Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-04-01 08:10:22 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-04-11 08:59:33 +0200
commit: 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch)
tree: e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/queries
parent: 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff)
download: django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/queries/tests.py b/tests/queries/tests.py
index f9d2ebf98f..7b70a5ae0a 100644
--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
@@ -1898,6 +1898,15 @@ class Queries5Tests(TestCase):
             Note.objects.extra(select={"foo": "'bar %%s'"})[0].foo, "bar %s"
         )
 
+    def test_extra_select_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "queries_note"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Note.objects.extra(select={crafted_alias: "1"})
+
     def test_queryset_reuse(self):
         # Using querysets doesn't mutate aliases.
         authors = Author.objects.filter(Q(name="a1") | Q(name="nonexistent"))
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-04-01 08:10:22 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-04-11 08:59:33 +0200
commit	93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch)
tree	e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/queries
parent	62739b6e2630e37faa68a86a59fad135cc788cd7 (diff)
download	django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz