diff options
| author | Jake Howard <git@theorangeone.net> | 2025-08-13 13:13:42 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-09-03 13:10:58 +0200 |
| commit | 51711717098d3f469f795dfa6bc3758b24f69ef7 (patch) | |
| tree | 2d977f1069bc7840eda4061a4f54367c4cc8fe98 /tests/annotations | |
| parent | d044e25dc2106b94ebdedf0bfde9238be1a3765c (diff) | |
Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Diffstat (limited to 'tests/annotations')
| -rw-r--r-- | tests/annotations/tests.py | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index 6cb59c7fe4..8091498908 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -14,6 +14,7 @@ from django.db.models import ( Exists, ExpressionWrapper, F, + FilteredRelation, FloatField, Func, IntegerField, @@ -1170,6 +1171,20 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + # RemovedInDjango70Warning: When the deprecation ends, replace with: + # msg = ( + # "Column aliases cannot contain whitespace characters, quotation " + # "marks, semicolons, percent signs, or SQL comments." + # ) + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) + def test_alias_forbidden_chars(self): tests = [ 'al"ias', @@ -1202,6 +1217,11 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate( + **{crafted_alias: FilteredRelation("authors")} + ) + def test_alias_containing_percent_sign_deprecation(self): msg = "Using percent signs in a column alias is deprecated." with self.assertRaisesMessage(RemovedInDjango70Warning, msg): @@ -1505,3 +1525,17 @@ class AliasTests(TestCase): ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: Value(1)}) + + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + # RemovedInDjango70Warning: When the deprecation ends, replace with: + # msg = ( + # "Column aliases cannot contain whitespace characters, quotation " + # "marks, semicolons, percent signs, or SQL comments." + # ) + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) |