From 2c09e68ec911919360d5f8502cefc312f9e03c5d Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Fri, 1 Apr 2022 08:10:22 +0200
Subject: [2.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(),
 aggregate(), and extra() against SQL injection in column aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
---
 django/db/models/sql/query.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'django/db/models/sql/query.py')

diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index b99f0e90ef..412e817f10 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -8,6 +8,7 @@ all about the internals of models in order to get the information it needs.
 """
 import difflib
 import functools
+import re
 from collections import Counter, OrderedDict, namedtuple
 from collections.abc import Iterator, Mapping
 from itertools import chain, count, product
@@ -40,6 +41,10 @@ from django.utils.tree import Node
 
 __all__ = ['Query', 'RawQuery']
 
+# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# SQL comments are forbidden in column aliases.
+FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+
 
 def get_field_names_from_opts(opts):
     return set(chain.from_iterable(
@@ -994,8 +999,16 @@ class Query:
             alias = seen[int_model] = join_info.joins[-1]
         return alias or seen[None]
 
+    def check_alias(self, alias):
+        if FORBIDDEN_ALIAS_PATTERN.search(alias):
+            raise ValueError(
+                "Column aliases cannot contain whitespace characters, quotation marks, "
+                "semicolons, or SQL comments."
+            )
+
     def add_annotation(self, annotation, alias, is_summary=False):
         """Add a single annotation expression to the Query."""
+        self.check_alias(alias)
         annotation = annotation.resolve_expression(self, allow_joins=True, reuse=None,
                                                    summarize=is_summary)
         self.append_annotation_mask([alias])
@@ -1873,6 +1886,7 @@ class Query:
             else:
                 param_iter = iter([])
             for name, entry in select.items():
+                self.check_alias(name)
                 entry = str(entry)
                 entry_params = []
                 pos = entry.find("%s")
-- 
cgit v1.3