+108
-0
lines changedFilter options
+108
-0
lines changed Original file line number Diff line number Diff line change
@@ -40,10 +40,15 @@
40 40
from django.db.models.sql.datastructures import BaseTable, Empty, Join, MultiJoin
41 41
from django.db.models.sql.where import AND, OR, ExtraWhere, NothingNode, WhereNode
42 42
from django.utils.functional import cached_property
43 +
from django.utils.regex_helper import _lazy_re_compile
43 44
from django.utils.tree import Node
44 45 45 46
__all__ = ["Query", "RawQuery"]
46 47 48 +
# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
49 +
# SQL comments are forbidden in column aliases.
50 +
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
51 + 47 52 48 53
def get_field_names_from_opts(opts):
49 54
return set(
@@ -1077,8 +1082,16 @@ def join_parent_model(self, opts, model, alias, seen):
1077 1082
alias = seen[int_model] = join_info.joins[-1]
1078 1083
return alias or seen[None]
1079 1084 1085 +
def check_alias(self, alias):
1086 +
if FORBIDDEN_ALIAS_PATTERN.search(alias):
1087 +
raise ValueError(
1088 +
"Column aliases cannot contain whitespace characters, quotation marks, "
1089 +
"semicolons, or SQL comments."
1090 +
)
1091 + 1080 1092
def add_annotation(self, annotation, alias, is_summary=False, select=True):
1081 1093
"""Add a single annotation expression to the Query."""
1094 +
self.check_alias(alias)
1082 1095
annotation = annotation.resolve_expression(
1083 1096
self, allow_joins=True, reuse=None, summarize=is_summary
1084 1097
)
@@ -2234,6 +2247,7 @@ def add_extra(self, select, select_params, where, params, tables, order_by):
2234 2247
else:
2235 2248
param_iter = iter([])
2236 2249
for name, entry in select.items():
2250 +
self.check_alias(name)
2237 2251
entry = str(entry)
2238 2252
entry_params = []
2239 2253
pos = entry.find("%s")
@@ -5,3 +5,11 @@ Django 2.2.28 release notes
5 5
*April 11, 2022*
6 6 7 7
Django 2.2.28 fixes two security issues with severity "high" in 2.2.27.
8 + 9 +
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
10 +
====================================================================================================
11 + 12 +
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
13 +
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
14 +
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
15 +
``**kwargs`` passed to these methods.
Original file line number Diff line number Diff line change
@@ -7,6 +7,14 @@ Django 3.2.13 release notes
7 7
Django 3.2.13 fixes two security issues with severity "high" in
8 8
3.2.12 and a regression in 3.2.4.
9 9 10 +
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
11 +
====================================================================================================
12 + 13 +
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
14 +
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
15 +
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
16 +
``**kwargs`` passed to these methods.
17 + 10 18
Bugfixes
11 19
========
12 20
@@ -7,6 +7,14 @@ Django 4.0.4 release notes
7 7
Django 4.0.4 fixes two security issues with severity "high" and two bugs in
8 8
4.0.3.
9 9 10 +
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
11 +
====================================================================================================
12 + 13 +
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
14 +
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
15 +
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
16 +
``**kwargs`` passed to these methods.
17 + 10 18
Bugfixes
11 19
========
12 20
@@ -2029,6 +2029,15 @@ def test_exists_none_with_aggregate(self):
2029 2029
)
2030 2030
self.assertEqual(len(qs), 6)
2031 2031 2032 +
def test_alias_sql_injection(self):
2033 +
crafted_alias = """injected_name" from "aggregation_author"; --"""
2034 +
msg = (
2035 +
"Column aliases cannot contain whitespace characters, quotation marks, "
2036 +
"semicolons, or SQL comments."
