+78
-9
lines changedFilter options
+78
-9
lines changed Original file line number Diff line number Diff line change
@@ -54,7 +54,6 @@ class DatabaseFeatures(BaseDatabaseFeatures):
54 54
only_supports_unbounded_with_preceding_and_following = True
55 55
supports_aggregate_filter_clause = True
56 56
supported_explain_formats = {'JSON', 'TEXT', 'XML', 'YAML'}
57 -
validates_explain_options = False # A query will error on invalid options.
58 57
supports_deferrable_unique_constraints = True
59 58
has_json_operators = True
60 59
json_key_contains_list_matching_requires_list = True
@@ -7,6 +7,18 @@
7 7
class DatabaseOperations(BaseDatabaseOperations):
8 8
cast_char_field_without_max_length = 'varchar'
9 9
explain_prefix = 'EXPLAIN'
10 +
explain_options = frozenset(
11 +
[
12 +
"ANALYZE",
13 +
"BUFFERS",
14 +
"COSTS",
15 +
"SETTINGS",
16 +
"SUMMARY",
17 +
"TIMING",
18 +
"VERBOSE",
19 +
"WAL",
20 +
]
21 +
)
10 22
cast_data_types = {
11 23
'AutoField': 'integer',
12 24
'BigAutoField': 'bigint',
@@ -258,15 +270,20 @@ def subtract_temporals(self, internal_type, lhs, rhs):
258 270
return super().subtract_temporals(internal_type, lhs, rhs)
259 271 260 272
def explain_query_prefix(self, format=None, **options):
261 -
prefix = super().explain_query_prefix(format)
262 273
extra = {}
263 -
if format:
264 -
extra['FORMAT'] = format
274 +
# Normalize options.
265 275
if options:
266 -
extra.update({
267 -
name.upper(): 'true' if value else 'false'
276 +
options = {
277 +
name.upper(): "true" if value else "false"
268 278
for name, value in options.items()
269 -
})
279 +
}
280 +
for valid_option in self.explain_options:
281 +
value = options.pop(valid_option, None)
282 +
if value is not None:
283 +
extra[valid_option.upper()] = value
284 +
prefix = super().explain_query_prefix(format, **options)
285 +
if format:
286 +
extra['FORMAT'] = format
270 287
if extra:
271 288
prefix += ' (%s)' % ', '.join('%s %s' % i for i in extra.items())
272 289
return prefix
@@ -50,6 +50,10 @@
50 50
# SQL comments are forbidden in column aliases.
51 51
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
52 52 53 +
# Inspired from
54 +
# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
55 +
EXPLAIN_OPTIONS_PATTERN = _lazy_re_compile(r"[\w\-]+")
56 + 53 57 54 58
def get_field_names_from_opts(opts):
55 59
return set(chain.from_iterable(
@@ -558,6 +562,12 @@ def has_results(self, using):
558 562 559 563
def explain(self, using, format=None, **options):
560 564
q = self.clone()
565 +
for option_name in options:
566 +
if (
567 +
not EXPLAIN_OPTIONS_PATTERN.fullmatch(option_name) or
568 +
"--" in option_name
569 +
):
570 +
raise ValueError(f"Invalid option name: {option_name!r}.")
561 571
q.explain_query = True
562 572
q.explain_format = format
563 573
q.explain_options = options
@@ -13,3 +13,10 @@ CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate(
13 13
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
14 14
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
15 15
``**kwargs`` passed to these methods.
16 + 17 +
CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL
18 +
=========================================================================================
19 + 20 +
:meth:`.QuerySet.explain` method was subject to SQL injection in option names,
21 +
using a suitably crafted dictionary, with dictionary expansion, as the
22 +
``**options`` argument.
Original file line number Diff line number Diff line change
@@ -15,6 +15,13 @@ CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate(
15 15
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
16 16
``**kwargs`` passed to these methods.
17 17 18 +
CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL
19 +
=========================================================================================
20 + 21 +
:meth:`.QuerySet.explain` method was subject to SQL injection in option names,
22 +
using a suitably crafted dictionary, with dictionary expansion, as the
23 +
``**options`` argument.
24 + 18 25
Bugfixes
19 26
========
20 27
@@ -34,8 +34,8 @@ def test_basic(self):
34 34 35 35
@skipUnlessDBFeature('validates_explain_options')
36 36
def test_unknown_options(self):
37 -
with self.assertRaisesMessage(ValueError, 'Unknown options: test, test2'):
38 -
Tag.objects.all().explain(test=1, test2=1)
37 +
with self.assertRaisesMessage(ValueError, "Unknown options: TEST, TEST2"):
38 +
Tag.objects.all().explain(**{"TEST": 1, "TEST2": 1})
39 39 40 40
def test_unknown_format(self):
41 41
msg = 'DOES NOT EXIST is not a recognized format.'
@@ -68,6 +68,35 @@ def test_postgres_options(self):
68 68
option = '{} {}'.format(name.upper(), 'true' if value else 'false')
69 69
self.assertIn(option, captured_queries[0]['sql'])
70 70 71 +
def test_option_sql_injection(self):
72 +
qs = Tag.objects.filter(name="test")
73 +
options = {"SUMMARY true) SELECT 1; --": True}
74 +
msg = "Invalid option name: 'SUMMARY true) SELECT 1; --'"
75 +
with self.assertRaisesMessage(ValueError, msg):
76 +
qs.explain(**options)
77 + 78 +
def test_invalid_option_names(self):
79 +
qs = Tag.objects.filter(name="test")
80 +
tests = [
81 +
'opt"ion',
82 +
"o'ption",
83 +
"op`tion",
84 +
"opti on",
85 +
"option--",
86 +
"optio\tn",
87 +
"o\nption",
88 +
"option;",
89 +
"你 好",
90 +
# [] are used by MSSQL.
91 +
"option[",
92 +
"option]",
93 +
]
94 +
for invalid_option in tests:
95 +
with self.subTest(invalid_option):
96 +
msg = f"Invalid option name: {invalid_option!r}"
97 +
with self.assertRaisesMessage(ValueError, msg):
98 +
qs.explain(**{invalid_option: True})
99 + 71 100
@unittest.skipUnless(connection.vendor == 'mysql', 'MySQL specific')
72 101
def test_mysql_text_to_traditional(self):
73 102
# Ensure these cached properties are initialized to prevent queries for
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4