mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-13 03:41:43 +00:00
Code Issues Projects Releases Wiki Activity
Files
07dcc9149b00714384a032d1ff9c97ee73672480
meta-openembedded/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch
Soumya Sambu 376f3a1aba python3-django: Fix CVE-2024-42005 
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key
as a passed *arg.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-42005

Upstream-patch:
f4af67b9b4

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-08-25 18:12:26 -04:00

85 lines
3.1 KiB
Diff
Raw Blame History

From f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Mon Sep 17 00:00:00 2001
From: Simon Charette <charette.s@gmail.com>
Date: Thu, 25 Jul 2024 18:19:13 +0200
Subject: [PATCH] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL
injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
CVE: CVE-2024-42005
Upstream-Status: Backport [https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28]
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
django/db/models/sql/query.py | 2 ++
tests/expressions/models.py | 7 +++++++
tests/expressions/test_queryset_values.py | 17 +++++++++++++++--
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 1e823cf..9b054bd 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2019,6 +2019,8 @@ class Query:
self.clear_select_fields()
if fields:
+ for field in fields:
+ self.check_alias(field)
field_names = []
extra_names = []
annotation_names = []
diff --git a/tests/expressions/models.py b/tests/expressions/models.py
index 33f7850..fb80938 100644
--- a/tests/expressions/models.py
+++ b/tests/expressions/models.py
@@ -97,3 +97,10 @@ class UUID(models.Model):
def __str__(self):
return "%s" % self.uuid
+
+
+class JSONFieldModel(models.Model):
+ data = models.JSONField(null=True)
+
+ class Meta:
+ required_db_features = {"supports_json_field"}
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
index 0804531..bd52b8e 100644
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@@ -1,8 +1,8 @@
from django.db.models.aggregates import Sum
from django.db.models.expressions import F
-from django.test import TestCase
+from django.test import TestCase, skipUnlessDBFeature
-from .models import Company, Employee
+from .models import Company, Employee, JSONFieldModel
class ValuesExpressionsTests(TestCase):
@@ -36,6 +36,19 @@ class ValuesExpressionsTests(TestCase):
with self.assertRaisesMessage(ValueError, msg):
Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ @skipUnlessDBFeature("supports_json_field")
+ def test_values_expression_alias_sql_injection_json_field(self):
+ crafted_alias = """injected_name" from "expressions_company"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ JSONFieldModel.objects.values(f"data__{crafted_alias}")
+
+ with self.assertRaisesMessage(ValueError, msg):
+ JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+
def test_values_expression_group_by(self):
# values() applies annotate() first, so values selected are grouped by
# id, not firstname.
--
2.40.0
Reference in New Issue View Git Blame Copy Permalink