diff options
author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 08:10:22 +0200 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:33 +0200 |
commit | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch) | |
tree | e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/annotations | |
parent | 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff) | |
download | django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz |
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Diffstat (limited to 'tests/annotations')
-rw-r--r-- | tests/annotations/tests.py | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index 5106a377ac..52a268c4ae 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -1076,6 +1076,40 @@ class NonAggregateAnnotationTestCase(TestCase): ], ) + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + + def test_alias_forbidden_chars(self): + tests = [ + 'al"ias', + "a'lias", + "ali`as", + "alia s", + "alias\t", + "ali\nas", + "alias--", + "ali/*as", + "alias*/", + "alias;", + # [] are used by MSSQL. + "alias[", + "alias]", + ] + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + for crafted_alias in tests: + with self.subTest(crafted_alias): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + class AliasTests(TestCase): @classmethod @@ -1339,3 +1373,12 @@ class AliasTests(TestCase): with self.subTest(operation=operation): with self.assertRaisesMessage(FieldError, msg): getattr(qs, operation)("rating_alias") + + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) |