[3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection.

Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-06-22 12:44:04 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-07-04 08:41:33 +0200
commit: a9010fe5555e6086a9d9ae50069579400ef0685e (patch)
tree: 9205cc581de9c817f3e1bbc9a19c2223816c69f7 /tests/db_functions/datetime/test_extract_trunc.py
parent: 3acf156be371b968b398062c28fe7a9449745a70 (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/tests/db_functions/datetime/test_extract_trunc.py b/tests/db_functions/datetime/test_extract_trunc.py
index 258600127f..27ed3ae63e 100644
--- a/tests/db_functions/datetime/test_extract_trunc.py
+++ b/tests/db_functions/datetime/test_extract_trunc.py
@@ -177,6 +177,23 @@ class DateFunctionTests(TestCase):
                 self.assertEqual(qs.count(), 1)
                 self.assertGreaterEqual(str(qs.query).lower().count('extract'), 2)
 
+    def test_extract_lookup_name_sql_injection(self):
+        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
+        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
+        if settings.USE_TZ:
+            start_datetime = timezone.make_aware(start_datetime)
+            end_datetime = timezone.make_aware(end_datetime)
+        self.create_model(start_datetime, end_datetime)
+        self.create_model(end_datetime, start_datetime)
+
+        msg = "Invalid lookup_name: "
+        with self.assertRaisesMessage(ValueError, msg):
+            DTModel.objects.filter(
+                start_datetime__year=Extract(
+                    "start_datetime", "day' FROM start_datetime)) OR 1=1;--"
+                )
+            ).exists()
+
     def test_extract_func(self):
         start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
         end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
@@ -620,6 +637,23 @@ class DateFunctionTests(TestCase):
         )
         self.assertEqual(DTModel.objects.filter(start_datetime__second=ExtractSecond('start_datetime')).count(), 2)
 
+    def test_trunc_lookup_name_sql_injection(self):
+        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
+        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
+        if settings.USE_TZ:
+            start_datetime = timezone.make_aware(start_datetime)
+            end_datetime = timezone.make_aware(end_datetime)
+        self.create_model(start_datetime, end_datetime)
+        self.create_model(end_datetime, start_datetime)
+        msg = "Invalid kind: "
+        with self.assertRaisesMessage(ValueError, msg):
+            DTModel.objects.filter(
+                start_datetime__date=Trunc(
+                    "start_datetime",
+                    "year', start_datetime)) OR 1=1;--",
+                )
+            ).exists()
+
     def test_trunc_func(self):
         start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
         end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-06-22 12:44:04 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-07-04 08:41:33 +0200
commit	a9010fe5555e6086a9d9ae50069579400ef0685e (patch)
tree	9205cc581de9c817f3e1bbc9a19c2223816c69f7 /tests/db_functions/datetime/test_extract_trunc.py
parent	3acf156be371b968b398062c28fe7a9449745a70 (diff)