Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-04-01 08:10:22 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-04-11 08:59:33 +0200
commit: 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch)
tree: e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/aggregation
parent: 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff)
download: django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
index 3922478bf3..61da0ebfe7 100644
--- a/tests/aggregation/tests.py
+++ b/tests/aggregation/tests.py
@@ -2048,6 +2048,15 @@ class AggregateTestCase(TestCase):
         )
         self.assertEqual(len(qs), 6)
 
+    def test_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "aggregation_author"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Author.objects.aggregate(**{crafted_alias: Avg("age")})
+
     def test_exists_extra_where_with_aggregate(self):
         qs = Book.objects.annotate(
             count=Count("id"),
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-04-01 08:10:22 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-04-11 08:59:33 +0200
commit	93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch)
tree	e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/aggregation
parent	62739b6e2630e37faa68a86a59fad135cc788cd7 (diff)
download	django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz