diff options
author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 08:10:22 +0200 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:33 +0200 |
commit | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch) | |
tree | e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/expressions | |
parent | 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff) | |
download | django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz |
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Diffstat (limited to 'tests/expressions')
-rw-r--r-- | tests/expressions/test_queryset_values.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py index 147f02fffb..0dba623167 100644 --- a/tests/expressions/test_queryset_values.py +++ b/tests/expressions/test_queryset_values.py @@ -34,6 +34,15 @@ class ValuesExpressionsTests(TestCase): [{"salary": 10}, {"salary": 20}, {"salary": 30}], ) + def test_values_expression_alias_sql_injection(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Company.objects.values(**{crafted_alias: F("ceo__salary")}) + def test_values_expression_group_by(self): # values() applies annotate() first, so values selected are grouped by # id, not firstname. |