File CVE-2024-42005.patch of Package python-Django.34948
From b6de28f897709ee5d94ca2da21bcc98f9dade01c Mon Sep 17 00:00:00 2001
From: Simon Charette <charette.s@gmail.com>
Date: Thu, 25 Jul 2024 18:19:13 +0200
Subject: [PATCH 4/4] [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.
---
 django/db/models/sql/query.py             |  2 ++
 tests/expressions/models.py               |  7 +++++++
 tests/expressions/test_queryset_values.py | 17 +++++++++++++++--
 4 files changed, 31 insertions(+), 2 deletions(-)

Index: Django-2.0.7/django/db/models/sql/query.py
===================================================================
--- Django-2.0.7.orig/django/db/models/sql/query.py
+++ Django-2.0.7/django/db/models/sql/query.py
@@ -1924,6 +1924,8 @@ class Query:
         self.clear_select_fields()
 
         if fields:
+            for field in fields:
+                self.check_alias(field)
             field_names = []
             extra_names = []
             annotation_names = []
Index: Django-2.0.7/tests/expressions/models.py
===================================================================
--- Django-2.0.7.orig/tests/expressions/models.py
+++ Django-2.0.7/tests/expressions/models.py
@@ -4,6 +4,7 @@ Tests for F() query expression syntax.
 import uuid
 
 from django.db import models
+from django.contrib.postgres.fields import JSONField
 
 
 class Employee(models.Model):
@@ -91,3 +92,10 @@ class UUID(models.Model):
 
     def __str__(self):
         return "%s" % self.uuid
+
+
+class JSONFieldModel(models.Model):
+    data = JSONField(null=True)
+
+    class Meta:
+        required_db_features = {"supports_json_field"}
Index: Django-2.0.7/tests/expressions/test_queryset_values.py
===================================================================
--- Django-2.0.7.orig/tests/expressions/test_queryset_values.py
+++ Django-2.0.7/tests/expressions/test_queryset_values.py
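Review bot: The new loop in the `if fields:` branch of the query.py hunk depends on `Query.check_alias`, which is defined outside this hunk and is not part of Django 2.0.7 itself; in this backport it has to come from the earlier alias-validation patch in the package's series, and the existing context in the test hunk (the `crafted_alias` / `msg` assertion on `Company.objects.values(**{...})`) suggests that patch is already applied, but the series order should be confirmed because otherwise every `values()`/`values_list()` call with field names would raise AttributeError. The enclosing method starts and ends outside the hunk. A short why-comment above the loop would help future backporters, e.g. `# Positional names are reused as column aliases (and as JSON key lookups); reject unsafe ones (CVE-2024-42005).`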
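Review bot: The added module-level `from django.contrib.postgres.fields import JSONField` in tests/expressions/models.py is unconditional, and in this Django line that package presumably imports psycopg2 at import time (confirm against the vendored tree); if it is unavailable, the whole `expressions` test models module fails to import and every test in that app errors, not just the new JSON-field test. Neither `required_db_features` on `JSONFieldModel` in the next hunk nor `@skipUnlessDBFeature` on the new test guards an ImportError, since both run after the module is loaded. Consider guarding the import, e.g. `try: from django.contrib.postgres.fields import JSONField` / `except ImportError: JSONField = None`, and defining `JSONFieldModel` only when `JSONField is not None`, with the test module's `JSONFieldModel` import adjusted the same way. The same concern applies to the second hunk of this file.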
@@ -1,8 +1,8 @@
 from django.db.models.aggregates import Sum
 from django.db.models.expressions import F
-from django.test import TestCase
+from django.test import TestCase, skipUnlessDBFeature
 
-from .models import Company, Employee
+from .models import Company, Employee, JSONFieldModel
 
 
 class ValuesExpressionsTests(TestCase):
@@ -36,6 +36,19 @@ class ValuesExpressionsTests(TestCase):
         with self.assertRaisesMessage(ValueError, msg):
             Company.objects.values(**{crafted_alias: F("ceo__salary")})
 
+    @skipUnlessDBFeature("supports_json_field")
+    def test_values_expression_alias_sql_injection_json_field(self):
+        crafted_alias = """injected_name" from "expressions_company"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+
+        with self.assertRaisesMessage(ValueError, msg):
+            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+
     def test_values_expression_group_by(self):
         # values() applies annotate() first, so values selected are grouped by
         # id, not firstname.