From c87bfaacf8fb84984243b5055dc70f97996cb115 Mon Sep 17 00:00:00 2001 From: Simon Charette Date: Thu, 25 Jul 2024 12:19:13 -0400 Subject: [PATCH] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. --- django/db/models/sql/query.py | 2 ++ docs/releases/4.2.15.txt | 7 +++++++ docs/releases/5.0.8.txt | 7 +++++++ tests/expressions/models.py | 7 +++++++ tests/expressions/test_queryset_values.py | 17 +++++++++++++++-- 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 09916277bc..c1e2fc1d4f 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -2461,6 +2461,8 @@ class Query(BaseExpression): selected = {} if fields: + for field in fields: + self.check_alias(field) field_names = [] extra_names = [] annotation_names = [] diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt index 1c6a1c7ede..b1d4684596 100644 --- a/docs/releases/4.2.15.txt +++ b/docs/releases/4.2.15.txt @@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. +CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()`` +====================================================================================== + +:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models +with a ``JSONField`` were subject to SQL injection in column aliases, via a +crafted JSON object key as a passed ``*arg``. + Bugfixes ======== diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt index 2a0823d0ca..37f51f71c7 100644 --- a/docs/releases/5.0.8.txt +++ b/docs/releases/5.0.8.txt @@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. +CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()`` +====================================================================================== + +:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models +with a ``JSONField`` were subject to SQL injection in column aliases, via a +crafted JSON object key as a passed ``*arg``. + Bugfixes ======== diff --git a/tests/expressions/models.py b/tests/expressions/models.py index 31891a13d7..3909bdf0cd 100644 --- a/tests/expressions/models.py +++ b/tests/expressions/models.py @@ -115,3 +115,10 @@ class UUID(models.Model): class Text(models.Model): name = models.TextField() + + +class JSONFieldModel(models.Model): + data = models.JSONField(null=True) + + class Meta: + required_db_features = {"supports_json_field"} diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py index 80addef37b..47bd1358de 100644 --- a/tests/expressions/test_queryset_values.py +++ b/tests/expressions/test_queryset_values.py @@ -1,7 +1,7 @@ from django.db.models import F, Sum -from django.test import TestCase +from django.test import TestCase, skipUnlessDBFeature -from .models import Company, Employee +from .models import Company, Employee, JSONFieldModel class ValuesExpressionsTests(TestCase): @@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase): with self.assertRaisesMessage(ValueError, msg): Company.objects.values(**{crafted_alias: F("ceo__salary")}) + @skipUnlessDBFeature("supports_json_field") + def test_values_expression_alias_sql_injection_json_field(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values(f"data__{crafted_alias}") + + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values_list(f"data__{crafted_alias}") + def test_values_expression_group_by(self): # values() applies annotate() first, so values selected are grouped by # id, not firstname.