diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 08:10:22 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:33 +0200 |
| commit | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (patch) | |
| tree | e5ea1e69aa37a0ce632480095229fe5afaa47b2f /django/db/models/sql/query.py | |
| parent | 62739b6e2630e37faa68a86a59fad135cc788cd7 (diff) | |
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Diffstat (limited to 'django/db/models/sql/query.py')
| -rw-r--r-- | django/db/models/sql/query.py | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index c07a4b342a..894aa7db4a 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -40,10 +40,15 @@ from django.db.models.sql.constants import INNER, LOUTER, ORDER_DIR, SINGLE from django.db.models.sql.datastructures import BaseTable, Empty, Join, MultiJoin from django.db.models.sql.where import AND, OR, ExtraWhere, NothingNode, WhereNode from django.utils.functional import cached_property +from django.utils.regex_helper import _lazy_re_compile from django.utils.tree import Node __all__ = ["Query", "RawQuery"] +# Quotation marks ('"`[]), whitespace characters, semicolons, or inline +# SQL comments are forbidden in column aliases. +FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") + def get_field_names_from_opts(opts): if opts is None: @@ -1091,8 +1096,16 @@ class Query(BaseExpression): alias = seen[int_model] = join_info.joins[-1] return alias or seen[None] + def check_alias(self, alias): + if FORBIDDEN_ALIAS_PATTERN.search(alias): + raise ValueError( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + def add_annotation(self, annotation, alias, is_summary=False, select=True): """Add a single annotation expression to the Query.""" + self.check_alias(alias) annotation = annotation.resolve_expression( self, allow_joins=True, reuse=None, summarize=is_summary ) @@ -2269,6 +2282,7 @@ class Query(BaseExpression): else: param_iter = iter([]) for name, entry in select.items(): + self.check_alias(name) entry = str(entry) entry_params = [] pos = entry.find("%s") |