GHSA-jc55-246c-r88f: SurrealDB has an Uncaught Exception Handling Nonexistent Role

November 22, 2024

Roles for system users are stored as generic Ident values and converted as strings and into the Role enum whenever IAM operations are to be performed that require processing the user roles. This conversion expects those identifiers to only contain the values owner, editor and viewer and will return an error otherwise. However, the unwrap() method would be called on this result when implementing std::convert::From<&Ident> for Role, which would result in a panic where a nonexistent role was used.

References

github.com/advisories/GHSA-jc55-246c-r88f
github.com/surrealdb/surrealdb
github.com/surrealdb/surrealdb/pull/5079
github.com/surrealdb/surrealdb/pull/5092
github.com/surrealdb/surrealdb/security/advisories/GHSA-jc55-246c-r88f

Detect and mitigate GHSA-jc55-246c-r88f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →