fix(ext/node): restrict ATTACH DATABASE statement (#28513)

littledivy · ry · commit 31a97803995b · 2025-03-20T20:55:43.000-07:00
Disable `ATTACH DATABASE` statement in `node:sqlite` since it is not
supervised by Deno's permission system
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -70,10 +70,10 @@ eszip = "0.83.0"
 napi_sym = { version = "0.125.0", path = "./ext/napi/sym" }
 test_util = { package = "test_server", path = "./tests/util/server" }
 
-denokv_proto = "0.9.0"
-denokv_remote = "0.9.0"
+denokv_proto = "0.10.0"
+denokv_remote = "0.10.0"
 # denokv_sqlite brings in bundled sqlite if we don't disable the default features
-denokv_sqlite = { default-features = false, version = "0.9.0" }
+denokv_sqlite = { default-features = false, version = "0.10.0" }
 
 # exts
 deno_broadcast_channel = { version = "0.189.0", path = "./ext/broadcast_channel" }
@@ -269,7 +269,7 @@ regex = "^1.7.0"
 reqwest = { version = "=0.12.5", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli", "socks", "json", "http2"] } # pinned because of https://github.com/seanmonstar/reqwest/pull/1955
 ring = "^0.17.0"
 ripemd = "0.1.3"
-rusqlite = { version = "0.32.0", features = ["unlock_notify", "bundled", "session"] }
+rusqlite = { version = "0.34.0", features = ["unlock_notify", "bundled", "session", "modern_sqlite", "limits"] } # "modern_sqlite": need sqlite >= 3.49.0 for some db configs
 rustc-hash = "2.1.1"
 rustls = { version = "0.23.11", default-features = false, features = ["logging", "std", "tls12", "ring"] }
 rustls-pemfile = "2"
diff --git a/ext/node/Cargo.toml b/ext/node/Cargo.toml
@@ -57,7 +57,6 @@ idna.workspace = true
 ipnetwork.workspace = true
 k256.workspace = true
 libc.workspace = true
-libsqlite3-sys.workspace = true
 libz-sys.workspace = true
 md-5 = { workspace = true, features = ["oid"] }
 md4.workspace = true
diff --git a/ext/node/ops/sqlite/database.rs b/ext/node/ops/sqlite/database.rs
@@ -15,13 +15,18 @@ use deno_core::v8;
 use deno_core::GarbageCollected;
 use deno_core::OpState;
 use deno_permissions::PermissionsContainer;
+use rusqlite::ffi as libsqlite3_sys;
+use rusqlite::limits::Limit;
 use serde::Deserialize;
 
 use super::session::SessionOptions;
 use super::Session;
 use super::SqliteError;
 use super::StatementSync;
 
+const SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION: i32 = 1005;
+const SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE: i32 = 1021;
+
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct DatabaseSyncOptions {
@@ -61,31 +66,89 @@ pub struct DatabaseSync {
 
 impl GarbageCollected for DatabaseSync {}
 
+fn set_db_config(
+  conn: &rusqlite::Connection,
+  config: i32,
+  value: bool,
+) -> bool {
+  // SAFETY: call to sqlite3_db_config is safe because the connection
+  // handle is valid and the parameters are correct.
+  unsafe {
+    let mut set = 0;
+    let r = libsqlite3_sys::sqlite3_db_config(
+      conn.handle(),
+      config,
+      value as i32,
+      &mut set,
+    );
+
+    if r != libsqlite3_sys::SQLITE_OK {
+      panic!("Failed to set db config");
+    }
+
+    set == value as i32
+  }
+}
+
 fn open_db(
   state: &mut OpState,
   readonly: bool,
   location: &str,
 ) -> Result<rusqlite::Connection, SqliteError> {
   if location == ":memory:" {
-    return Ok(rusqlite::Connection::open_in_memory()?);
+    let conn = rusqlite::Connection::open_in_memory()?;
+    assert!(set_db_config(
+      &conn,
+      SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE,
+      false
+    ));
+    assert!(set_db_config(
+      &conn,
+      SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION,
+      false
+    ));
+
+    conn.set_limit(Limit::SQLITE_LIMIT_ATTACHED, 0)?;
+    return Ok(conn);
   }
 
   state
     .borrow::<PermissionsContainer>()
     .check_read_with_api_name(location, Some("node:sqlite"))?;
 
   if readonly {
-    return Ok(rusqlite::Connection::open_with_flags(
+    let conn = rusqlite::Connection::open_with_flags(
       location,
       rusqlite::OpenFlags::SQLITE_OPEN_READ_ONLY,
-    )?);
+    )?;
+    assert!(set_db_config(
+      &conn,
+      SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE,
+      false
+    ));
+    assert!(set_db_config(
+      &conn,
+      SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION,
+      false
+    ));
+
+    conn.set_limit(Limit::SQLITE_LIMIT_ATTACHED, 0)?;
+    return Ok(conn);
   }
 
   state
     .borrow::<PermissionsContainer>()
     .check_write_with_api_name(location, Some("node:sqlite"))?;
 
-  Ok(rusqlite::Connection::open(location)?)
+  let conn = rusqlite::Connection::open(location)?;
+  assert!(set_db_config(
+    &conn,
+    SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION,
+    false
+  ));
+  conn.set_limit(Limit::SQLITE_LIMIT_ATTACHED, 0)?;
+
+  Ok(conn)
 }
 
 // Represents a single connection to a SQLite database.
diff --git a/ext/node/ops/sqlite/session.rs b/ext/node/ops/sqlite/session.rs
@@ -7,7 +7,7 @@ use std::rc::Rc;
 
 use deno_core::op2;
 use deno_core::GarbageCollected;
-use libsqlite3_sys as ffi;
+use rusqlite::ffi;
 use serde::Deserialize;
 
 use super::SqliteError;
diff --git a/ext/node/ops/sqlite/statement.rs b/ext/node/ops/sqlite/statement.rs
@@ -8,7 +8,7 @@ use deno_core::op2;
 use deno_core::v8;
 use deno_core::v8::GetPropertyNamesArgs;
 use deno_core::GarbageCollected;
-use libsqlite3_sys as ffi;
+use rusqlite::ffi;
 use serde::Serialize;
 
 use super::SqliteError;
diff --git a/tests/unit_node/sqlite_test.ts b/tests/unit_node/sqlite_test.ts
@@ -153,6 +153,17 @@ Deno.test({
       );
       db.close();
     }
+    {
+      const db = new DatabaseSync(":memory:");
+      assertThrows(
+        () => {
+          db.exec("ATTACH DATABASE 'test.db' AS test");
+        },
+        Error,
+        "too many attached databases - max 0",
+      );
+      db.close();
+    }
   },
 });
 
