diff options
| author | Soumya Sambu <soumya.sambu@windriver.com> | 2024-08-25 15:59:14 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-08-25 18:12:26 -0400 |
| commit | 376f3a1aba9f20e7f87005b939ec0ee5931705c1 (patch) | |
| tree | c7bb20be96b8c600036f74c11e01840c353a6879 /meta-python/recipes-devtools/python/python3-django | |
| parent | b2ad711bcfd910afc0a97cb661a2ce05a530cb39 (diff) | |
| download | meta-openembedded-376f3a1aba9f20e7f87005b939ec0ee5931705c1.tar.gz | |
python3-django: Fix CVE-2024-42005
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key
as a passed *arg.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Upstream-patch:
https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-django')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch new file mode 100644 index 0000000000..e6b58fca79 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch | |||
| @@ -0,0 +1,84 @@ | |||
| 1 | From f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Simon Charette <charette.s@gmail.com> | ||
| 3 | Date: Thu, 25 Jul 2024 18:19:13 +0200 | ||
| 4 | Subject: [PATCH] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL | ||
| 5 | injection attacks against JSON fields. | ||
| 6 | |||
| 7 | Thanks Eyal (eyalgabay) for the report. | ||
| 8 | |||
| 9 | CVE: CVE-2024-42005 | ||
| 10 | |||
| 11 | Upstream-Status: Backport [https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28] | ||
| 12 | |||
| 13 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
| 14 | --- | ||
| 15 | django/db/models/sql/query.py | 2 ++ | ||
| 16 | tests/expressions/models.py | 7 +++++++ | ||
| 17 | tests/expressions/test_queryset_values.py | 17 +++++++++++++++-- | ||
| 18 | 3 files changed, 24 insertions(+), 2 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py | ||
| 21 | index 1e823cf..9b054bd 100644 | ||
| 22 | --- a/django/db/models/sql/query.py | ||
| 23 | +++ b/django/db/models/sql/query.py | ||
| 24 | @@ -2019,6 +2019,8 @@ class Query: | ||
| 25 | self.clear_select_fields() | ||
| 26 | |||
| 27 | if fields: | ||
| 28 | + for field in fields: | ||
| 29 | + self.check_alias(field) | ||
| 30 | field_names = [] | ||
| 31 | extra_names = [] | ||
| 32 | annotation_names = [] | ||
| 33 | diff --git a/tests/expressions/models.py b/tests/expressions/models.py | ||
| 34 | index 33f7850..fb80938 100644 | ||
| 35 | --- a/tests/expressions/models.py | ||
| 36 | +++ b/tests/expressions/models.py | ||
| 37 | @@ -97,3 +97,10 @@ class UUID(models.Model): | ||
| 38 | |||
| 39 | def __str__(self): | ||
| 40 | return "%s" % self.uuid | ||
| 41 | + | ||
| 42 | + | ||
| 43 | +class JSONFieldModel(models.Model): | ||
| 44 | + data = models.JSONField(null=True) | ||
| 45 | + | ||
| 46 | + class Meta: | ||
| 47 | + required_db_features = {"supports_json_field"} | ||
| 48 | diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py | ||
| 49 | index 0804531..bd52b8e 100644 | ||
| 50 | --- a/tests/expressions/test_queryset_values.py | ||
| 51 | +++ b/tests/expressions/test_queryset_values.py | ||
| 52 | @@ -1,8 +1,8 @@ | ||
| 53 | from django.db.models.aggregates import Sum | ||
| 54 | from django.db.models.expressions import F | ||
| 55 | -from django.test import TestCase | ||
| 56 | +from django.test import TestCase, skipUnlessDBFeature | ||
| 57 | |||
| 58 | -from .models import Company, Employee | ||
| 59 | +from .models import Company, Employee, JSONFieldModel | ||
| 60 | |||
| 61 | |||
| 62 | class ValuesExpressionsTests(TestCase): | ||
| 63 | @@ -36,6 +36,19 @@ class ValuesExpressionsTests(TestCase): | ||
| 64 | with self.assertRaisesMessage(ValueError, msg): | ||
| 65 | Company.objects.values(**{crafted_alias: F("ceo__salary")}) | ||
| 66 | |||
| 67 | + @skipUnlessDBFeature("supports_json_field") | ||
| 68 | + def test_values_expression_alias_sql_injection_json_field(self): | ||
| 69 | + crafted_alias = """injected_name" from "expressions_company"; --""" | ||
| 70 | + msg = ( | ||
| 71 | + "Column aliases cannot contain whitespace characters, quotation marks, " | ||
| 72 | + "semicolons, or SQL comments." | ||
| 73 | + ) | ||
| 74 | + with self.assertRaisesMessage(ValueError, msg): | ||
| 75 | + JSONFieldModel.objects.values(f"data__{crafted_alias}") | ||
| 76 | + | ||
| 77 | + with self.assertRaisesMessage(ValueError, msg): | ||
| 78 | + JSONFieldModel.objects.values_list(f"data__{crafted_alias}") | ||
| 79 | + | ||
| 80 | def test_values_expression_group_by(self): | ||
| 81 | # values() applies annotate() first, so values selected are grouped by | ||
| 82 | # id, not firstname. | ||
| 83 | -- | ||
| 84 | 2.40.0 | ||