authorJake Howard <git@theorangeone.net>2026-01-21 11:14:48 +0000
committerJacob Walls <jacobtylerwalls@gmail.com>2026-02-03 07:55:04 -0500
commite891a84c7ef9962bfcc3b4685690219542f86a22 (patch)
tree15e63282d7b0470f3e31b91c5ecb87a238f508a2 /tests/queries
parenta33540b3e20b5d759aa8b2e4b9ca0e8edd285344 (diff)
Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.
Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
Diffstat (limited to 'tests/queries')
-rw-r--r--tests/queries/tests.py16
1 files changed, 11 insertions, 5 deletions
diff --git a/tests/queries/tests.py b/tests/queries/tests.py
index 51d1915c97..74929e4944 100644
--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
@@ -2,6 +2,7 @@ import datetime
import pickle
import sys
import unittest
+from itertools import chain
from operator import attrgetter
from django.core.exceptions import EmptyResultSet, FieldError, FullResultSet
@@ -1965,13 +1966,18 @@ class Queries5Tests(TestCase):
)
def test_extra_select_alias_sql_injection(self):
- crafted_alias = """injected_name" from "queries_note"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, hashes, quotation "
- "marks, semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes, "
+ "control characters, quotation marks, semicolons, or SQL comments."
)
- with self.assertRaisesMessage(ValueError, msg):
- Note.objects.extra(select={crafted_alias: "1"})
+ for crafted_alias in [
+ """injected_name" from "queries_note"; --""",
+ # Control characters.
+ *(f"name{chr(c)}" for c in chain(range(32), range(0x7F, 0xA0))),
+ ]:
+ with self.subTest(crafted_alias):
+ with self.assertRaisesMessage(ValueError, msg):
+ Note.objects.extra(select={crafted_alias: "1"})
def test_queryset_reuse(self):
# Using querysets doesn't mutate aliases.
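Review bot: The subtest label on the `with self.subTest(crafted_alias):` line passes the alias positionally as the message, so on a failure the raw control character (NUL, ESC, a C1 byte, ...) is written into the test report unescaped, which can corrupt the terminal output and hides which code point failed. Passing it as a keyword, `with self.subTest(crafted_alias=crafted_alias):`, makes unittest render the parameter with repr(), e.g. `(crafted_alias='name\x1b')`, so the failing case is readable. The test exercises only extra(), while the commit message lists annotate(), aggregate(), values(), values_list() and alias() as affected; the diffstat is limited to tests/queries, so those are presumably covered elsewhere in the change, but it is worth a cross-check rather than a change here. test_extra_select_alias_sql_injection lies fully within the hunk; the enclosing class Queries5Tests starts outside it.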