
`cargo install cargo-sqlx` should work

Open Arjentix opened this issue 7 months ago • 2 comments

I have found these related issues/pull requests

Haven't found any

Description

In the Rust ecosystem it's more common to name CLI packages for cargo as cargo-my-package, so for sqlx I'd suggest cargo-sqlx. I understand that sqlx-cli may be positioned as not just a cargo extension.

The reason I'm suggesting this is that I got an error in my code advising me to run cargo sqlx prepare. I didn't have sqlx-cli installed, and the first thing I tried was cargo install cargo-sqlx; glad it didn't work and forced me to look up how to properly install sqlx-cli.

This naming inconvenience creates a vulnerability for phishing attacks if someone publishes a crate with this name. And considering the fact that database data is often quite sensitive, it would be very bad.

I suggest either renaming sqlx-cli to cargo-sqlx, or showing an error message with just sqlx prepare, or together with an installation step.

Reproduction steps

Set SQLX_OFFLINE=true and DATABASE_URL in your environment.

In Rust code, use for example query_as_unchecked!.

SQLx version

0.8.5

Enabled SQLx features

macros

Database server and version

Postgres

Operating system

macOS

Rust version

rustc 1.84.0 (9fc6b4312 2025-01-07)

Arjentix, May 22 '25 14:05

Fortunately, there is no vulnerability because we reserved cargo-sqlx way back when we first launched. Thus, we can guarantee that cargo install cargo-sqlx will, at worst, do nothing. Typo-squatting is still a possible attack, but there's not much we can do about that without squatting a lot more names, and the crates.io team would pretty quickly take anything like that down at our request if it's clearly malicious.

I understand that sqlx-cli may be positioned as not just cargo extension.

In fact, 90% of the functionality has nothing to do with the Cargo integration. The primary function of the sqlx command is to manage databases and migrations. The only reason it's all in one package was to share code. That, and it's a lot more convenient to cargo install sqlx-cli and get both tools.

I have seen people get confused by this before, but I don't think I like the idea of splitting or aliasing the packages. I think that would just cause more confusion in the end.

I could maybe see making it so that cargo install cargo-sqlx only installs the cargo-sqlx binary, and cargo install sqlx-cli installs both.

abonander, May 22 '25 22:05

Fortunately, there is no vulnerability because we reserved cargo-sqlx way back when we first launched

Oh, I hadn't checked this; it's cool, thank you for pointing it out. Then do whatever you want with this issue.

Arjentix, May 26 '25 16:05