fix: assert dynamic sqlx query safety #342

Closed. l50 wants to merge 12 commits into dreadnode:main from l50:fix/sqlx-09-sql-safety

l50 commented May 22, 2026

Key Changes:

  • Wrapped dynamically constructed SQL queries with sqlx safety assertions
  • Preserved parameter binding for all user-controlled values to maintain injection safety
  • Documented why dynamic credential hash queries are safe to assert

Added:

  • Explicit SQL safety assertions for history cost, list, credential search, and hash search queries
  • Inline safety rationale for dynamically built historical hash queries, clarifying that SQL fragments are static and user input remains bound

Changed:

  • Dynamic query execution now uses AssertSqlSafe instead of passing raw query strings directly to sqlx query_as
  • Historical query paths continue using bind parameters while satisfying sqlx requirements for runtime-built SQL strings

l50 and others added 12 commits May 21, 2026 14:31
Renovate skips forks by default. l50/ares is the production target for
this workflow run, so opt in via RENOVATE_FORK_PROCESSING=enabled.

**Key Changes:**

- Added optional remote cracking mode that delegates hashcat jobs to an HTTP service when configured
- Implemented authenticated job submission, polling, timeout handling, and potfile retrieval for remote jobs
- Preserved local hashcat execution as the default path when remote service configuration is absent
- Scoped remote execution to simple wordlist attacks so service-owned GPU and wordlist resources remain isolated

**Added:**

- Remote hashcat client module - Adds HTTP integration for submitting jobs, polling job status, retrieving cracked results, handling bearer authentication, and normalizing local wordlist paths to remote-safe basenames
- Remote service configuration support - Enables remote mode through HASHCAT_SERVICE_URL and requires HASHCAT_TOKEN for authenticated requests
- Remote result handling - Returns crackd logs, potfile contents, remote errors, exit codes, and timeout failures through the existing ToolOutput structure

**Changed:**

- Hashcat cracking flow - Updates crack_with_hashcat to check for remote service configuration first and delegate to the remote backend when available, while keeping the existing local hashcat behavior unchanged otherwise

**Added:**

- Renovate package rule to automerge patch and minor Cargo, Ansible Galaxy, Galaxy collection, and pre-commit updates via PR - .github/renovate.json5

| datasource | package          | from   | to     |
| ---------- | ---------------- | ------ | ------ |
| crate      | local-ip-address | 0.6.12 | 0.6.13 |

Co-authored-by: ares-renovate[bot] <286782180+ares-renovate[bot]@users.noreply.github.com>

| datasource | package    | from    | to      |
| ---------- | ---------- | ------- | ------- |
| crate      | serde_json | 1.0.149 | 1.0.150 |

Co-authored-by: ares-renovate[bot] <286782180+ares-renovate[bot]@users.noreply.github.com>

| datasource | package      | from   | to     |
| ---------- | ------------ | ------ | ------ |
| pypi       | ansible-core | 2.20.5 | 2.21.0 |

Co-authored-by: ares-renovate[bot] <286782180+ares-renovate[bot]@users.noreply.github.com>

| datasource        | package       | from  | to    |
| ----------------- | ------------- | ----- | ----- |
| galaxy-collection | ansible.posix | 2.1.0 | 2.2.0 |

Co-authored-by: ares-renovate[bot] <286782180+ares-renovate[bot]@users.noreply.github.com>

| datasource | package | from  | to    |
| ---------- | ------- | ----- | ----- |
| crate      | sqlx    | 0.8.6 | 0.9.0 |

Co-authored-by: ares-renovate[bot] <286782180+ares-renovate[bot]@users.noreply.github.com>

| datasource        | package           | from   | to     |
| ----------------- | ----------------- | ------ | ------ |
| galaxy-collection | community.general | 12.6.1 | 13.0.0 |

Co-authored-by: ares-renovate[bot] <286782180+ares-renovate[bot]@users.noreply.github.com>

**Removed:**

- Removed the temporary Renovate allowedVersions cap that blocked opentelemetry Rust crates from updating to 0.32 and later versions

**Changed:**

- Wrapped dynamically assembled history queries with `AssertSqlSafe` so sqlx accepts SQL built from static fragments with bound user values - `ares-cli/src/history`
- Documented and applied the same safety assertion to credential hash search queries that construct placeholder lists dynamically - `ares-core/src/persistent_store/queries/credentials.rs`
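
The rationale given in the PR description and in the last commit message (static SQL fragments, a dynamically sized placeholder list, user values bound) shown as an added sketch; it is not code from this PR or from the ares repository. The table and column names, the Postgres-style `$n` placeholders, and the `looks_static` review check are assumptions.

```rust
// Added example, std only; table and column names are hypothetical.
// With sqlx 0.9 the returned `sql` is the string that would be wrapped in
// AssertSqlSafe, and each entry of `binds` would be passed to .bind() in order.

/// Dynamic query text plus the values to bind, kept strictly separate.
pub struct BuiltQuery {
    pub sql: String,
    pub binds: Vec<String>,
}

/// Build a hash lookup with one placeholder per hash and an optional domain filter.
/// Returns None for an empty hash list, because `IN ()` is not valid SQL.
pub fn build_hash_search(hashes: &[&str], domain: Option<&str>) -> Option<BuiltQuery> {
    if hashes.is_empty() {
        return None;
    }
    let mut binds: Vec<String> = Vec::new();
    // Static fragment: never formatted with caller data.
    let mut sql = String::from("SELECT id, username, hash FROM credentials WHERE hash IN (");
    for (i, h) in hashes.iter().enumerate() {
        if i > 0 {
            sql.push_str(", ");
        }
        binds.push((*h).to_string());
        // Only the placeholder index, an integer computed here, reaches the SQL text.
        sql.push_str(&format!("${}", binds.len()));
    }
    sql.push(')');
    if let Some(d) = domain {
        binds.push(d.to_string());
        sql.push_str(&format!(" AND domain = ${}", binds.len()));
    }
    Some(BuiltQuery { sql, binds })
}

/// Review aid: true when the SQL text carries no quote, comment or statement
/// separator tokens and its placeholder count equals the number of bound values.
pub fn looks_static(q: &BuiltQuery) -> bool {
    let no_literals = !q.sql.contains('\'') && !q.sql.contains("--") && !q.sql.contains(';');
    let placeholders = q.sql.matches('$').count();
    no_literals && placeholders == q.binds.len()
}

fn main() {
    // Constructed sample input, including a value containing SQL metacharacters.
    let q = build_hash_search(&["0123456789abcdef", "' OR 1=1 --"], Some("corp.local")).unwrap();
    println!("{}\n{:?}\nstatic: {}", q.sql, q.binds, looks_static(&q));
}
```

The assertion is only as good as this invariant: if any caller-supplied string is ever formatted into `sql`, wrapping it in `AssertSqlSafe` silences the check without making the query safe.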

dreadnode-renovate-bot added the area/pre-commit (Changes made to pre-commit hooks) and area/github (Changes made to GitHub Actions workflows) labels May 22, 2026


l50 commented May 22, 2026

Wrong target repo — closing and opening against l50/ares

l50 closed this May 22, 2026

codecov Bot commented May 22, 2026

Codecov Report

❌ Patch coverage is 6.25000% with 105 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.96%. Comparing base (db1c4ee) to head (a50493a).

| Files with missing lines | Patch % | Lines |
| ------------------------ | ------- | ----- |
| ares-tools/src/cracker/remote.rs | 4.90% | 97 Missing ⚠️ |
| ...s-core/src/persistent_store/queries/credentials.rs | 0.00% | 3 Missing ⚠️ |
| ares-cli/src/history/search.rs | 0.00% | 2 Missing ⚠️ |
| ares-cli/src/history/cost.rs | 0.00% | 1 Missing ⚠️ |
| ares-cli/src/history/list.rs | 0.00% | 1 Missing ⚠️ |
| ares-tools/src/cracker.rs | 66.66% | 1 Missing ⚠️ |

```diff
@@            Coverage Diff             @@
##             main     #342      +/-   ##
==========================================
- Coverage   80.03%   79.96%   -0.07%     
==========================================
  Files         433      434       +1     
  Lines      125577   125682     +105     
==========================================
+ Hits       100500   100507       +7     
- Misses      25077    25175      +98     
```

| Files with missing lines | Coverage Δ |
| ------------------------ | ---------- |
| ares-cli/src/history/cost.rs | 0.00% <0.00%> (ø) |
| ares-cli/src/history/list.rs | 0.00% <0.00%> (ø) |
| ares-tools/src/cracker.rs | 88.28% <66.66%> (-0.20%) ⬇️ |
| ares-cli/src/history/search.rs | 0.00% <0.00%> (ø) |
| ...s-core/src/persistent_store/queries/credentials.rs | 0.00% <0.00%> (ø) |
| ares-tools/src/cracker/remote.rs | 4.90% <4.90%> (ø) |

... and 1 file with indirect coverage changes
