diff options
| author | Tim Graham <timograham@gmail.com> | 2025-12-03 18:06:53 -0500 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-12-04 11:37:22 -0500 |
| commit | 17d644c8e257c2ea5cc738fb7a9c47989e29bf09 (patch) | |
| tree | 8cd96b4668e5334dc11a056b3c293e8e8579df45 /django/db | |
| parent | 26b0e2bb92caf2d16cabe455792350f20d6f42ca (diff) | |
Added DatabaseFeatures.prohibits_dollar_signs_in_column_aliases.
This is also applicable on CockroachDB.
Diffstat (limited to 'django/db')
| -rw-r--r-- | django/db/backends/base/features.py | 4 | ||||
| -rw-r--r-- | django/db/backends/postgresql/compiler.py | 11 | ||||
| -rw-r--r-- | django/db/backends/postgresql/features.py | 1 | ||||
| -rw-r--r-- | django/db/models/sql/compiler.py | 8 |
4 files changed, 14 insertions, 10 deletions
diff --git a/django/db/backends/base/features.py b/django/db/backends/base/features.py index 1e957d105e..38af239cbe 100644 --- a/django/db/backends/base/features.py +++ b/django/db/backends/base/features.py @@ -415,6 +415,10 @@ class BaseDatabaseFeatures: # Does the Round() database function round to even? rounds_to_even = False + # Should dollar signs be prohibited in column aliases to prevent SQL + # injection? + prohibits_dollar_signs_in_column_aliases = False + # A set of dotted paths to tests in Django's test suite that are expected # to fail on this database. django_test_expected_failures = set() diff --git a/django/db/backends/postgresql/compiler.py b/django/db/backends/postgresql/compiler.py index 08d78e333a..48d0ccfd9d 100644 --- a/django/db/backends/postgresql/compiler.py +++ b/django/db/backends/postgresql/compiler.py @@ -1,6 +1,6 @@ from django.db.models.sql.compiler import ( # isort:skip SQLAggregateCompiler, - SQLCompiler as BaseSQLCompiler, + SQLCompiler, SQLDeleteCompiler, SQLInsertCompiler as BaseSQLInsertCompiler, SQLUpdateCompiler, @@ -25,15 +25,6 @@ class InsertUnnest(list): return "UNNEST(%s)" % ", ".join(self) -class SQLCompiler(BaseSQLCompiler): - def quote_name_unless_alias(self, name): - if "$" in name: - raise ValueError( - "Dollar signs are not permitted in column aliases on PostgreSQL." - ) - return super().quote_name_unless_alias(name) - - class SQLInsertCompiler(BaseSQLInsertCompiler): def assemble_as_sql(self, fields, value_rows): # Specialize bulk-insertion of literal values through UNNEST to diff --git a/django/db/backends/postgresql/features.py b/django/db/backends/postgresql/features.py index 5e4ed320be..30d06c95c5 100644 --- a/django/db/backends/postgresql/features.py +++ b/django/db/backends/postgresql/features.py @@ -70,6 +70,7 @@ class DatabaseFeatures(BaseDatabaseFeatures): supports_nulls_distinct_unique_constraints = True supports_no_precision_decimalfield = True can_rename_index = True + prohibits_dollar_signs_in_column_aliases = True test_collations = { "deterministic": "C", "non_default": "sv-x-icu", diff --git a/django/db/models/sql/compiler.py b/django/db/models/sql/compiler.py index 20f06ad168..9068d87a89 100644 --- a/django/db/models/sql/compiler.py +++ b/django/db/models/sql/compiler.py @@ -553,6 +553,14 @@ class SQLCompiler: for table names. This avoids problems with some SQL dialects that treat quoted strings specially (e.g. PostgreSQL). """ + if ( + self.connection.features.prohibits_dollar_signs_in_column_aliases + and "$" in name + ): + raise ValueError( + "Dollar signs are not permitted in column aliases on " + f"{self.connection.display_name}." + ) if name in self.quote_cache: return self.quote_cache[name] if ( |