Audit all use of `push_sql` + `format!` within `nexus/db-queries` to prevent SQL Injection

[smklein]

Diesel uses the 'bind' method (See SqlQuery::bind for one example, but there are other variations) to ensure that variables within SQL statements are escaped property, avoiding SQL injection.

This is generally done automatically -- for a query like:

let data = animals
    .select(species)
    .filter(name.eq("; DROP TABLE USERS; "))
    .first::<String>(connection)?;

The argument to .eq is AsExpression, which treats this argument as data to be escaped before placing it in the query.

From the Diesel docs:

Implementations of [AsExpression] will generally...
... Indicate that the type has data which will be sent separately from the query. This is generally referred as a “bind parameter”. Types which implement ToSql will generally implement AsExpression this way.

That works through the ToSql trait, which basically encapsulates "how to shove a value into the protocol which gets sent to the DB".

For vanilla Diesel, this is fine, and this usage should not be susceptible to injection attacks -- preventing this is the responsibility of those ToSql and AsExpression traits.

However, nexus/db-queries has some spots where it constructs more complicated queries, relying on traits like QueryFragment to construct SQL queries from strings. Here's one such example:

omicron/nexus/db-queries/src/db/queries/vpc.rs

Lines 85 to 99 in 9a1f6bc

	impl QueryFragment<Pg> for InsertVpcQuery {
	fn walk_ast<'a>(
	&'a self,
	mut out: AstPass<'_, 'a, Pg>,
	) -> diesel::QueryResult<()> {
	out.push_sql("SELECT ");
	out.push_bind_param::<sql_types::Uuid, Uuid>(&self.vpc.identity.id)?;
	out.push_sql(" AS ");
	out.push_identifier(dsl::id::NAME)?;
	out.push_sql(", ");
	out.push_bind_param::<sql_types::Text, Name>(&self.vpc.identity.name)?;
	out.push_sql(" AS ");
	out.push_identifier(dsl::name::NAME)?;
	out.push_sql(", ");

Using this interface correctly means:

• All identifiers should be added with push_identifier
• All bind parameters should be added with push_bind_param
• All FULLY STATIC SQL should be added with push_sql.

Note that "fully static SQL" is not actually enforced by the type system -- if you wanted to add a string constructed via format! here, you could.

• Audit all usage of push_sql
• Write property tests to confirm that SQL injection via APIs is unlikely
• Document this property somewhere?

[smklein]

Looking for push_sql cases where the argument is not static...

In my opinion, these should all be patched, but I'm also trying to weigh-in on the risk-of-exploitation here, to help prioritize:

omicron/nexus/db-queries/src/db/true_or_cast_error.rs

Line 71 in 9a1f6bc

out.push_sql(self.error);

• self.error is a &'static str here, so the risk is pretty low, unless we actively chose to compile a SQL injection into our error messages.

omicron/nexus/db-queries/src/db/alias.rs

Line 81 in 9a1f6bc

out.push_sql(&self.name);

• self.name is also a &'static str, so again, the risk is low for the same reasons as the TrueOrCastError case.

omicron/nexus/db-queries/src/db/collection_attach.rs

Lines 520 to 523 in 9a1f6bc

	out.push_sql(
	&format!(" FROM resource_info) AND (SELECT * FROM resource_count) < {}, TRUE,FALSE)), ",
	self.max_attached_resources)
	);

• self.max_attached_resources is a u32, so though it could be "any" u32 from the point-of-view of the type system, it cannot be a string.

[smklein]

To tie this all together, I wrote up diesel-rs/diesel#3807 with a proposal for a more restrictive interface from Diesel.