Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
python-Django.34948
CVE-2024-42005.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-42005.patch of Package python-Django.34948
From b6de28f897709ee5d94ca2da21bcc98f9dade01c Mon Sep 17 00:00:00 2001 From: Simon Charette <charette.s@gmail.com> Date: Thu, 25 Jul 2024 18:19:13 +0200 Subject: [PATCH 4/4] [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. --- django/db/models/sql/query.py | 2 ++ tests/expressions/models.py | 7 +++++++ tests/expressions/test_queryset_values.py | 17 +++++++++++++++-- 4 files changed, 31 insertions(+), 2 deletions(-) Index: Django-2.0.7/django/db/models/sql/query.py =================================================================== --- Django-2.0.7.orig/django/db/models/sql/query.py +++ Django-2.0.7/django/db/models/sql/query.py @@ -1924,6 +1924,8 @@ class Query: self.clear_select_fields() if fields: + for field in fields: + self.check_alias(field) field_names = [] extra_names = [] annotation_names = [] Index: Django-2.0.7/tests/expressions/models.py =================================================================== --- Django-2.0.7.orig/tests/expressions/models.py +++ Django-2.0.7/tests/expressions/models.py @@ -4,6 +4,7 @@ Tests for F() query expression syntax. import uuid from django.db import models +from django.contrib.postgres.fields import JSONField class Employee(models.Model): @@ -91,3 +92,10 @@ class UUID(models.Model): def __str__(self): return "%s" % self.uuid + + +class JSONFieldModel(models.Model): + data = JSONField(null=True) + + class Meta: + required_db_features = {"supports_json_field"} Index: Django-2.0.7/tests/expressions/test_queryset_values.py =================================================================== --- Django-2.0.7.orig/tests/expressions/test_queryset_values.py +++ Django-2.0.7/tests/expressions/test_queryset_values.py @@ -1,8 +1,8 @@ from django.db.models.aggregates import Sum from django.db.models.expressions import F -from django.test import TestCase +from django.test import TestCase, skipUnlessDBFeature -from .models import Company, Employee +from .models import Company, Employee, JSONFieldModel class ValuesExpressionsTests(TestCase): @@ -36,6 +36,19 @@ class ValuesExpressionsTests(TestCase): with self.assertRaisesMessage(ValueError, msg): Company.objects.values(**{crafted_alias: F("ceo__salary")}) + @skipUnlessDBFeature("supports_json_field") + def test_values_expression_alias_sql_injection_json_field(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values(f"data__{crafted_alias}") + + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values_list(f"data__{crafted_alias}") + def test_values_expression_group_by(self): # values() applies annotate() first, so values selected are grouped by # id, not firstname.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor