GHSA-3pp4-64mp-9cg9: 
Rust vulnerability analysis and mitigation

A memory safety vulnerability was discovered in the tremor-script package affecting versions >= 0.7.2 and < 0.11.6. The issue occurs when using patch or merge operations on state and assigning the result back to state. The vulnerability was disclosed on September 16, 2021, and a fix was released in version 0.11.6 (GitHub Advisory, RustSec Advisory).

The vulnerability stems from an optimization that was applied to manipulate target values in-place instead of cloning them. The Value struct in tremor-script represents borrowed strings using beef::Cow<'lifetime, str> that reference the actual Vec the event is based upon. While this optimization was safe for event data or static data, the introduction of state in tremor-script created a scenario where Value data could persist longer than an event's lifetime. When event data is merged or patched into state without proper cloning, it can retain references to keys or values from previous events that become invalid (RustSec Advisory).

This vulnerability allows access to freed regions of memory and enables the extraction of their content over the wire. The issue specifically affects scenarios where state operations are performed using merge or patch commands with direct reassignment (GitHub Advisory).

A temporary workaround for affected versions involves avoiding the optimization by introducing a temporary variable: let tmp = merge state of event end; let state = tmp;. The permanent fix was implemented in tremor-script version 0.11.6 through commit 1a2efcd, which removes the optimization and always clones the target expression of a Merge or Patch operation (GitHub Advisory, Runtime PR).