diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-07-22 10:45:26 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-07-31 21:29:17 +0200 |
| commit | ed682a24fca774818542757651bfba576c3fc3ef (patch) | |
| tree | d0e56c1ce9356efc4cd7c910a1fde55f9b133971 /tests | |
| parent | 52479acce792ad80bb0f915f20b835f919993c72 (diff) | |
[1.11.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/postgres_tests/test_hstore.py | 15 | ||||
| -rw-r--r-- | tests/postgres_tests/test_json.py | 14 |
2 files changed, 28 insertions, 1 deletions
diff --git a/tests/postgres_tests/test_hstore.py b/tests/postgres_tests/test_hstore.py index 0fc427f67c..dd8e642ed0 100644 --- a/tests/postgres_tests/test_hstore.py +++ b/tests/postgres_tests/test_hstore.py @@ -4,8 +4,9 @@ from __future__ import unicode_literals import json from django.core import exceptions, serializers +from django.db import connection from django.forms import Form -from django.test.utils import modify_settings +from django.test.utils import CaptureQueriesContext, modify_settings from . import PostgreSQLTestCase from .models import HStoreModel @@ -167,6 +168,18 @@ class TestQuerying(HStoreTestCase): self.objs[:2] ) + def test_key_sql_injection(self): + with CaptureQueriesContext(connection) as queries: + self.assertFalse( + HStoreModel.objects.filter(**{ + "field__test' = 'a') OR 1 = 1 OR ('d": 'x', + }).exists() + ) + self.assertIn( + """."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' """, + queries[0]['sql'], + ) + class TestSerialization(HStoreTestCase): test_data = ('[{"fields": {"field": "{\\"a\\": \\"b\\"}"}, ' diff --git a/tests/postgres_tests/test_json.py b/tests/postgres_tests/test_json.py index 4e8851d485..925e800131 100644 --- a/tests/postgres_tests/test_json.py +++ b/tests/postgres_tests/test_json.py @@ -6,8 +6,10 @@ from decimal import Decimal from django.core import exceptions, serializers from django.core.serializers.json import DjangoJSONEncoder +from django.db import connection from django.forms import CharField, Form, widgets from django.test import skipUnlessDBFeature +from django.test.utils import CaptureQueriesContext from django.utils.html import escape from . import PostgreSQLTestCase @@ -263,6 +265,18 @@ class TestQuerying(PostgreSQLTestCase): def test_iregex(self): self.assertTrue(JSONModel.objects.filter(field__foo__iregex=r'^bAr$').exists()) + def test_key_sql_injection(self): + with CaptureQueriesContext(connection) as queries: + self.assertFalse( + JSONModel.objects.filter(**{ + """field__test' = '"a"') OR 1 = 1 OR ('d""": 'x', + }).exists() + ) + self.assertIn( + """."field" -> 'test'' = ''"a"'') OR 1 = 1 OR (''d') = '"x"' """, + queries[0]['sql'], + ) + @skipUnlessDBFeature('has_jsonb_datatype') class TestSerialization(PostgreSQLTestCase): |
