mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-09 14:59:24 +00:00
Code Issues 32 Releases Wiki Activity

[5.1.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

Browse Source 
Thanks sw0rd1ight for the report.

Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.

Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
This commit is contained in:
Mariusz Felisiak 2025-09-10 09:53:52 +02:00 committed by Jacob Walls
parent cbe5042d85
commit 01d2d770e2
7 changed files with 40 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
django/db/models/sql/query.py
View File

@ -47,9 +47,9 @@ from django.utils.tree import Node
__all__ = ["Query", "RawQuery"]
# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
# SQL comments are forbidden in column aliases.
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
# Inspired from
# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
@ -1184,8 +1184,8 @@ class Query(BaseExpression):
def check_alias(self, alias):
if FORBIDDEN_ALIAS_PATTERN.search(alias):
raise ValueError(
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, "
"quotation marks, semicolons, or SQL comments."
)
def add_annotation(self, annotation, alias, select=True):

9
docs/releases/4.2.25.txt
View File

@ -7,4 +7,11 @@ Django 4.2.25 release notes
Django 4.2.25 fixes one security issue with severity "high" and one security
issue with severity "low" in 4.2.24.
...
CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
======================================================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
to SQL injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
:cve:`2022-28346`).

9
docs/releases/5.1.13.txt
View File

@ -7,4 +7,11 @@ Django 5.1.13 release notes
Django 5.1.13 fixes one security issue with severity "high" and one security
issue with severity "low" in 5.1.12.
...
CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
======================================================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
to SQL injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
:cve:`2022-28346`).

4
tests/aggregation/tests.py
View File

@ -2133,8 +2133,8 @@ class AggregateTestCase(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "aggregation_author"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Author.objects.aggregate(**{crafted_alias: Avg("age")})

23
tests/annotations/tests.py
View File

@ -1127,8 +1127,8 @@ class NonAggregateAnnotationTestCase(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
@ -1136,8 +1136,8 @@ class NonAggregateAnnotationTestCase(TestCase):
def test_alias_filtered_relation_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
@ -1154,13 +1154,14 @@ class NonAggregateAnnotationTestCase(TestCase):
"ali/*as",
"alias*/",
"alias;",
# [] are used by MSSQL.
# [] and # are used by MSSQL.
"alias[",
"alias]",
"ali#as",
]
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
for crafted_alias in tests:
with self.subTest(crafted_alias):
@ -1439,8 +1440,8 @@ class AliasTests(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: Value(1)})
@ -1448,8 +1449,8 @@ class AliasTests(TestCase):
def test_alias_filtered_relation_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})

8
tests/expressions/test_queryset_values.py
View File

@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
def test_values_expression_alias_sql_injection(self):
crafted_alias = """injected_name" from "expressions_company"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Company.objects.values(**{crafted_alias: F("ceo__salary")})
@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
def test_values_expression_alias_sql_injection_json_field(self):
crafted_alias = """injected_name" from "expressions_company"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
JSONFieldModel.objects.values(f"data__{crafted_alias}")

4
tests/queries/tests.py
View File

@ -1964,8 +1964,8 @@ class Queries5Tests(TestCase):
def test_extra_select_alias_sql_injection(self):
crafted_alias = """injected_name" from "queries_note"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
"Column aliases cannot contain whitespace characters, hashes, quotation "
"marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Note.objects.extra(select={crafted_alias: "1"})