format - "%F %T%.f", - // Other formats in order of appearance in docs - "%F %R", - "%F %RZ", - "%F %R%:z", - "%F %T%.fZ", - "%F %T%.f%:z", - "%FT%R", - "%FT%RZ", - "%FT%R%:z", - "%FT%T%.f", - "%FT%T%.fZ", - "%FT%T%.f%:z", - ]; - - for format in sqlite_datetime_formats { - if let Ok(dt) = Self::parse_from_str(text, format) { - return Ok(dt); - } + let text = value.read_text()?; + let sqlite_datetime_formats = &[ + // Most likely format + "%F %T%.f", + // Other formats in order of appearance in docs + "%F %R", + "%F %RZ", + "%F %R%:z", + "%F %T%.fZ", + "%F %T%.f%:z", + "%FT%R", + "%FT%RZ", + "%FT%R%:z", + "%FT%T%.f", + "%FT%T%.fZ", + "%FT%T%.f%:z", + ]; + + for format in sqlite_datetime_formats { + if let Ok(dt) = Self::parse_from_str(text, format) { + return Ok(dt); } + } - if let Ok(julian_days) = text.parse::() { - let epoch_in_julian_days = 2_440_587.5; - let seconds_in_day = 86400.0; - let timestamp = (julian_days - epoch_in_julian_days) * seconds_in_day; - let seconds = timestamp as i64; - let nanos = (timestamp.fract() * 1E9) as u32; - if let Some(timestamp) = Self::from_timestamp_opt(seconds, nanos) { - return Ok(timestamp); - } + if let Ok(julian_days) = text.parse::() { + let epoch_in_julian_days = 2_440_587.5; + let seconds_in_day = 86400.0; + let timestamp = (julian_days - epoch_in_julian_days) * seconds_in_day; + let seconds = timestamp as i64; + let nanos = (timestamp.fract() * 1E9) as u32; + #[allow(deprecated)] + if let Some(timestamp) = Self::from_timestamp_opt(seconds, nanos) { + return Ok(timestamp); } + } - Err(format!("Invalid datetime {}", text).into()) - }) + Err(format!("Invalid datetime {}", text).into()) } } diff --git a/diesel/src/sqlite/types/mod.rs b/diesel/src/sqlite/types/mod.rs index 3d96ae2c6206..be91373d6423 100644 --- a/diesel/src/sqlite/types/mod.rs +++ b/diesel/src/sqlite/types/mod.rs @@ -16,7 +16,7 @@ use crate::sql_types; /// `FromSql` impl FromSql for *const str { fn from_sql(value: SqliteValue<'_, '_>) -> deserialize::Result { - let text = value.read_text(); + let text = value.read_text()?; Ok(text as *const _) } } diff --git a/diesel_cli/Cargo.toml b/diesel_cli/Cargo.toml index 9bc80b7a2979..5d0abce6005a 100644 --- a/diesel_cli/Cargo.toml +++ b/diesel_cli/Cargo.toml @@ -26,13 +26,13 @@ heck = "0.3.1" serde = { version = "1.0.0", features = ["derive"] } toml = "0.5" url = { version = "2.1.0", optional = true } -libsqlite3-sys = { version = ">=0.8.0, <0.24.0", optional = true, features = ["min_sqlite_version_3_7_16"] } +libsqlite3-sys = { version = ">=0.25.1, <0.38.0", optional = true, features = ["min_sqlite_version_3_7_16"] } diffy = "0.2.0" regex = "1.0.6" serde_regex = "1.1" [dependencies.diesel] -version = "~2.0.0" +version = "~2.3.8" path = "../diesel" default-features = false diff --git a/diesel_derives/Cargo.toml b/diesel_derives/Cargo.toml index 7df9b103d8c8..f6ba3f1acec7 100644 --- a/diesel_derives/Cargo.toml +++ b/diesel_derives/Cargo.toml @@ -20,7 +20,7 @@ cfg-if = "1" dotenv = "0.15" [dev-dependencies.diesel] -version = "~2.0.0" +version = "~2.3.8" path = "../diesel" [lib] diff --git a/diesel_derives/src/field.rs b/diesel_derives/src/field.rs index 9bfe979f1b6c..b6aa2b6def9d 100644 --- a/diesel_derives/src/field.rs +++ b/diesel_derives/src/field.rs @@ -100,7 +100,7 @@ impl Field { } } - pub fn ty_for_deserialize(&self) -> Result, Diagnostic> { + pub fn ty_for_deserialize(&self) -> Result, Diagnostic> { if let Some(meta) = self.flags.nested_item("deserialize_as")? { meta.ty_value().map(Cow::Owned) } else { diff --git a/diesel_derives/src/meta.rs b/diesel_derives/src/meta.rs index 976c44d337a4..23b20a88c4fb 100644 --- a/diesel_derives/src/meta.rs +++ b/diesel_derives/src/meta.rs @@ -149,7 +149,7 @@ impl MetaItem { } } - pub fn nested(&self) -> Result { + pub fn nested(&self) -> Result, Diagnostic> { use syn::Meta::*; match self.meta { diff --git a/diesel_migrations/Cargo.toml b/diesel_migrations/Cargo.toml index 7af4954240e9..2c38d7b7a0ab 100644 --- a/diesel_migrations/Cargo.toml +++ b/diesel_migrations/Cargo.toml @@ -22,7 +22,7 @@ cfg-if = "1.0.0" tempfile = "3.2" [dependencies.diesel] -version = "~2.0.0" +version = "~2.3.8" path = "../diesel" default-features = false diff --git a/diesel_migrations/migrations_macros/Cargo.toml b/diesel_migrations/migrations_macros/Cargo.toml index 0a4d5f010cde..157116ad0ce0 100644 --- a/diesel_migrations/migrations_macros/Cargo.toml +++ b/diesel_migrations/migrations_macros/Cargo.toml @@ -21,7 +21,7 @@ dotenv = "0.15" cfg-if = "1.0.0" [dev-dependencies.diesel] -version = "~2.0.0" +version = "~2.3.8" path = "../../diesel" default-features = false diff --git a/diesel_tests/Cargo.toml b/diesel_tests/Cargo.toml index 21a1be80b4c6..8a9f5826025b 100644 --- a/diesel_tests/Cargo.toml +++ b/diesel_tests/Cargo.toml @@ -19,7 +19,7 @@ serde_json = { version=">=0.9, <2.0" } ipnetwork = ">=0.12.2, <0.19.0" bigdecimal = ">= 0.0.13, < 0.4.0" rand = "0.7" -libsqlite3-sys = { version = "0.23", optional = true } +libsqlite3-sys = { version = ">=0.25.1, <0.38.0", optional = true } [features] default = []