The rand::time()
function in SurrealQL generates a random time from an optional range of two Unix timestamps. Due to the underlying use of timestamp_opt
from the chrono
crate, this function could potentially return None
in some instances, leading to a panic when unwrap
was called on its result in order to return a SurrealQL datetime
type to the caller of the function.
A client that is authorized to run queries in a SurrealDB server would be able to make repeated (in the order of millions) calls to rand::time()
in order to reliably trigger a panic. This would crash the server, leading to denial of service.
The function has been updated in to guarantee that some datetime
is returned or that an error is otherwise gracefully handled.
Affected users who are unable to update may want to limit the ability of untrusted clients to run the rand::time()
function in the affected versions of SurrealDB using security capabilities. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.