From 2e39c3a8b08c60311ff25fac5b5906e079226169 Mon Sep 17 00:00:00 2001 From: Jon Langevin Date: Fri, 29 May 2026 06:41:19 -0400 Subject: [PATCH] =?UTF-8?q?docs(security):=20ADR=200002=20=E2=80=94=20acce?= =?UTF-8?q?pt=20pgx/v4=20+=20pgproto3/v2=20risk=20(no=20upstream=20fix)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Documents dismissal of Dependabot alerts #23-#25 (pgproto3/v2 DoS, HIGH) and #54-#56 (pgx/v4 SQLi, low). Both packages are at their final vulnerable releases with no patch (fix only in pgx/v5); they are transitive via go-db-credential-refresh/driver v1.2.1 (RDS IAM cred rotation), which has not migrated to pgx/v5. Risk assessed tolerable (DoS needs malicious PG server; SQLi query pattern unused). Alerts dismissed as tolerable_risk with follow-up. Co-Authored-By: Claude Opus 4.8 --- .../0002-pgx-v4-pgproto3-risk-acceptance.md | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 decisions/0002-pgx-v4-pgproto3-risk-acceptance.md diff --git a/decisions/0002-pgx-v4-pgproto3-risk-acceptance.md b/decisions/0002-pgx-v4-pgproto3-risk-acceptance.md new file mode 100644 index 00000000..a824192c --- /dev/null +++ b/decisions/0002-pgx-v4-pgproto3-risk-acceptance.md @@ -0,0 +1,61 @@ +# 2. Accept risk: pgx/v4 + pgproto3/v2 vulnerabilities (no upstream fix) + +Date: 2026-05-29 +Status: Accepted +Context: GitHub Dependabot alerts #23–#25 (high) and #54–#56 (low) + +## Context + +Dependabot reports two advisories against the `database` module and the +`verbose-debug` / `instance-aware-db` examples: + +- **GHSA-jqcq-xjh3-6g23** (HIGH) — Denial of service in + `github.com/jackc/pgproto3/v2` (vulnerable `<= 2.3.3`). +- **GHSA-j88v-2chj-qfwx** (low) — SQL injection via placeholder confusion with + dollar-quoted string literals in `github.com/jackc/pgx/v4` (vulnerable + `<= 4.18.3`). + +Both packages are at their final releases in those major lines +(`pgproto3/v2 v2.3.3`, `pgx/v4 v4.18.3`) and **have no patched version** — the +fix lives only in the `pgx/v5` line. Dependabot reports +`first_patched_version: null` for both. + +These packages are not imported by this repo's own code. They are pulled in +transitively: + +``` +modules/database → github.com/davepgreene/go-db-credential-refresh/driver + → github.com/jackc/pgx/v4/stdlib → pgx/v4, pgproto3/v2 +``` + +`go-db-credential-refresh` (latest `v1.2.1`) is used for AWS RDS IAM +credential rotation (`iam_store_wrapper.go`, `credential_refresh_store.go` via +`driver.NewConnector`). Its `driver` package imports `pgx/v4/stdlib` +unconditionally and the library has not migrated to `pgx/v5`. The examples +inherit the dependency through the local `replace` of the database module. + +## Decision + +**Accept the risk and dismiss the six Dependabot alerts as `tolerable_risk`.** +There is no version bump or `replace` that resolves these (no patched `v4`/`v2` +release exists), and dropping the dependency would mean removing or rewriting +the RDS IAM credential-rotation feature against `pgx/v5` — a substantial, +AWS-integration-testable change disproportionate to the assessed exposure. + +## Risk assessment + +- **pgproto3/v2 DoS (HIGH):** the crash is triggered by a malicious/compromised + Postgres server sending crafted protocol messages. This deployment connects + only to trusted AWS RDS endpoints over IAM auth. Not exposed to untrusted + servers → low real-world risk. +- **pgx/v4 SQLi (low):** requires constructing queries with dollar-quoted + placeholder confusion. The dependency is used here for connection and + credential management (IAM token as password) via `database/sql`, not for + query construction with that pattern → not reachable. + +## Follow-up + +Revisit when `github.com/davepgreene/go-db-credential-refresh` ships a +`pgx/v5`-based driver (or a maintained fork does). At that point bump the +library, drop `pgx/v4`/`pgproto3/v2`, and re-open/auto-resolve the alerts. +Track upstream: https://github.com/davepgreene/go-db-credential-refresh