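--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -86,7 +86,7 @@ def __init__(self, key_name, *args, **kwargs):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return "(%s -> '%s')" % (lhs, self.key_name), params
+        return '(%s -> %%s)' % lhs, [self.key_name] + params
 
 
 class KeyTransformFactory: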
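Review bot: The key is now bound as a query parameter, which closes the injection, but on new line 89 it is prepended to `params` even though its `%s` placeholder sits after the compiled `lhs` in the SQL text; if that lhs ever carries its own parameters (an annotated expression rather than a bare column), the values bind out of order. The same prepend pattern appears in the other code hunk of this commit at new line 115 (`[lookup] + params`) and in the pre-existing nested branch at its line 110. Suggested line: `return '(%s -> %%s)' % lhs, params + [self.key_name]`. `as_sql` is complete within the hunk; the `__init__` named in the hunk header is not shown.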
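--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -109,12 +109,10 @@ def as_sql(self, compiler, connection):
         if len(key_transforms) > 1:
             return "(%s %s %%s)" % (lhs, self.nested_operator), [key_transforms] + params
         try:
-            int(self.key_name)
+            lookup = int(self.key_name)
         except ValueError:
-            lookup = "'%s'" % self.key_name
-        else:
-            lookup = "%s" % self.key_name
-        return "(%s %s %s)" % (lhs, self.operator, lookup), params
+            lookup = self.key_name
+        return '(%s %s %%s)' % (lhs, self.operator), [lookup] + params
 
 
 class KeyTextTransform(KeyTransform):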
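Review bot: The `try`/`except ValueError` block now decides the parameter's Python type, and nothing documents why, so a reader cannot tell that `lookup = int(self.key_name)` on new line 112 is what turns the lookup into an index rather than a key (presumably because the driver binds an int operand and `->` then selects an array element). Note that `int()` also accepts surrounding whitespace and a sign, so keys such as `' 1'` or `'+1'` are treated as indexes; that was already the case before this change, but it is worth stating now that the value is bound as a typed parameter. Suggested comment above the `try`: `# An integer key is bound as an int (array-index lookup); anything else is bound as text (object-key lookup).` The start of `as_sql` lies outside the hunk.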
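--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -36,3 +36,12 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
+
+CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
+====================================================================================================
+
+:lookup:`Key and index lookups <jsonfield.key>` for
+:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
+<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
+were subject to SQL injection, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.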
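--- a/PATH_NOT_ON_PAGE_4
+++ b/PATH_NOT_ON_PAGE_4
@@ -36,3 +36,12 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
+
+CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
+====================================================================================================
+
+:lookup:`Key and index lookups <jsonfield.key>` for
+:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
+<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
+were subject to SQL injection, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.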
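--- a/PATH_NOT_ON_PAGE_5
+++ b/PATH_NOT_ON_PAGE_5
@@ -37,6 +37,15 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
 
+CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
+====================================================================================================
+
+:lookup:`Key and index lookups <jsonfield.key>` for
+:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
+<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
+were subject to SQL injection, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
+
 Bugfixes
 ========
 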
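--- a/PATH_NOT_ON_PAGE_6
+++ b/PATH_NOT_ON_PAGE_6
@@ -1,8 +1,9 @@
 import json
 
 from django.core import checks, exceptions, serializers
+from django.db import connection
 from django.forms import Form
-from django.test.utils import isolate_apps
+from django.test.utils import CaptureQueriesContext, isolate_apps
 
 from . import PostgreSQLSimpleTestCase, PostgreSQLTestCase
 from .models import HStoreModel, PostgreSQLModel
@@ -185,6 +186,18 @@ def test_usage_in_subquery(self):
             self.objs[:2]
         )
 
+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                HStoreModel.objects.filter(**{
+                    "field__test' = 'a') OR 1 = 1 OR ('d": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' """,
+            queries[0]['sql'],
+        )
+
 
 @isolate_apps('postgres_tests')
 class TestChecks(PostgreSQLSimpleTestCase):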
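Review bot: `test_key_sql_injection` only asserts the negative case — that the crafted key is rendered quoted in `queries[0]['sql']` — and there is no positive case showing that a legitimate key containing a quote still matches now that the key is bound as a parameter instead of being interpolated. The `assertIn` on the captured SQL is also coupled to the driver's exact quoting (doubled single quotes), so a behavioural assertion would be the more durable regression guard. The same applies to the `JSONModel` test hunk later in this commit. The enclosing test class starts outside the hunk. A small round-trip test next to the new one would cover it:
```python
    def test_key_with_quote_round_trips(self):
        # constructed example, not from the commit: a key containing a quote is ordinary data
        HStoreModel.objects.create(field={"it's": 'x'})
        self.assertTrue(HStoreModel.objects.filter(**{"field__it's": 'x'}).exists())
```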
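--- a/PATH_NOT_ON_PAGE_7
+++ b/PATH_NOT_ON_PAGE_7
@@ -5,9 +5,10 @@
 
 from django.core import checks, exceptions, serializers
 from django.core.serializers.json import DjangoJSONEncoder
+from django.db import connection
 from django.db.models import Count, Q
 from django.forms import CharField, Form, widgets
-from django.test.utils import isolate_apps
+from django.test.utils import CaptureQueriesContext, isolate_apps
 from django.utils.html import escape
 
 from . import PostgreSQLSimpleTestCase, PostgreSQLTestCase
@@ -322,6 +323,18 @@ def test_regex(self):
     def test_iregex(self):
         self.assertTrue(JSONModel.objects.filter(field__foo__iregex=r'^bAr$').exists())
 
+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                JSONModel.objects.filter(**{
+                    """field__test' = '"a"') OR 1 = 1 OR ('d""": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''"a"'') OR 1 = 1 OR (''d') = '"x"' """,
+            queries[0]['sql'],
+        )
+
 
 @isolate_apps('postgres_tests')
 class TestChecks(PostgreSQLSimpleTestCase):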