[6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f. Backport of 41b43c74bd from main.
2025-10-26 07:06:08 +00:00 · 2025-09-10 09:53:52 +02:00
parent ee0610673b
commit 4ceaaee7e0
8 changed files with 64 additions and 39 deletions
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -1161,12 +1161,12 @@ class NonAggregateAnnotationTestCase(TestCase):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        # RemovedInDjango70Warning: When the deprecation ends, replace with:
        # msg = (
-        #    "Column aliases cannot contain whitespace characters, quotation "
-        #    "marks, semicolons, percent signs, or SQL comments."
+        #    "Column aliases cannot contain whitespace characters, hashes, "
+        #    "quotation marks, semicolons, percent signs, or SQL comments."
        # )
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.annotate(**{crafted_alias: Value(1)})
@@ -1175,12 +1175,12 @@ class NonAggregateAnnotationTestCase(TestCase):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        # RemovedInDjango70Warning: When the deprecation ends, replace with:
        # msg = (
-        #    "Column aliases cannot contain whitespace characters, quotation "
-        #    "marks, semicolons, percent signs, or SQL comments."
+        #    "Column aliases cannot contain whitespace characters, hashes, "
+        #    "quotation marks, semicolons, percent signs, or SQL comments."
        # )
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
@@ -1199,18 +1199,19 @@ class NonAggregateAnnotationTestCase(TestCase):
            "alias;",
            # RemovedInDjango70Warning: When the deprecation ends, add this:
            # "alias%",
-            # [] are used by MSSQL.
+            # [] and # are used by MSSQL.
            "alias[",
            "alias]",
+            "ali#as",
        ]
        # RemovedInDjango70Warning: When the deprecation ends, replace with:
        # msg = (
-        #    "Column aliases cannot contain whitespace characters, quotation "
-        #    "marks, semicolons, percent signs, or SQL comments."
+        #    "Column aliases cannot contain whitespace characters, hashes, "
+        #    "quotation marks, semicolons, percent signs, or SQL comments."
        # )
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
        )
        for crafted_alias in tests:
            with self.subTest(crafted_alias):
@@ -1516,12 +1517,12 @@ class AliasTests(TestCase):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        # RemovedInDjango70Warning: When the deprecation ends, replace with:
        # msg = (
-        #    "Column aliases cannot contain whitespace characters, quotation "
-        #    "marks, semicolons, percent signs, or SQL comments."
+        #    "Column aliases cannot contain whitespace characters, hashes, "
+        #    "quotation marks, semicolons, percent signs, or SQL comments."
        # )
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.alias(**{crafted_alias: Value(1)})
@@ -1530,12 +1531,12 @@ class AliasTests(TestCase):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        # RemovedInDjango70Warning: When the deprecation ends, replace with:
        # msg = (
-        #    "Column aliases cannot contain whitespace characters, quotation "
-        #    "marks, semicolons, percent signs, or SQL comments."
+        #    "Column aliases cannot contain whitespace characters, hashes, "
+        #    "quotation marks, semicolons, percent signs, or SQL comments."
        # )
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})