Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.
2024-12-22 17:16:24 +00:00 · 2024-07-25 12:19:13 -04:00 · 2024-07-25 12:19:13 -04:00 · c87bfaacf8
commit c87bfaacf8
parent 5f1757142f
5 changed files with 38 additions and 2 deletions
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@ -2461,6 +2461,8 @@ class Query(BaseExpression):

        selected = {}
        if fields:
+            for field in fields:
+                self.check_alias(field)
            field_names = []
            extra_names = []
            annotation_names = []
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
 subject to a potential denial-of-service attack via certain inputs with a very
 large number of Unicode characters.

+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
 Bugfixes
 ========

--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
 subject to a potential denial-of-service attack via certain inputs with a very
 large number of Unicode characters.

+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
 Bugfixes
 ========

--- a/tests/expressions/models.py
+++ b/tests/expressions/models.py
@ -115,3 +115,10 @@ class UUID(models.Model):

 class Text(models.Model):
    name = models.TextField()
+
+
+class JSONFieldModel(models.Model):
+    data = models.JSONField(null=True)
+
+    class Meta:
+        required_db_features = {"supports_json_field"}
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@ -1,7 +1,7 @@
 from django.db.models import F, Sum
-from django.test import TestCase
+from django.test import TestCase, skipUnlessDBFeature

-from .models import Company, Employee
+from .models import Company, Employee, JSONFieldModel


 class ValuesExpressionsTests(TestCase):
@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase):
        with self.assertRaisesMessage(ValueError, msg):
            Company.objects.values(**{crafted_alias: F("ceo__salary")})

+    @skipUnlessDBFeature("supports_json_field")
+    def test_values_expression_alias_sql_injection_json_field(self):
+        crafted_alias = """injected_name" from "expressions_company"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+
+        with self.assertRaisesMessage(ValueError, msg):
+            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+
    def test_values_expression_group_by(self):
        # values() applies annotate() first, so values selected are grouped by
        # id, not firstname.