79 lines
2.9 KiB
Diff
79 lines
2.9 KiB
Diff
From b6de28f897709ee5d94ca2da21bcc98f9dade01c Mon Sep 17 00:00:00 2001
|
|
From: Simon Charette <charette.s@gmail.com>
|
|
Date: Thu, 25 Jul 2024 18:19:13 +0200
|
|
Subject: [PATCH 4/4] [4.2.x] Fixed CVE-2024-42005 -- Mitigated
|
|
QuerySet.values() SQL injection attacks against JSON fields.
|
|
|
|
Thanks Eyal (eyalgabay) for the report.
|
|
---
|
|
django/db/models/sql/query.py | 2 ++
|
|
tests/expressions/models.py | 7 +++++++
|
|
tests/expressions/test_queryset_values.py | 17 +++++++++++++++--
|
|
4 files changed, 31 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
|
|
index f98c6c668b..e68fd9efb7 100644
|
|
--- a/django/db/models/sql/query.py
|
|
+++ b/django/db/models/sql/query.py
|
|
@@ -2415,6 +2415,8 @@ class Query(BaseExpression):
|
|
self.has_select_fields = True
|
|
|
|
if fields:
|
|
+ for field in fields:
|
|
+ self.check_alias(field)
|
|
field_names = []
|
|
extra_names = []
|
|
annotation_names = []
|
|
diff --git a/tests/expressions/models.py b/tests/expressions/models.py
|
|
index 0a8a0a6584..6b21e9ccf3 100644
|
|
--- a/tests/expressions/models.py
|
|
+++ b/tests/expressions/models.py
|
|
@@ -106,3 +106,10 @@ class UUIDPK(models.Model):
|
|
class UUID(models.Model):
|
|
uuid = models.UUIDField(null=True)
|
|
uuid_fk = models.ForeignKey(UUIDPK, models.CASCADE, null=True)
|
|
+
|
|
+
|
|
+class JSONFieldModel(models.Model):
|
|
+ data = models.JSONField(null=True)
|
|
+
|
|
+ class Meta:
|
|
+ required_db_features = {"supports_json_field"}
|
|
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
|
|
index 80addef37b..47bd1358de 100644
|
|
--- a/tests/expressions/test_queryset_values.py
|
|
+++ b/tests/expressions/test_queryset_values.py
|
|
@@ -1,7 +1,7 @@
|
|
from django.db.models import F, Sum
|
|
-from django.test import TestCase
|
|
+from django.test import TestCase, skipUnlessDBFeature
|
|
|
|
-from .models import Company, Employee
|
|
+from .models import Company, Employee, JSONFieldModel
|
|
|
|
|
|
class ValuesExpressionsTests(TestCase):
|
|
@@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase):
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Company.objects.values(**{crafted_alias: F("ceo__salary")})
|
|
|
|
+ @skipUnlessDBFeature("supports_json_field")
|
|
+ def test_values_expression_alias_sql_injection_json_field(self):
|
|
+ crafted_alias = """injected_name" from "expressions_company"; --"""
|
|
+ msg = (
|
|
+ "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
+ "semicolons, or SQL comments."
|
|
+ )
|
|
+ with self.assertRaisesMessage(ValueError, msg):
|
|
+ JSONFieldModel.objects.values(f"data__{crafted_alias}")
|
|
+
|
|
+ with self.assertRaisesMessage(ValueError, msg):
|
|
+ JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
|
|
+
|
|
def test_values_expression_group_by(self):
|
|
# values() applies annotate() first, so values selected are grouped by
|
|
# id, not firstname.
|
|
--
|
|
2.34.1
|
|
|