Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection.

Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
2025-08-08 21:08:25 +00:00 · 2022-06-22 12:44:04 +02:00 · 2022-06-22 12:44:04 +02:00 · 54eb8a374d
commit 54eb8a374d
parent 425718726b
5 changed files with 61 additions and 3 deletions
--- a/tests/db_functions/datetime/test_extract_trunc.py
+++ b/tests/db_functions/datetime/test_extract_trunc.py
@ -235,6 +235,23 @@ class DateFunctionTests(TestCase):
                self.assertEqual(qs.count(), 1)
                self.assertGreaterEqual(str(qs.query).lower().count("extract"), 2)

+    def test_extract_lookup_name_sql_injection(self):
+        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
+        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
+        if settings.USE_TZ:
+            start_datetime = timezone.make_aware(start_datetime)
+            end_datetime = timezone.make_aware(end_datetime)
+        self.create_model(start_datetime, end_datetime)
+        self.create_model(end_datetime, start_datetime)
+
+        msg = "Invalid lookup_name: "
+        with self.assertRaisesMessage(ValueError, msg):
+            DTModel.objects.filter(
+                start_datetime__year=Extract(
+                    "start_datetime", "day' FROM start_datetime)) OR 1=1;--"
+                )
+            ).exists()
+
    def test_extract_func(self):
        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
@ -915,6 +932,23 @@ class DateFunctionTests(TestCase):
            [obj],
        )

+    def test_trunc_lookup_name_sql_injection(self):
+        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
+        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
+        if settings.USE_TZ:
+            start_datetime = timezone.make_aware(start_datetime)
+            end_datetime = timezone.make_aware(end_datetime)
+        self.create_model(start_datetime, end_datetime)
+        self.create_model(end_datetime, start_datetime)
+        msg = "Invalid kind: "
+        with self.assertRaisesMessage(ValueError, msg):
+            DTModel.objects.filter(
+                start_datetime__date=Trunc(
+                    "start_datetime",
+                    "year', start_datetime)) OR 1=1;--",
+                )
+            ).exists()
+
    def test_trunc_func(self):
        start_datetime = datetime(999, 6, 15, 14, 30, 50, 321)
        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)