diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2025-09-10 09:53:52 +0200 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-10-01 08:11:45 -0400 |
| commit | 41b43c74bda19753c757036673ea9db74acf494a (patch) | |
| tree | a5c7c19d5c4e952afaea9e62ef71e803c58589b0 | |
| parent | 6c82b0bc91fc650891b0b411ac4a5a86cf0cf3e8 (diff) | |
Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
| -rw-r--r-- | django/db/models/sql/query.py | 17 | ||||
| -rw-r--r-- | docs/releases/4.2.25.txt | 9 | ||||
| -rw-r--r-- | docs/releases/5.1.13.txt | 9 | ||||
| -rw-r--r-- | docs/releases/5.2.7.txt | 9 | ||||
| -rw-r--r-- | tests/aggregation/tests.py | 4 | ||||
| -rw-r--r-- | tests/annotations/tests.py | 43 | ||||
| -rw-r--r-- | tests/expressions/test_queryset_values.py | 8 | ||||
| -rw-r--r-- | tests/queries/tests.py | 4 |
8 files changed, 64 insertions, 39 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 39ecab2e91..84950d4ec0 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -51,12 +51,12 @@ from django.utils.tree import Node __all__ = ["Query", "RawQuery"] # RemovedInDjango70Warning: When the deprecation ends, replace with: -# Quotation marks ('"`[]), whitespace characters, semicolons, percent signs -# or inline SQL comments are forbidden in column aliases. -# FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|%|--|/\*|\*/") -# Quotation marks ('"`[]), whitespace characters, semicolons, or inline +# Quotation marks ('"`[]), whitespace characters, semicolons, percent signs, +# hashes, or inline SQL comments are forbidden in column aliases. +# FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|%|#|--|/\*|\*/") +# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline # SQL comments are forbidden in column aliases. -FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") +FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") # Inspired from # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS @@ -1222,11 +1222,12 @@ class Query(BaseExpression): ) if FORBIDDEN_ALIAS_PATTERN.search(alias): raise ValueError( - "Column aliases cannot contain whitespace characters, quotation marks, " + "Column aliases cannot contain whitespace characters, hashes, " # RemovedInDjango70Warning: When the deprecation ends, replace # with: - # "semicolons, percent signs, or SQL comments." - "semicolons, or SQL comments." + # "quotation marks, semicolons, percent signs, or SQL " + # "comments." + "quotation marks, semicolons, or SQL comments." ) def add_annotation(self, annotation, alias, select=True): diff --git a/docs/releases/4.2.25.txt b/docs/releases/4.2.25.txt index 69f238c3c1..5412777055 100644 --- a/docs/releases/4.2.25.txt +++ b/docs/releases/4.2.25.txt @@ -7,4 +7,11 @@ Django 4.2.25 release notes Django 4.2.25 fixes one security issue with severity "high" and one security issue with severity "low" in 4.2.24. -... +CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB +====================================================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`, +:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject +to SQL injection in column aliases, using a suitably crafted dictionary, with +dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to +:cve:`2022-28346`). diff --git a/docs/releases/5.1.13.txt b/docs/releases/5.1.13.txt index a181694be2..96b81c0102 100644 --- a/docs/releases/5.1.13.txt +++ b/docs/releases/5.1.13.txt @@ -7,4 +7,11 @@ Django 5.1.13 release notes Django 5.1.13 fixes one security issue with severity "high" and one security issue with severity "low" in 5.1.12. -... +CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB +====================================================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`, +:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject +to SQL injection in column aliases, using a suitably crafted dictionary, with +dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to +:cve:`2022-28346`). diff --git a/docs/releases/5.2.7.txt b/docs/releases/5.2.7.txt index 11dcff6c7c..05d03a991e 100644 --- a/docs/releases/5.2.7.txt +++ b/docs/releases/5.2.7.txt @@ -8,6 +8,15 @@ Django 5.2.7 fixes one security issue with severity "high", one security issue with severity "low", and one bug in 5.2.6. Also, the latest string translations from Transifex are incorporated. +CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB +====================================================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`, +:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject +to SQL injection in column aliases, using a suitably crafted dictionary, with +dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to +:cve:`2022-28346`). + Bugfixes ======== diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py index bd33a532b3..f2ec4bd343 100644 --- a/tests/aggregation/tests.py +++ b/tests/aggregation/tests.py @@ -2244,8 +2244,8 @@ class AggregateTestCase(TestCase): def test_alias_sql_injection(self): crafted_alias = """injected_name" from "aggregation_author"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Author.objects.aggregate(**{crafted_alias: Avg("age")}) diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index cf1eebf8d7..a114480d48 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -1161,12 +1161,12 @@ class NonAggregateAnnotationTestCase(TestCase): crafted_alias = """injected_name" from "annotations_book"; --""" # RemovedInDjango70Warning: When the deprecation ends, replace with: # msg = ( - # "Column aliases cannot contain whitespace characters, quotation " - # "marks, semicolons, percent signs, or SQL comments." + # "Column aliases cannot contain whitespace characters, hashes, " + # "quotation marks, semicolons, percent signs, or SQL comments." # ) msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) @@ -1175,12 +1175,12 @@ class NonAggregateAnnotationTestCase(TestCase): crafted_alias = """injected_name" from "annotations_book"; --""" # RemovedInDjango70Warning: When the deprecation ends, replace with: # msg = ( - # "Column aliases cannot contain whitespace characters, quotation " - # "marks, semicolons, percent signs, or SQL comments." + # "Column aliases cannot contain whitespace characters, hashes, " + # "quotation marks, semicolons, percent signs, or SQL comments." # ) msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) @@ -1199,18 +1199,19 @@ class NonAggregateAnnotationTestCase(TestCase): "alias;", # RemovedInDjango70Warning: When the deprecation ends, add this: # "alias%", - # [] are used by MSSQL. + # [] and # are used by MSSQL. "alias[", "alias]", + "ali#as", ] # RemovedInDjango70Warning: When the deprecation ends, replace with: # msg = ( - # "Column aliases cannot contain whitespace characters, quotation " - # "marks, semicolons, percent signs, or SQL comments." + # "Column aliases cannot contain whitespace characters, hashes, " + # "quotation marks, semicolons, percent signs, or SQL comments." # ) msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) for crafted_alias in tests: with self.subTest(crafted_alias): @@ -1516,12 +1517,12 @@ class AliasTests(TestCase): crafted_alias = """injected_name" from "annotations_book"; --""" # RemovedInDjango70Warning: When the deprecation ends, replace with: # msg = ( - # "Column aliases cannot contain whitespace characters, quotation " - # "marks, semicolons, percent signs, or SQL comments." + # "Column aliases cannot contain whitespace characters, hashes, " + # "quotation marks, semicolons, percent signs, or SQL comments." # ) msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: Value(1)}) @@ -1530,12 +1531,12 @@ class AliasTests(TestCase): crafted_alias = """injected_name" from "annotations_book"; --""" # RemovedInDjango70Warning: When the deprecation ends, replace with: # msg = ( - # "Column aliases cannot contain whitespace characters, quotation " - # "marks, semicolons, percent signs, or SQL comments." + # "Column aliases cannot contain whitespace characters, hashes, " + # "quotation marks, semicolons, percent signs, or SQL comments." # ) msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py index 70e9166655..24f22e8187 100644 --- a/tests/expressions/test_queryset_values.py +++ b/tests/expressions/test_queryset_values.py @@ -44,8 +44,8 @@ class ValuesExpressionsTests(TestCase): def test_values_expression_alias_sql_injection(self): crafted_alias = """injected_name" from "expressions_company"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Company.objects.values(**{crafted_alias: F("ceo__salary")}) @@ -54,8 +54,8 @@ class ValuesExpressionsTests(TestCase): def test_values_expression_alias_sql_injection_json_field(self): crafted_alias = """injected_name" from "expressions_company"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): JSONFieldModel.objects.values(f"data__{crafted_alias}") diff --git a/tests/queries/tests.py b/tests/queries/tests.py index 4158a9a596..4ee4572719 100644 --- a/tests/queries/tests.py +++ b/tests/queries/tests.py @@ -1967,8 +1967,8 @@ class Queries5Tests(TestCase): def test_extra_select_alias_sql_injection(self): crafted_alias = """injected_name" from "queries_note"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Note.objects.extra(select={crafted_alias: "1"}) |