
Showing content from https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef below:

[1.11.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key … · django/django@ed682a2 · GitHub

File tree Expand file treeCollapse file tree 5 files changed

+41

-7

lines changed


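--- a/PATH-NOT-SHOWN-hstore-fields
+++ b/PATH-NOT-SHOWN-hstore-fields
@@ -86,7 +86,7 @@ def __init__(self, key_name, *args, **kwargs):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return "(%s -> '%s')" % (lhs, self.key_name), params
+        return '(%s -> %%s)' % lhs, [self.key_name] + params
 
 
 class KeyTransformFactory(object):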
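Review bot: The parameter order on the new return line looks reversed: `'(%s -> %%s)' % lhs` places the lhs SQL before the `%s` for the key, so any placeholders that `compiler.compile(self.lhs)` produced come first in the SQL text, yet their values are appended after the key in `[self.key_name] + params`. With a plain column as lhs `params` is empty and the fix works as intended, but an lhs that carries its own parameters would have them bound in the wrong positions; `return '(%s -> %%s)' % lhs, params + [self.key_name]` keeps SQL order and parameter order aligned. The same ordering appears in the next section's new `return '(%s %s %%s)' % (lhs, self.operator), [lookup] + params`, whose enclosing `as_sql` body begins outside that hunk, and the pre-existing nested-key branch there (`[key_transforms] + params`) has the same shape.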

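--- a/PATH-NOT-SHOWN-jsonb-fields
+++ b/PATH-NOT-SHOWN-jsonb-fields
@@ -104,12 +104,10 @@ def as_sql(self, compiler, connection):
         if len(key_transforms) > 1:
             return "(%s %s %%s)" % (lhs, self.nested_operator), [key_transforms] + params
         try:
-            int(self.key_name)
+            lookup = int(self.key_name)
         except ValueError:
-            lookup = "'%s'" % self.key_name
-        else:
-            lookup = "%s" % self.key_name
-        return "(%s %s %s)" % (lhs, self.operator, lookup), params
+            lookup = self.key_name
+        return '(%s %s %%s)' % (lhs, self.operator), [lookup] + params
 
 
 class KeyTextTransform(KeyTransform):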

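--- a/PATH-NOT-SHOWN-release-notes
+++ b/PATH-NOT-SHOWN-release-notes
@@ -36,3 +36,12 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
+
+CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
+====================================================================================================
+
+:lookup:`Key and index lookups <jsonfield.key>` for
+:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
+<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
+were subject to SQL injection, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.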

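--- a/PATH-NOT-SHOWN-hstore-tests
+++ b/PATH-NOT-SHOWN-hstore-tests
@@ -4,8 +4,9 @@
 import json
 
 from django.core import exceptions, serializers
+from django.db import connection
 from django.forms import Form
-from django.test.utils import modify_settings
+from django.test.utils import CaptureQueriesContext, modify_settings
 
 from . import PostgreSQLTestCase
 from .models import HStoreModel
@@ -167,6 +168,18 @@ def test_usage_in_subquery(self):
             self.objs[:2]
         )
 
+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                HStoreModel.objects.filter(**{
+                    "field__test' = 'a') OR 1 = 1 OR ('d": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' """,
+            queries[0]['sql'],
+        )
+
 
 class TestSerialization(HStoreTestCase):
     test_data = ('[{"fields": {"field": "{\\"a\\": \\"b\\"}"}, '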
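Review bot: `test_key_sql_injection` gives no hint why its key contains a quote and `OR 1 = 1`; a one-line docstring such as `"""Regression test for CVE-2019-14234: key names are bound as query parameters, never interpolated into SQL."""` would keep the intent readable for the next maintainer. Note also that the `assertFalse(...exists())` half can only detect a successful injection when the table already holds rows — the class fixture presumably creates them (`self.objs` is used at the top of the hunk), so the `assertIn` on the captured SQL is the assertion that actually pins the fix, and it is worth keeping even if the fixture changes. The same two points apply to the matching `test_key_sql_injection` in the JSONField test section below.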

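--- a/PATH-NOT-SHOWN-json-tests
+++ b/PATH-NOT-SHOWN-json-tests
@@ -6,8 +6,10 @@
 
 from django.core import exceptions, serializers
 from django.core.serializers.json import DjangoJSONEncoder
+from django.db import connection
 from django.forms import CharField, Form, widgets
 from django.test import skipUnlessDBFeature
+from django.test.utils import CaptureQueriesContext
 from django.utils.html import escape
 
 from . import PostgreSQLTestCase
@@ -263,6 +265,18 @@ def test_regex(self):
     def test_iregex(self):
         self.assertTrue(JSONModel.objects.filter(field__foo__iregex=r'^bAr$').exists())
 
+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                JSONModel.objects.filter(**{
+                    """field__test' = '"a"') OR 1 = 1 OR ('d""": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''"a"'') OR 1 = 1 OR (''d') = '"x"' """,
+            queries[0]['sql'],
+        )
+
 
 @skipUnlessDBFeature('has_jsonb_datatype')
 class TestSerialization(PostgreSQLTestCase):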
