
Escaping of JSON attributes and CVE-2024-42005


Ole Laursen

Aug 28, 2024, 9:36:43 AM
to Django developers (Contributions to Django itself)
Hi!

Regarding the .values() problem with JSON fields, has anyone as of yet thought about how escaping of attribute names in JSON fields is supposed to work?

We are using a JSON field to store user-defined extension fields. So say the user wants a "foo" text field. Then we'd store:

  o.data = {}
  o.data['foo'] = "Some text"

Then later, we can do SomeModel.objects.filter(data__foo__icontains="some") or SomeModel.objects.values_list('data__foo').

But in reality, since this is user defined, 'foo' above comes from a variable so the filter() has to be done with **{'data__' + field_name + '__icontains': "some"}. And then what happens when the user wants a field called "Foo the Bar"? Or "__init__"?

I haven't found a way to escape the field names in the documentation. Perhaps I'm not looking in the right place? It seems to me that we need something like JSONPath('data__', field_name) that hooks into the JSONField infrastructure.

Just to be clear, we have this in production in a fairly large system, and solved the escape problem by constraining the field names from containing __ and some other things. But not spaces, so we were bitten by the new runtime check on .values().


Ole

charettes

Aug 30, 2024, 6:17:06 PM
to Django developers (Contributions to Django itself)
Hello Ole, this was discussed during the security enforcement patch design but wasn't part of the public announcement unfortunately.

The solution is to alias a KT[0] expression and then filter against it.

In your particular example that would be

from django.db.models import KT

SomeModel.objects.alias(
    some_valid_alias=KT(f"data__{field_name}")
).filter(some_valid_alias__icontains="some")

Note that the above will break if `field_name` contains `__` so you might want to consider using `KeyTextTransform`[1] directly.

Given the above works as we expected and we intended it to be the escape hatch we should likely document it in the release notes.

Please file a ticket[2] if you believe this is worthy of doing.

Cheers,
Simon
