diff options
| author | Jake Howard <git@theorangeone.net> | 2026-01-21 11:14:48 +0000 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 08:25:58 -0500 |
| commit | f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d (patch) | |
| tree | 66d10b9f7d41e416559b74d9b59f83d787b6cbcb /tests/aggregation/tests.py | |
| parent | b40cfc6052ced26dcd8166a58ea6f841d0d2cac8 (diff) | |
[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
Diffstat (limited to 'tests/aggregation/tests.py')
| -rw-r--r-- | tests/aggregation/tests.py | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py index 277c0507f7..abd43fc210 100644 --- a/tests/aggregation/tests.py +++ b/tests/aggregation/tests.py @@ -2,6 +2,7 @@ import datetime import math import re from decimal import Decimal +from itertools import chain from django.core.exceptions import FieldError from django.db import connection @@ -2088,13 +2089,18 @@ class AggregateTestCase(TestCase): self.assertEqual(len(qs), 6) def test_alias_sql_injection(self): - crafted_alias = """injected_name" from "aggregation_author"; --""" msg = ( - "Column aliases cannot contain whitespace characters, hashes, quotation " - "marks, semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, " + "control characters, quotation marks, semicolons, or SQL comments." ) - with self.assertRaisesMessage(ValueError, msg): - Author.objects.aggregate(**{crafted_alias: Avg("age")}) + for crafted_alias in [ + """injected_name" from "aggregation_author"; --""", + # Control characters. + *(f"name{chr(c)}" for c in chain(range(32), range(0x7F, 0xA0))), + ]: + with self.subTest(crafted_alias): + with self.assertRaisesMessage(ValueError, msg): + Author.objects.aggregate(**{crafted_alias: Avg("age")}) def test_exists_extra_where_with_aggregate(self): qs = Book.objects.annotate( |