Django/django
11
0
Fork 0
Code Pull Requests Projects Releases Activity

[3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.

Browse Source 
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
This commit is contained in:
Mariusz Felisiak 2022-04-01 13:48:47 +02:00
parent 2044dac5c6
commit 9e19accb6e
6 changed files with 78 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
django/db/backends/postgresql/features.py
View File

@ -54,7 +54,6 @@ class DatabaseFeatures(BaseDatabaseFeatures):
only_supports_unbounded_with_preceding_and_following = True
supports_aggregate_filter_clause = True
supported_explain_formats = {'JSON', 'TEXT', 'XML', 'YAML'}
validates_explain_options = False # A query will error on invalid options.
supports_deferrable_unique_constraints = True
has_json_operators = True
json_key_contains_list_matching_requires_list = True

29
django/db/backends/postgresql/operations.py
View File

@ -7,6 +7,18 @@ from django.db.backends.base.operations import BaseDatabaseOperations
class DatabaseOperations(BaseDatabaseOperations):
cast_char_field_without_max_length = 'varchar'
explain_prefix = 'EXPLAIN'
explain_options = frozenset(
[
"ANALYZE",
"BUFFERS",
"COSTS",
"SETTINGS",
"SUMMARY",
"TIMING",
"VERBOSE",
"WAL",
]
)
cast_data_types = {
'AutoField': 'integer',
'BigAutoField': 'bigint',
@ -258,15 +270,20 @@ class DatabaseOperations(BaseDatabaseOperations):
return super().subtract_temporals(internal_type, lhs, rhs)
def explain_query_prefix(self, format=None, **options):
prefix = super().explain_query_prefix(format)
extra = {}
# Normalize options.
if options:
options = {
name.upper(): "true" if value else "false"
for name, value in options.items()
}
for valid_option in self.explain_options:
value = options.pop(valid_option, None)
if value is not None:
extra[valid_option.upper()] = value
prefix = super().explain_query_prefix(format, **options)
if format:
extra['FORMAT'] = format
if options:
extra.update({
name.upper(): 'true' if value else 'false'
for name, value in options.items()
})
if extra:
prefix += ' (%s)' % ', '.join('%s %s' % i for i in extra.items())
return prefix

10
django/db/models/sql/query.py
View File

@ -50,6 +50,10 @@ __all__ = ['Query', 'RawQuery']
# SQL comments are forbidden in column aliases.
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
# Inspired from
# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
EXPLAIN_OPTIONS_PATTERN = _lazy_re_compile(r"[\w\-]+")
def get_field_names_from_opts(opts):
return set(chain.from_iterable(
@ -558,6 +562,12 @@ class Query(BaseExpression):
def explain(self, using, format=None, **options):
q = self.clone()
for option_name in options:
if (
not EXPLAIN_OPTIONS_PATTERN.fullmatch(option_name) or
"--" in option_name
):
raise ValueError(f"Invalid option name: {option_name!r}.")
q.explain_query = True
q.explain_format = format
q.explain_options = options

7
docs/releases/2.2.28.txt
View File

@ -13,3 +13,10 @@ CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate(
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.
CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL
=========================================================================================
:meth:`.QuerySet.explain` method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
``**options`` argument.

7
docs/releases/3.2.13.txt
View File

@ -15,6 +15,13 @@ CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate(
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.
CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL
=========================================================================================
:meth:`.QuerySet.explain` method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
``**options`` argument.
Bugfixes
========

33
tests/queries/test_explain.py
View File

@ -34,8 +34,8 @@ class ExplainTests(TestCase):
@skipUnlessDBFeature('validates_explain_options')
def test_unknown_options(self):
with self.assertRaisesMessage(ValueError, 'Unknown options: test, test2'):
Tag.objects.all().explain(test=1, test2=1)
with self.assertRaisesMessage(ValueError, "Unknown options: TEST, TEST2"):
Tag.objects.all().explain(**{"TEST": 1, "TEST2": 1})
def test_unknown_format(self):
msg = 'DOES NOT EXIST is not a recognized format.'
@ -68,6 +68,35 @@ class ExplainTests(TestCase):
option = '{} {}'.format(name.upper(), 'true' if value else 'false')
self.assertIn(option, captured_queries[0]['sql'])
def test_option_sql_injection(self):
qs = Tag.objects.filter(name="test")
options = {"SUMMARY true) SELECT 1; --": True}
msg = "Invalid option name: 'SUMMARY true) SELECT 1; --'"
with self.assertRaisesMessage(ValueError, msg):
qs.explain(**options)
def test_invalid_option_names(self):
qs = Tag.objects.filter(name="test")
tests = [
'opt"ion',
"o'ption",
"op`tion",
"opti on",
"option--",
"optio\tn",
"o\nption",
"option;",
"你 好",
# [] are used by MSSQL.
"option[",
"option]",
]
for invalid_option in tests:
with self.subTest(invalid_option):
msg = f"Invalid option name: {invalid_option!r}"
with self.assertRaisesMessage(ValueError, msg):
qs.explain(**{invalid_option: True})
@unittest.skipUnless(connection.vendor == 'mysql', 'MySQL specific')
def test_mysql_text_to_traditional(self):
# Ensure these cached properties are initialized to prevent queries for