mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-26 07:06:08 +00:00
Code Issues 32 Releases Wiki Activity

[5.0.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Browse Source 
Thanks Eyal (eyalgabay) for the report.
This commit is contained in:
Simon Charette
2024-07-25 18:19:13 +02:00
committed by Sarah Boyce
parent 523da8771b
commit 32ebcbf2e1
5 changed files with 38 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
django/db/models/sql/query.py
View File

@@ -2446,6 +2446,8 @@ class Query(BaseExpression):
self.has_select_fields = True
if fields:
for field in fields:
self.check_alias(field)
field_names = []
extra_names = []
annotation_names = []

7
docs/releases/4.2.15.txt
View File

@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================
:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.
Bugfixes
========

7
docs/releases/5.0.8.txt
View File

@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================
:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.
Bugfixes
========

7
tests/expressions/models.py
View File

@@ -107,3 +107,10 @@ class UUIDPK(models.Model):
class UUID(models.Model):
uuid = models.UUIDField(null=True)
uuid_fk = models.ForeignKey(UUIDPK, models.CASCADE, null=True)
class JSONFieldModel(models.Model):
data = models.JSONField(null=True)
class Meta:
required_db_features = {"supports_json_field"}

17
tests/expressions/test_queryset_values.py
View File

@@ -1,7 +1,7 @@
from django.db.models import F, Sum
from django.test import TestCase
from django.test import TestCase, skipUnlessDBFeature
from .models import Company, Employee
from .models import Company, Employee, JSONFieldModel
class ValuesExpressionsTests(TestCase):
@@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase):
with self.assertRaisesMessage(ValueError, msg):
Company.objects.values(**{crafted_alias: F("ceo__salary")})
@skipUnlessDBFeature("supports_json_field")
def test_values_expression_alias_sql_injection_json_field(self):
crafted_alias = """injected_name" from "expressions_company"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
JSONFieldModel.objects.values(f"data__{crafted_alias}")
with self.assertRaisesMessage(ValueError, msg):
JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
def test_values_expression_group_by(self):
# values() applies annotate() first, so values selected are grouped by
# id, not firstname.