fix: replace from_utf8_unchecked with from_utf8 in SQLite column name handling #4221
Merged
abonander merged 2 commits into launchbadge:main (Apr 9, 2026)
…andle

Replace all uses of `from_utf8_unchecked` with safe `from_utf8` in the SQLite statement handle to fix a soundness issue. SQLite allows non-UTF-8 column names via its C API, but `from_utf8_unchecked` assumes valid UTF-8 without checking. This can produce invalid `&str` values through a safe public API, which is undefined behavior in Rust. Using `from_utf8().expect()` instead converts potential UB into a defined panic with a clear message. There is no behavioral change for valid UTF-8 inputs, which covers all practical usage.

Fixes launchbadge#4192
abonander approved these changes on Apr 9, 2026
| from_utf8_unchecked(CStr::from_ptr(raw).to_bytes()) | ||
| from_utf8(CStr::from_ptr(raw).to_bytes()) | ||
| .expect("sqlite3_sql() returned non-UTF-8 string") |
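Review bot: the `.expect("sqlite3_sql() returned non-UTF-8 string")` on the `+` line makes a panic reachable from data the driver does not control at compile time (the SQL text and schema identifiers SQLite hands back at runtime), so a single non-UTF-8 identifier in a database file can now abort the process instead of producing UB. That is the right trade for this PR, but the same `from_utf8(...)` result could be routed through `map_err` into the driver's error type so callers can recover; keeping the message that names the C API function is worth preserving either way, since it makes the failing call site obvious in logs.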
abonander (Collaborator):
Turning these into panics is a step up from undefined behavior but long-term we might want to make this a recoverable error.
This is fine to merge as-is, I just wanted to get that on record.
Summary

Fixes #4192

The SQLite driver uses `from_utf8_unchecked()` to convert C strings returned by SQLite's C API (column names, table names, etc.) into Rust `&str` values. This is a soundness violation: SQLite does not guarantee that these strings are valid UTF-8, and `from_utf8_unchecked` on non-UTF-8 input produces an invalid `&str`, which is undefined behavior in Rust.

What's wrong

SQLite's C API functions like `sqlite3_column_name()`, `sqlite3_column_table_name()`, `sqlite3_column_origin_name()`, `sqlite3_column_database_name()`, `sqlite3_column_decltype()`, `sqlite3_bind_parameter_name()`, and `sqlite3_sql()` can all return non-UTF-8 strings. The previous code used `from_utf8_unchecked` on these return values, which:

- `&str` values must be valid UTF-8
- `unsafe` required by the caller

The fix

All 8 call sites in `sqlx-sqlite/src/statement/handle.rs` are replaced:

- `from_utf8_unchecked(...)` becomes `from_utf8(...).expect("descriptive message")`
- the `from_utf8_unchecked` import is removed

This converts potential undefined behavior into a defined panic with a clear error message identifying which SQLite C API function returned non-UTF-8 data.

Behavioral impact

- Valid UTF-8 input: `from_utf8` returns `Ok` and `.expect()` unwraps it, producing the same `&str` as before.
- Non-UTF-8 input: instead of an invalid `&str` (UB), the program panics with a clear message. This is the correct behavior since the rest of the codebase assumes valid UTF-8 strings.
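The example below is added here to show the two conversions side by side: the validate-then-panic shape this PR adopts for the `handle.rs` call sites, and the recoverable `Result` shape raised in the review comment. It is not sqlx code; `CStrError`, `to_str_or_panic`, `to_str_checked` and `raw_cstr_to_str` are hypothetical names, and the Latin-1 column name is a constructed sample standing in for what `sqlite3_column_name()` can return for a non-UTF-8 identifier.

```rust
// Added example (not sqlx code). Names and the error type are hypothetical;
// the byte strings are constructed samples, not captured from SQLite.
use std::ffi::{CStr, CString};
use std::os::raw::c_char;
use std::str::{self, Utf8Error};

/// Error for the recoverable conversion suggested in review.
#[derive(Debug, PartialEq, Eq)]
pub enum CStrError {
    /// The C API handed back a NULL pointer.
    Null,
    /// The bytes were not valid UTF-8; the raw bytes are kept for diagnostics.
    NotUtf8 { bytes: Vec<u8>, error: Utf8Error },
}

/// What this PR does: validate, and panic with a message that names the C API
/// function. For valid UTF-8 the result is identical to the old unchecked path.
pub fn to_str_or_panic<'a>(bytes: &'a [u8], api_fn: &str) -> &'a str {
    str::from_utf8(bytes).unwrap_or_else(|_| panic!("{api_fn} returned non-UTF-8 string"))
}

/// The recoverable alternative: no panic, the caller decides what to do.
pub fn to_str_checked(bytes: &[u8]) -> Result<&str, CStrError> {
    str::from_utf8(bytes).map_err(|error| CStrError::NotUtf8 {
        bytes: bytes.to_vec(),
        error,
    })
}

/// Thin wrapper over a raw pointer, the shape of the `handle.rs` call sites.
///
/// # Safety
/// `raw` must be null or point to a NUL-terminated string that stays valid for `'a`.
pub unsafe fn raw_cstr_to_str<'a>(raw: *const c_char) -> Result<&'a str, CStrError> {
    if raw.is_null() {
        return Err(CStrError::Null);
    }
    // SAFETY: the caller guarantees `raw` is a valid NUL-terminated string.
    let bytes = unsafe { CStr::from_ptr(raw) }.to_bytes();
    to_str_checked(bytes)
}

/// Constructed sample: a column name encoded as Latin-1 ("caf\xE9"), which a
/// CREATE TABLE statement can introduce without SQLite rejecting it.
pub fn latin1_column_name() -> CString {
    CString::new(vec![b'c', b'a', b'f', 0xE9]).expect("no interior NUL")
}

fn main() {
    let ok = CString::new("user_id").expect("no interior NUL");
    // Ok("user_id")
    println!("{:?}", unsafe { raw_cstr_to_str(ok.as_ptr()) });
    let bad = latin1_column_name();
    // Err(NotUtf8 { bytes: [99, 97, 102, 233], .. }) instead of UB or a panic
    println!("{:?}", unsafe { raw_cstr_to_str(bad.as_ptr()) });
}
```

The `unsafe` surface stays limited to the pointer dereference; the UTF-8 check itself is safe code, which is the point of the fix. A driver that wants to avoid aborting on a hostile or corrupted database file would thread `CStrError` into its own error type rather than calling `.expect()`.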