diff options
author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 08:10:22 +0200 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:33 +0200 |
commit | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch) | |
tree | e5ea1e69aa37a0ce632480095229fe5afaa47b2f /tests/queries | |
parent | 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff) | |
download | django-93cae5cb2f9a4ef1514cf1a41f714fef08005200.tar.gz |
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Diffstat (limited to 'tests/queries')
-rw-r--r-- | tests/queries/tests.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/queries/tests.py b/tests/queries/tests.py index f9d2ebf98f..7b70a5ae0a 100644 --- a/tests/queries/tests.py +++ b/tests/queries/tests.py @@ -1898,6 +1898,15 @@ class Queries5Tests(TestCase): Note.objects.extra(select={"foo": "'bar %%s'"})[0].foo, "bar %s" ) + def test_extra_select_alias_sql_injection(self): + crafted_alias = """injected_name" from "queries_note"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Note.objects.extra(select={crafted_alias: "1"}) + def test_queryset_reuse(self): # Using querysets doesn't mutate aliases. authors = Author.objects.filter(Q(name="a1") | Q(name="nonexistent")) |