github.com/jackc/pgx known bugs

Ecosystem: go

4 known bugs in github.com/jackc/pgx, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.

Known bugs
pgx SQL Injection via Protocol Message Size Overflow
Severity: high | Affected: any | Fixed in: 4.18.2 | Status: fixed | Source: osv:GHSA-mrww-27vc-gghv

### Impact

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

### Patches

The problem is resolved in v4.18.2 and v5.5.4.

### Workarounds

Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

pgx SQL Injection via Line Comment Creation
Severity: high | Affected: any | Fixed in: 4.18.2 | Status: fixed | Source: osv:GHSA-m7wr-2xf7-cm9p

### Impact

SQL injection can occur when all of the following conditions are met:

1. The non-default simple protocol is used.
2. A placeholder for a numeric value must be immediately preceded by a minus.
3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
4. Both parameter values must be user-controlled.

e.g. simple mode must be enabled:

```go
// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true
```

Parameterized query:

```sql
SELECT * FROM example WHERE result=-$1 OR name=$2;
```

Parameter values: `$1` => `-42`, `$2` => `"foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"`

Resulting query after preparation:

```sql
SELECT * FROM example WHERE result=--42 OR name= 'foo
 1 AND 1=0 UNION SELECT * FROM secrets; --';
```

### Patches

The problem is resolved in v4.18.2.

### Workarounds

Do not use the simple protocol or do not place a minus directly before a placeholder.

SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx
Severity: medium | Affected: any | Fixed in: 2.3.3 | Status: fixed | Source: osv:GO-2024-2606

An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.

SQL injection in github.com/jackc/pgx/v4
Severity: medium | Affected: any | Fixed in: 4.18.2 | Status: fixed | Source: osv:GO-2024-2605

SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.
API access

Get this data programmatically: free, no authentication.

curl https://depscope.dev/api/bugs/go/github.com/jackc/pgx