summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2024-07-25 12:19:13 -0400
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-06 08:50:08 +0200
commitc87bfaacf8fb84984243b5055dc70f97996cb115 (patch)
treeab5d519d769fa346059db9d49dcaa2b2f2b4c22c
parent5f1757142febd95994caa1c0f64c1a0c161982c3 (diff)
Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
-rw-r--r--django/db/models/sql/query.py2
-rw-r--r--docs/releases/4.2.15.txt7
-rw-r--r--docs/releases/5.0.8.txt7
-rw-r--r--tests/expressions/models.py7
-rw-r--r--tests/expressions/test_queryset_values.py17
5 files changed, 38 insertions, 2 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 09916277bc..c1e2fc1d4f 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2461,6 +2461,8 @@ class Query(BaseExpression):
selected = {}
if fields:
+ for field in fields:
+ self.check_alias(field)
field_names = []
extra_names = []
annotation_names = []
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
index 1c6a1c7ede..b1d4684596 100644
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
Bugfixes
========
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
index 2a0823d0ca..37f51f71c7 100644
--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
Bugfixes
========
diff --git a/tests/expressions/models.py b/tests/expressions/models.py
index 31891a13d7..3909bdf0cd 100644
--- a/tests/expressions/models.py
+++ b/tests/expressions/models.py
@@ -115,3 +115,10 @@ class UUID(models.Model):
class Text(models.Model):
name = models.TextField()
+
+
+class JSONFieldModel(models.Model):
+ data = models.JSONField(null=True)
+
+ class Meta:
+ required_db_features = {"supports_json_field"}
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
index 80addef37b..47bd1358de 100644
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@@ -1,7 +1,7 @@
from django.db.models import F, Sum
-from django.test import TestCase
+from django.test import TestCase, skipUnlessDBFeature
-from .models import Company, Employee
+from .models import Company, Employee, JSONFieldModel
class ValuesExpressionsTests(TestCase):
@@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase):
with self.assertRaisesMessage(ValueError, msg):
Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ @skipUnlessDBFeature("supports_json_field")
+ def test_values_expression_alias_sql_injection_json_field(self):
+ crafted_alias = """injected_name" from "expressions_company"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ JSONFieldModel.objects.values(f"data__{crafted_alias}")
+
+ with self.assertRaisesMessage(ValueError, msg):
+ JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+
def test_values_expression_group_by(self):
# values() applies annotate() first, so values selected are grouped by
# id, not firstname.