2037 +
)
2038 +
with self.assertRaisesMessage(ValueError, msg):
2039 +
Author.objects.aggregate(**{crafted_alias: Avg("age")})
2040 + 2032 2041
def test_exists_extra_where_with_aggregate(self):
2033 2042
qs = Book.objects.all().annotate(
2034 2043
count=Count("id"),
@@ -1055,6 +1055,40 @@ def test_annotation_aggregate_with_m2o(self):
1055 1055
],
1056 1056
)
1057 1057 1058 +
def test_alias_sql_injection(self):
1059 +
crafted_alias = """injected_name" from "annotations_book"; --"""
1060 +
msg = (
1061 +
"Column aliases cannot contain whitespace characters, quotation marks, "
1062 +
"semicolons, or SQL comments."
1063 +
)
1064 +
with self.assertRaisesMessage(ValueError, msg):
1065 +
Book.objects.annotate(**{crafted_alias: Value(1)})
1066 + 1067 +
def test_alias_forbidden_chars(self):
1068 +
tests = [
1069 +
'al"ias',
1070 +
"a'lias",
1071 +
"ali`as",
1072 +
"alia s",
1073 +
"alias\t",
1074 +
"ali\nas",
1075 +
"alias--",
1076 +
"ali/*as",
1077 +
"alias*/",
1078 +
"alias;",
1079 +
# [] are used by MSSQL.
1080 +
"alias[",
1081 +
"alias]",
1082 +
]
1083 +
msg = (
1084 +
"Column aliases cannot contain whitespace characters, quotation marks, "
1085 +
"semicolons, or SQL comments."
1086 +
)
1087 +
for crafted_alias in tests:
1088 +
with self.subTest(crafted_alias):
1089 +
with self.assertRaisesMessage(ValueError, msg):
1090 +
Book.objects.annotate(**{crafted_alias: Value(1)})
1091 + 1058 1092 1059 1093
class AliasTests(TestCase):
1060 1094
@classmethod
@@ -1318,3 +1352,12 @@ def test_values_alias(self):
1318 1352
with self.subTest(operation=operation):
1319 1353
with self.assertRaisesMessage(FieldError, msg):
1320 1354
getattr(qs, operation)("rating_alias")
1355 + 1356 +
def test_alias_sql_injection(self):
1357 +
crafted_alias = """injected_name" from "annotations_book"; --"""
1358 +
msg = (
1359 +
"Column aliases cannot contain whitespace characters, quotation marks, "
1360 +
"semicolons, or SQL comments."
1361 +
)
1362 +
with self.assertRaisesMessage(ValueError, msg):
1363 +
Book.objects.alias(**{crafted_alias: Value(1)})
Original file line number Diff line number Diff line change
@@ -34,6 +34,15 @@ def test_values_expression(self):
34 34
[{"salary": 10}, {"salary": 20}, {"salary": 30}],
35 35
)
36 36 37 +
def test_values_expression_alias_sql_injection(self):
38 +
crafted_alias = """injected_name" from "expressions_company"; --"""
39 +
msg = (
40 +
"Column aliases cannot contain whitespace characters, quotation marks, "
41 +
"semicolons, or SQL comments."
42 +
)
43 +
with self.assertRaisesMessage(ValueError, msg):
44 +
Company.objects.values(**{crafted_alias: F("ceo__salary")})
45 + 37 46
def test_values_expression_group_by(self):
38 47
# values() applies annotate() first, so values selected are grouped by
39 48
# id, not firstname.
@@ -1892,6 +1892,15 @@ def test_extra_select_literal_percent_s(self):
1892 1892
Note.objects.extra(select={"foo": "'bar %%s'"})[0].foo, "bar %s"
1893 1893
)
1894 1894 1895 +
def test_extra_select_alias_sql_injection(self):
1896 +
crafted_alias = """injected_name" from "queries_note"; --"""
1897 +
msg = (
1898 +
"Column aliases cannot contain whitespace characters, quotation marks, "
1899 +
"semicolons, or SQL comments."
1900 +
)
1901 +
with self.assertRaisesMessage(ValueError, msg):
1902 +
Note.objects.extra(select={crafted_alias: "1"})
1903 + 1895 1904
def test_queryset_reuse(self):
1896 1905
# Using querysets doesn't mutate aliases.
1897 1906
authors = Author.objects.filter(Q(name="a1") | Q(name="nonexistent"))
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4