+38
-2
@@ -2446,6 +2446,8 @@ def set_values(self, fields):
2446
2446
self.has_select_fields = True
2447
2447
2448
2448
if fields:
2449
+
for field in fields:
2450
+
self.check_alias(field)
2449
2451
field_names = []
2450
2452
extra_names = []
2451
2453
annotation_names = []
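Review bot: The new `check_alias` loop rejects any positional name containing whitespace, quotation marks, semicolons or SQL comment markers (that is the message the accompanying test asserts), so a legitimate JSONField key such as `data__first name` is now refused by values()/values_list() rather than being quoted safely; that is a reasonable trade-off for closing the injection, but it is a visible behaviour change that callers may hit as a new ValueError and it deserves a comment here and a sentence in the release notes. The check also runs on the raw string before any `__` splitting, so ordinary field names and lookups pass through it too, which is harmless since identifiers cannot contain those characters but is worth stating. I would add above the loop: `# Positional names end up as column aliases (e.g. JSONField key transforms), so refuse characters that could break out of a quoted identifier.` The enclosing set_values() begins before and continues after this hunk.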
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
30
30
subject to a potential denial-of-service attack via certain inputs with a very
31
31
large number of Unicode characters.
32
32
33
+
CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
34
+
======================================================================================
35
+
36
+
:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
37
+
with a ``JSONField`` were subject to SQL injection in column aliases, via a
38
+
crafted JSON object key as a passed ``*arg``.
39
+
33
40
Bugfixes
34
41
========
35
42
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
30
30
subject to a potential denial-of-service attack via certain inputs with a very
31
31
large number of Unicode characters.
32
32
33
+
CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
34
+
======================================================================================
35
+
36
+
:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
37
+
with a ``JSONField`` were subject to SQL injection in column aliases, via a
38
+
crafted JSON object key as a passed ``*arg``.
39
+
33
40
Bugfixes
34
41
========
35
42
@@ -107,3 +107,10 @@ class UUIDPK(models.Model):
107
107
class UUID(models.Model):
108
108
uuid = models.UUIDField(null=True)
109
109
uuid_fk = models.ForeignKey(UUIDPK, models.CASCADE, null=True)
110
+
111
+
112
+
class JSONFieldModel(models.Model):
113
+
data = models.JSONField(null=True)
114
+
115
+
class Meta:
116
+
required_db_features = {"supports_json_field"}
@@ -1,7 +1,7 @@
1
1
from django.db.models import F, Sum
2
-
from django.test import TestCase
2
+
from django.test import TestCase, skipUnlessDBFeature
3
3
4
-
from .models import Company, Employee
4
+
from .models import Company, Employee, JSONFieldModel
5
5
6
6
7
7
class ValuesExpressionsTests(TestCase):
@@ -43,6 +43,19 @@ def test_values_expression_alias_sql_injection(self):
43
43
with self.assertRaisesMessage(ValueError, msg):
44
44
Company.objects.values(**{crafted_alias: F("ceo__salary")})
45
45
46
+
@skipUnlessDBFeature("supports_json_field")
47
+
def test_values_expression_alias_sql_injection_json_field(self):
48
+
crafted_alias = """injected_name" from "expressions_company"; --"""
49
+
msg = (
50
+
"Column aliases cannot contain whitespace characters, quotation marks, "
51
+
"semicolons, or SQL comments."
52
+
)
53
+
with self.assertRaisesMessage(ValueError, msg):
54
+
JSONFieldModel.objects.values(f"data__{crafted_alias}")
55
+
56
+
with self.assertRaisesMessage(ValueError, msg):
57
+
JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
58
+
46
59
def test_values_expression_group_by(self):
47
60
# values() applies annotate() first, so values selected are grouped by
48
61
# id, not firstname.
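Review bot: The new test only exercises the rejection path; it should also pin that a benign key transform still works once the alias check is in place, so the fix is not over-rejecting ordinary JSON keys, e.g. `JSONFieldModel.objects.create(data={"key": 1})` followed by `self.assertSequenceEqual(JSONFieldModel.objects.values_list("data__key", flat=True), [1])` (the exact returned value may depend on the backend's JSON handling, so adjust as needed). The `msg` string and the crafted alias appear to duplicate those used by `test_values_expression_alias_sql_injection` immediately above (whose body is mostly outside this hunk); lifting both to module-level constants would keep the two tests from drifting apart. A `crafted_alias` that also includes a newline would additionally cover the "whitespace characters" clause of the message, which the current `"` / `;` / `--` payload does not reach on its own.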