forked from pool/python-Django
174 lines
8.3 KiB
Diff
174 lines
8.3 KiB
Diff
From b4d3036c04ae71d611edecf5cfc7d4e5b5927f81 Mon Sep 17 00:00:00 2001
|
|
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
Date: Wed, 10 Sep 2025 09:53:52 +0200
|
|
Subject: [PATCH 1/2] [5.2.x] Fixed CVE-2025-59681 -- Protected
|
|
QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection
|
|
in column aliases on MySQL/MariaDB.
|
|
|
|
Thanks sw0rd1ight for the report.
|
|
|
|
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
|
|
---
|
|
django/db/models/sql/query.py | 8 ++++----
|
|
docs/releases/4.2.25.txt | 9 ++++++++-
|
|
docs/releases/5.1.13.txt | 9 ++++++++-
|
|
docs/releases/5.2.7.txt | 9 +++++++++
|
|
tests/aggregation/tests.py | 4 ++--
|
|
tests/annotations/tests.py | 23 ++++++++++++-----------
|
|
tests/expressions/test_queryset_values.py | 8 ++++----
|
|
tests/queries/tests.py | 4 ++--
|
|
8 files changed, 49 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
|
|
index 5247616086..3a1cd73951 100644
|
|
--- a/django/db/models/sql/query.py
|
|
+++ b/django/db/models/sql/query.py
|
|
@@ -48,9 +48,9 @@ from django.utils.tree import Node
|
|
|
|
__all__ = ["Query", "RawQuery"]
|
|
|
|
-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
|
|
+# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
|
|
# SQL comments are forbidden in column aliases.
|
|
-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
|
|
+FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
|
|
|
|
# Inspired from
|
|
# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
|
|
@@ -1208,8 +1208,8 @@ class Query(BaseExpression):
|
|
def check_alias(self, alias):
|
|
if FORBIDDEN_ALIAS_PATTERN.search(alias):
|
|
raise ValueError(
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, "
|
|
+ "quotation marks, semicolons, or SQL comments."
|
|
)
|
|
|
|
def add_annotation(self, annotation, alias, select=True):
|
|
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
|
|
index bf44c4d25f..2e41f19947 100644
|
|
--- a/tests/aggregation/tests.py
|
|
+++ b/tests/aggregation/tests.py
|
|
@@ -2136,8 +2136,8 @@ class AggregateTestCase(TestCase):
|
|
def test_alias_sql_injection(self):
|
|
crafted_alias = """injected_name" from "aggregation_author"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Author.objects.aggregate(**{crafted_alias: Avg("age")})
|
|
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
|
|
index 060d6324c7..7a12121224 100644
|
|
--- a/tests/annotations/tests.py
|
|
+++ b/tests/annotations/tests.py
|
|
@@ -1159,8 +1159,8 @@ class NonAggregateAnnotationTestCase(TestCase):
|
|
def test_alias_sql_injection(self):
|
|
crafted_alias = """injected_name" from "annotations_book"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Book.objects.annotate(**{crafted_alias: Value(1)})
|
|
@@ -1168,8 +1168,8 @@ class NonAggregateAnnotationTestCase(TestCase):
|
|
def test_alias_filtered_relation_sql_injection(self):
|
|
crafted_alias = """injected_name" from "annotations_book"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
|
|
@@ -1186,13 +1186,14 @@ class NonAggregateAnnotationTestCase(TestCase):
|
|
"ali/*as",
|
|
"alias*/",
|
|
"alias;",
|
|
- # [] are used by MSSQL.
|
|
+ # [] and # are used by MSSQL.
|
|
"alias[",
|
|
"alias]",
|
|
+ "ali#as",
|
|
]
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
for crafted_alias in tests:
|
|
with self.subTest(crafted_alias):
|
|
@@ -1492,8 +1493,8 @@ class AliasTests(TestCase):
|
|
def test_alias_sql_injection(self):
|
|
crafted_alias = """injected_name" from "annotations_book"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Book.objects.alias(**{crafted_alias: Value(1)})
|
|
@@ -1501,8 +1502,8 @@ class AliasTests(TestCase):
|
|
def test_alias_filtered_relation_sql_injection(self):
|
|
crafted_alias = """injected_name" from "annotations_book"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
|
|
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
|
|
index 47bd1358de..080ee06183 100644
|
|
--- a/tests/expressions/test_queryset_values.py
|
|
+++ b/tests/expressions/test_queryset_values.py
|
|
@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
|
|
def test_values_expression_alias_sql_injection(self):
|
|
crafted_alias = """injected_name" from "expressions_company"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Company.objects.values(**{crafted_alias: F("ceo__salary")})
|
|
@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
|
|
def test_values_expression_alias_sql_injection_json_field(self):
|
|
crafted_alias = """injected_name" from "expressions_company"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
JSONFieldModel.objects.values(f"data__{crafted_alias}")
|
|
diff --git a/tests/queries/tests.py b/tests/queries/tests.py
|
|
index 38b0a5ddfa..ffaabf48a0 100644
|
|
--- a/tests/queries/tests.py
|
|
+++ b/tests/queries/tests.py
|
|
@@ -1961,8 +1961,8 @@ class Queries5Tests(TestCase):
|
|
def test_extra_select_alias_sql_injection(self):
|
|
crafted_alias = """injected_name" from "queries_note"; --"""
|
|
msg = (
|
|
- "Column aliases cannot contain whitespace characters, quotation marks, "
|
|
- "semicolons, or SQL comments."
|
|
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
|
|
+ "marks, semicolons, or SQL comments."
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Note.objects.extra(select={crafted_alias: "1"})
|
|
--
|
|
2.39.5 (Apple Git-154)
|
|
|