diff options
author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 08:10:22 +0200 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:33 +0200 |
commit | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch) | |
tree | e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/aggregation | |
parent | 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff) | |
download | django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz |
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Diffstat (limited to 'tests/aggregation')
-rw-r--r-- | tests/aggregation/tests.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py index 3922478bf3..61da0ebfe7 100644 --- a/tests/aggregation/tests.py +++ b/tests/aggregation/tests.py @@ -2048,6 +2048,15 @@ class AggregateTestCase(TestCase): ) self.assertEqual(len(qs), 6) + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "aggregation_author"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Author.objects.aggregate(**{crafted_alias: Avg("age")}) + def test_exists_extra_where_with_aggregate(self): qs = Book.objects.annotate( count=Count("id"), |