diff options
| author | Simon Charette <charette.s@gmail.com> | 2024-07-25 12:19:13 -0400 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:50:08 +0200 |
| commit | c87bfaacf8fb84984243b5055dc70f97996cb115 (patch) | |
| tree | ab5d519d769fa346059db9d49dcaa2b2f2b4c22c /tests/expressions | |
| parent | 5f1757142febd95994caa1c0f64c1a0c161982c3 (diff) | |
Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
Diffstat (limited to 'tests/expressions')
| -rw-r--r-- | tests/expressions/models.py | 7 | ||||
| -rw-r--r-- | tests/expressions/test_queryset_values.py | 17 |
2 files changed, 22 insertions, 2 deletions
diff --git a/tests/expressions/models.py b/tests/expressions/models.py index 31891a13d7..3909bdf0cd 100644 --- a/tests/expressions/models.py +++ b/tests/expressions/models.py @@ -115,3 +115,10 @@ class UUID(models.Model): class Text(models.Model): name = models.TextField() + + +class JSONFieldModel(models.Model): + data = models.JSONField(null=True) + + class Meta: + required_db_features = {"supports_json_field"} diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py index 80addef37b..47bd1358de 100644 --- a/tests/expressions/test_queryset_values.py +++ b/tests/expressions/test_queryset_values.py @@ -1,7 +1,7 @@ from django.db.models import F, Sum -from django.test import TestCase +from django.test import TestCase, skipUnlessDBFeature -from .models import Company, Employee +from .models import Company, Employee, JSONFieldModel class ValuesExpressionsTests(TestCase): @@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase): with self.assertRaisesMessage(ValueError, msg): Company.objects.values(**{crafted_alias: F("ceo__salary")}) + @skipUnlessDBFeature("supports_json_field") + def test_values_expression_alias_sql_injection_json_field(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values(f"data__{crafted_alias}") + + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values_list(f"data__{crafted_alias}") + def test_values_expression_group_by(self): # values() applies annotate() first, so values selected are grouped by # id, not firstname. |