From 52fbae0a4dbbe5faa59827f8f05694a0065cc135 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Wed, 10 Sep 2025 09:53:52 +0200 Subject: [5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. --- tests/aggregation/tests.py | 4 ++-- tests/annotations/tests.py | 23 ++++++++++++----------- tests/expressions/test_queryset_values.py | 8 ++++---- tests/queries/tests.py | 4 ++-- 4 files changed, 20 insertions(+), 19 deletions(-) (limited to 'tests') diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py index bf44c4d25f..2e41f19947 100644 --- a/tests/aggregation/tests.py +++ b/tests/aggregation/tests.py @@ -2136,8 +2136,8 @@ class AggregateTestCase(TestCase): def test_alias_sql_injection(self): crafted_alias = """injected_name" from "aggregation_author"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Author.objects.aggregate(**{crafted_alias: Avg("age")}) diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index 060d6324c7..7a12121224 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -1159,8 +1159,8 @@ class NonAggregateAnnotationTestCase(TestCase): def test_alias_sql_injection(self): crafted_alias = """injected_name" from "annotations_book"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) @@ -1168,8 +1168,8 @@ class NonAggregateAnnotationTestCase(TestCase): def test_alias_filtered_relation_sql_injection(self): crafted_alias = """injected_name" from "annotations_book"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) @@ -1186,13 +1186,14 @@ class NonAggregateAnnotationTestCase(TestCase): "ali/*as", "alias*/", "alias;", - # [] are used by MSSQL. + # [] and # are used by MSSQL. "alias[", "alias]", + "ali#as", ] msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) for crafted_alias in tests: with self.subTest(crafted_alias): @@ -1492,8 +1493,8 @@ class AliasTests(TestCase): def test_alias_sql_injection(self): crafted_alias = """injected_name" from "annotations_book"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: Value(1)}) @@ -1501,8 +1502,8 @@ class AliasTests(TestCase): def test_alias_filtered_relation_sql_injection(self): crafted_alias = """injected_name" from "annotations_book"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py index 47bd1358de..080ee06183 100644 --- a/tests/expressions/test_queryset_values.py +++ b/tests/expressions/test_queryset_values.py @@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase): def test_values_expression_alias_sql_injection(self): crafted_alias = """injected_name" from "expressions_company"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Company.objects.values(**{crafted_alias: F("ceo__salary")}) @@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase): def test_values_expression_alias_sql_injection_json_field(self): crafted_alias = """injected_name" from "expressions_company"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): JSONFieldModel.objects.values(f"data__{crafted_alias}") diff --git a/tests/queries/tests.py b/tests/queries/tests.py index 38b0a5ddfa..ffaabf48a0 100644 --- a/tests/queries/tests.py +++ b/tests/queries/tests.py @@ -1961,8 +1961,8 @@ class Queries5Tests(TestCase): def test_extra_select_alias_sql_injection(self): crafted_alias = """injected_name" from "queries_note"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Note.objects.extra(select={crafted_alias: "1"}) -- cgit v1.3