File CVE-2019-14234-prevent-sql-injection.patch of Package python-Django

commit a23a39a89df00ae87e077e01d25c3ae8b27c8b40
Author: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date:   Mon, 22 Jul 2019 10:45:26 +0200

    [1.8.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
    
    Thanks to Sage M. Abdullah for the report and initial patch.
    Thanks Florian Apolloner for reviews.

diff --git a/django/contrib/postgres/fields/hstore.py b/django/contrib/postgres/fields/hstore.py
index b8e47edf17..410d5a0d36 100644
--- a/django/contrib/postgres/fields/hstore.py
+++ b/django/contrib/postgres/fields/hstore.py
@@ -78,7 +78,7 @@ class KeyTransform(Transform):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return "(%s -> '%s')" % (lhs, self.key_name), params
+        return '(%s -> %%s)' % lhs, [self.key_name] + params
 
 
 class KeyTransformFactory(object):
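Review bot: The bind-parameter order on the new line 21 does not match the SQL it builds: the lhs placeholders come first in `'(%s -> %%s)' % lhs`, but `[self.key_name] + params` puts the key ahead of the lhs params, so a KeyTransform over an lhs that compiles with its own parameters (a database expression rather than a bare column, if that occurs here) would bind values in the wrong positions. `return '(%s -> %%s)' % lhs, list(params) + [self.key_name]` keeps the order consistent and also tolerates a tuple from compiler.compile(), which the list concatenation on line 21 would reject with a TypeError. The parameterization itself is the right fix for the injection; this is only about the ordering. The rest of KeyTransform lies outside the hunk.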
diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt
index 168fb9f275..cfd55be205 100644
--- a/docs/releases/1.8.19.txt
+++ b/docs/releases/1.8.19.txt
@@ -59,3 +59,12 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
+
+CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
+====================================================================================================
+
+:lookup:`Key and index lookups <jsonfield.key>` for
+:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
+<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
+were subject to SQL injection, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
diff --git a/tests/postgres_tests/test_hstore.py b/tests/postgres_tests/test_hstore.py
index 6333c82e71..9deeb67cd0 100644
--- a/tests/postgres_tests/test_hstore.py
+++ b/tests/postgres_tests/test_hstore.py
@@ -4,8 +4,10 @@ from django.contrib.postgres import forms
 from django.contrib.postgres.fields import HStoreField
 from django.contrib.postgres.validators import KeysValidator
 from django.core import exceptions, serializers
+from django.db import connection
 from django.forms import Form
 from django.test import TestCase
+from django.test.utils import CaptureQueriesContext
 
 from .models import HStoreModel
 
@@ -128,6 +130,18 @@ class TestQuerying(TestCase):
             self.objs[:2]
         )
 
+    def test_key_sql_injection(self):
+        with CaptureQueriesContext(connection) as queries:
+            self.assertFalse(
+                HStoreModel.objects.filter(**{
+                    "field__test' = 'a') OR 1 = 1 OR ('d": 'x',
+                }).exists()
+            )
+        self.assertIn(
+            """."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' """,
+            queries[0]['sql'],
+        )
+
 
 class TestSerialization(TestCase):
     test_data = ('[{"fields": {"field": "{\\"a\\": \\"b\\"}"}, '
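Review bot: test_key_sql_injection exercises only a plain column lhs, so it does not cover the parameter ordering in KeyTransform.as_sql when the lhs itself carries bind parameters; a second case that filters on an annotated expression together with the key lookup would pin that path as well. Also, `queries[0]['sql']` fails with an IndexError rather than an assertion message if no query was captured, so `self.assertEqual(len(queries), 1)` before the assertIn makes the failure mode clearer. The enclosing TestQuerying class starts outside the hunk.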