Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.

Thanks to Sage M. Abdullah for the report and initial patch. Thanks Florian Apolloner for reviews.
2025-10-24 06:06:09 +00:00 · 2019-07-22 10:45:26 +02:00
parent 4b78420d25
commit 7deeabc7c7
7 changed files with 59 additions and 8 deletions
--- a/tests/postgres_tests/test_hstore.py
+++ b/tests/postgres_tests/test_hstore.py
@@ -1,8 +1,9 @@
 import json

 from django.core import checks, exceptions, serializers
+from django.db import connection
 from django.forms import Form
-from django.test.utils import isolate_apps
+from django.test.utils import CaptureQueriesContext, isolate_apps

 from . import PostgreSQLSimpleTestCase, PostgreSQLTestCase
 from .models import HStoreModel, PostgreSQLModel
@@ -185,6 +186,18 @@ class TestQuerying(PostgreSQLTestCase):
            self.objs[:2]
        )

+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                HStoreModel.objects.filter(**{
+                    "field__test' = 'a') OR 1 = 1 OR ('d": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' """,
+            queries[0]['sql'],
+        )
+

@isolate_apps('postgres_tests')
 class TestChecks(PostgreSQLSimpleTestCase):
--- a/tests/postgres_tests/test_json.py
+++ b/tests/postgres_tests/test_json.py
@@ -5,9 +5,10 @@ from decimal import Decimal

 from django.core import checks, exceptions, serializers
 from django.core.serializers.json import DjangoJSONEncoder
+from django.db import connection
 from django.db.models import Count, Q
 from django.forms import CharField, Form, widgets
-from django.test.utils import isolate_apps
+from django.test.utils import CaptureQueriesContext, isolate_apps
 from django.utils.html import escape

 from . import PostgreSQLSimpleTestCase, PostgreSQLTestCase
@@ -331,6 +332,18 @@ class TestQuerying(PostgreSQLTestCase):
    def test_iregex(self):
        self.assertTrue(JSONModel.objects.filter(field__foo__iregex=r'^bAr$').exists())

+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                JSONModel.objects.filter(**{
+                    """field__test' = '"a"') OR 1 = 1 OR ('d""": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''"a"'') OR 1 = 1 OR (''d') = '"x"' """,
+            queries[0]['sql'],
+        )
+

@isolate_apps('postgres_tests')
 class TestChecks(PostgreSQLSimpleTestCase):