1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
commit c87bfaacf8fb84984243b5055dc70f97996cb115
Author: Simon Charette <charette.s@gmail.com>
Date: Thu Jul 25 12:19:13 2024 -0400
Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
Index: python-django-debian.git/django/db/models/sql/query.py
===================================================================
--- python-django-debian.git.orig/django/db/models/sql/query.py
+++ python-django-debian.git/django/db/models/sql/query.py
@@ -2239,6 +2239,8 @@ class Query(BaseExpression):
self.clear_select_fields()
if fields:
+ for field in fields:
+ self.check_alias(field)
field_names = []
extra_names = []
annotation_names = []
Index: python-django-debian.git/tests/expressions/models.py
===================================================================
--- python-django-debian.git.orig/tests/expressions/models.py
+++ python-django-debian.git/tests/expressions/models.py
@@ -101,3 +101,10 @@ class UUIDPK(models.Model):
class UUID(models.Model):
uuid = models.UUIDField(null=True)
uuid_fk = models.ForeignKey(UUIDPK, models.CASCADE, null=True)
+
+
+class JSONFieldModel(models.Model):
+ data = models.JSONField(null=True)
+
+ class Meta:
+ required_db_features = {"supports_json_field"}
Index: python-django-debian.git/tests/expressions/test_queryset_values.py
===================================================================
--- python-django-debian.git.orig/tests/expressions/test_queryset_values.py
+++ python-django-debian.git/tests/expressions/test_queryset_values.py
@@ -1,7 +1,7 @@
from django.db.models import F, Sum
-from django.test import TestCase
+from django.test import TestCase, skipUnlessDBFeature
-from .models import Company, Employee
+from .models import Company, Employee, JSONFieldModel
class ValuesExpressionsTests(TestCase):
@@ -35,6 +35,19 @@ class ValuesExpressionsTests(TestCase):
with self.assertRaisesMessage(ValueError, msg):
Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ @skipUnlessDBFeature("supports_json_field")
+ def test_values_expression_alias_sql_injection_json_field(self):
+ crafted_alias = """injected_name" from "expressions_company"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ JSONFieldModel.objects.values(f"data__{crafted_alias}")
+
+ with self.assertRaisesMessage(ValueError, msg):
+ JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+
def test_values_expression_group_by(self):
# values() applies annotate() first, so values selected are grouped by
# id, not firstname.
|
