| author | Simon Charette <charette.s@gmail.com> | 2024-07-25 18:19:13 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:51:55 +0200 |
| commit | 32ebcbf2e1fe3e5ba79a6554a167efce81f7422d (patch) | |
| tree | ece61f70ea6a6c10ff44655f0dcb924a806bb628 /tests | |
| parent | 523da8771bce321023f490f70d71a9e973ddc927 (diff) | |
[5.0.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/expressions/models.py | 7 | ||||
| -rw-r--r-- | tests/expressions/test_queryset_values.py | 17 |
2 files changed, 22 insertions, 2 deletions
diff --git a/tests/expressions/models.py b/tests/expressions/models.py
index 0cab275631..b9cc86cd4e 100644
--- a/tests/expressions/models.py
+++ b/tests/expressions/models.py
@@ -107,3 +107,10 @@ class UUIDPK(models.Model):
 class UUID(models.Model):
     uuid = models.UUIDField(null=True)
     uuid_fk = models.ForeignKey(UUIDPK, models.CASCADE, null=True)
+
+
+class JSONFieldModel(models.Model):
+    data = models.JSONField(null=True)
+
+    class Meta:
+        required_db_features = {"supports_json_field"}
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
index 80addef37b..47bd1358de 100644
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@@ -1,7 +1,7 @@
 from django.db.models import F, Sum
-from django.test import TestCase
+from django.test import TestCase, skipUnlessDBFeature
 
-from .models import Company, Employee
+from .models import Company, Employee, JSONFieldModel
 
 
 class ValuesExpressionsTests(TestCase):
@@ -43,6 +43,19 @@ class ValuesExpressionsTests(TestCase):
         with self.assertRaisesMessage(ValueError, msg):
             Company.objects.values(**{crafted_alias: F("ceo__salary")})
 
+    @skipUnlessDBFeature("supports_json_field")
+    def test_values_expression_alias_sql_injection_json_field(self):
+        crafted_alias = """injected_name" from "expressions_company"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+
+        with self.assertRaisesMessage(ValueError, msg):
+            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+
     def test_values_expression_group_by(self):
         # values() applies annotate() first, so values selected are grouped by
         # id, not firstname.
|
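Review bot: The new test_values_expression_alias_sql_injection_json_field proves rejection only for one composite alias that contains whitespace, a quotation mark, a semicolon and a `--` comment all at once, so if a later refactor of the alias validator dropped any single one of the four classes named in the error message the test would still pass on the remaining ones. A regression guard for a CVE fix should exercise each forbidden class in its own subTest, so that a weakened check fails on a specific, named input; the composite alias can stay as the first entry. It would also be worth a positive case (create a row with `data={"key": 1}` and assert `values("data__key")` still resolves) so the check is not silently over-restricting legitimate key transforms, though that belongs in a separate test. The enclosing ValuesExpressionsTests class starts and ends outside this hunk, and the preceding test in the class appears to build the same `msg` string, so hoisting it to a class attribute would avoid the duplication.
```python
    @skipUnlessDBFeature("supports_json_field")
    def test_values_expression_alias_sql_injection_json_field(self):
        msg = (
            "Column aliases cannot contain whitespace characters, quotation marks, "
            "semicolons, or SQL comments."
        )
        # One alias per forbidden class so that a dropped check fails on its own.
        crafted_aliases = [
            """injected_name" from "expressions_company"; --""",
            "name with space",
            'name"quoted',
            "name;",
            "name--",
        ]
        for crafted_alias in crafted_aliases:
            with self.subTest(crafted_alias=crafted_alias):
                with self.assertRaisesMessage(ValueError, msg):
                    JSONFieldModel.objects.values(f"data__{crafted_alias}")
                with self.assertRaisesMessage(ValueError, msg):
                    JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
```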
