fix(vulncheck): ignore GO-2026-5004 (pgx/v4, not reachable)#2602

Merged
cstockton merged 1 commit into
masterfrom
cemal/fix-ignore-transitive-cve
Jun 29, 2026
Conversation

@cemalkilic

Contributor

What

Adds GO-2026-5004 to the vulncheck-filter ignore map so make vulncheck passes again.

Why it's safe to ignore

GO-2026-5004 is a SQL injection in pgx's sanitize.SanitizeSQL, reaching us transitively: pop/v6 → pgx/v4/stdlib → pgx/v4.

It only triggers when all of these hold:

  1. the simple query protocol is used (not pgx's default; the extended protocol sends placeholder values as separate bind parameters, so nothing is string-interpolated client-side),
  2. the query contains dollar-quoted string literals,
  3. a value inside that literal looks like a placeholder, and
  4. an attacker controls that value.

We're not impacted:

  • We never use the simple protocol. No PreferSimpleProtocol / SimpleProtocol / QueryExecMode anywhere in the tree: all DB access goes through database/sql → pgx/v4 stdlib → pop/v6 on the default extended protocol, so SanitizeSQL is never exercised.

  • The advisory itself calls it "unlikely to occur outside of a contrived scenario."

Why not fix instead

There is no upstream fix for pgx/v4 (only v5 ≥ 5.9.2 is patched), and pgx/v4 is transitive via pop/v6, so it can't be bumped on its own. Same situation as the existing GO-2026-4518 entry. If we ever opt into the simple protocol, this should be revisited.
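The "never use the simple protocol" argument above is a claim about the source tree that can be enforced rather than re-checked by hand. The following guard is an added example, not code from this PR or the project: it fails when any non-vendored Go file mentions one of the pgx opt-in identifiers the description lists, and it builds a constructed sample tree so it can be run offline.

```shell
#!/bin/sh
# Guard: fail when a first-party Go file opts into pgx's simple query protocol.
# GO-2026-5004 only applies under that protocol, so the ignore entry is valid
# only while this check stays clean. Hypothetical helper, not project code.
# Identifiers that switch pgx (v4 or v5) onto the simple protocol.
SIMPLE_PROTOCOL_PATTERN='PreferSimpleProtocol|SimpleProtocol|QueryExecMode'

# check_no_simple_protocol DIR: returns 0 when no non-vendored Go file under
# DIR mentions an opt-in identifier, 1 otherwise (hits are printed to stderr).
check_no_simple_protocol() {
    hits=$(find "$1" -name '*.go' ! -path '*/vendor/*' -print0 2>/dev/null \
        | xargs -0 grep -En "$SIMPLE_PROTOCOL_PATTERN" /dev/null 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf 'simple protocol opt-in found; revisit the GO-2026-5004 ignore:\n%s\n' \
            "$hits" >&2
        return 1
    fi
    return 0
}

# make_sample_tree DIR MODE: constructed sample tree for demonstration.
# MODE "clean" mirrors the PR's claim (database/sql over the pgx stdlib driver,
# default extended protocol); MODE "optin" adds the config change the guard must
# catch. The vendored pgx copy mentions the option but vendor/ is excluded.
make_sample_tree() {
    mkdir -p "$1/internal/storage" "$1/vendor/github.com/jackc/pgx/v4"
    cat > "$1/internal/storage/db.go" <<'EOF'
package storage

import "database/sql"

// Open uses database/sql over the pgx stdlib driver; placeholder values
// travel as bind parameters and are never interpolated client-side.
func Open(dsn string) (*sql.DB, error) { return sql.Open("pgx", dsn) }
EOF
    printf 'package pgx\n\ntype ConnConfig struct{ PreferSimpleProtocol bool }\n' \
        > "$1/vendor/github.com/jackc/pgx/v4/conn.go"
    if [ "$2" = "optin" ]; then
        printf 'package storage\n\nimport "github.com/jackc/pgx/v4"\n\n' \
            > "$1/internal/storage/simple.go"
        printf 'func Config(c *pgx.ConnConfig) { c.PreferSimpleProtocol = true }\n' \
            >> "$1/internal/storage/simple.go"
    fi
}

# Invoked directly with a path: check that tree and exit with the result.
if [ $# -gt 0 ]; then
    check_no_simple_protocol "$1"
fi
```

Wiring it into the same make target that runs vulncheck makes the ignore entry self-expiring: the day someone sets PreferSimpleProtocol, the build fails and the advisory has to be re-evaluated.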

@cemalkilic cemalkilic requested a review from a team as a code owner June 29, 2026 12:08
@cstockton cstockton merged commit f1cc16f into master Jun 29, 2026
12 checks passed
@cstockton cstockton deleted the cemal/fix-ignore-transitive-cve branch June 29, 2026 13:16
cstockton pushed a commit that referenced this pull request Jun 29, 2026
🤖 I have created a release *beep* *boop*
---

## [2.192.0](v2.191.0...v2.192.0) (2026-06-29)

### Features

* **custom-oauth:** add per-provider custom_claims_allowlist ([#2576](#2576)) ([acecb06](acecb06))

### Bug Fixes

* **tests:** rely on error codes for hooks tests to work across PG backends ([ee91c5f](ee91c5f))
* **vulncheck:** ignore GO-2026-5004 (pgx/v4, not reachable) ([#2602](#2602)) ([f1cc16f](f1cc16f))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>