[5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-10-10 15:29:11 +00:00 · 2025-09-10 09:53:52 +02:00 · 2025-09-10 09:53:52 +02:00 · 52fbae0a4d
commit 52fbae0a4d
parent 1794cbf961
8 changed files with 49 additions and 25 deletions
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@ -48,9 +48,9 @@ from django.utils.tree import Node
 __all__ = ["Query", "RawQuery"]
-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
 # SQL comments are forbidden in column aliases.
-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
 # Inspired from
 # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
@ -1208,8 +1208,8 @@ class Query(BaseExpression):
    def check_alias(self, alias):
        if FORBIDDEN_ALIAS_PATTERN.search(alias):
            raise ValueError(
-                "Column aliases cannot contain whitespace characters, quotation marks, "
+                "Column aliases cannot contain whitespace characters, hashes, "
-                "semicolons, or SQL comments."
+                "quotation marks, semicolons, or SQL comments."
            )
    def add_annotation(self, annotation, alias, select=True):
--- a/docs/releases/4.2.25.txt
+++ b/docs/releases/4.2.25.txt
@ -7,4 +7,11 @@ Django 4.2.25 release notes
 Django 4.2.25 fixes one security issue with severity "high" and one security
 issue with severity "low" in 4.2.24.
-...
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
 ======================================================================================================================================
 :meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
 :meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
 to SQL injection in column aliases, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
 :cve:`2022-28346`).
--- a/docs/releases/5.1.13.txt
+++ b/docs/releases/5.1.13.txt
@ -7,4 +7,11 @@ Django 5.1.13 release notes
 Django 5.1.13 fixes one security issue with severity "high" and one security
 issue with severity "low" in 5.1.12.
-...
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
 ======================================================================================================================================
 :meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
 :meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
 to SQL injection in column aliases, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
 :cve:`2022-28346`).
--- a/docs/releases/5.2.7.txt
+++ b/docs/releases/5.2.7.txt
@ -8,6 +8,15 @@ Django 5.2.7 fixes one security issue with severity "high", one security issue
 with severity "low", and one bug in 5.2.6. Also, the latest string translations
 from Transifex are incorporated.
 CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
 ======================================================================================================================================
 :meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
 :meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
 to SQL injection in column aliases, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
 :cve:`2022-28346`).
 Bugfixes
 ========
--- a/tests/aggregation/tests.py
+++ b/tests/aggregation/tests.py
@ -2136,8 +2136,8 @@ class AggregateTestCase(TestCase):
    def test_alias_sql_injection(self):
        crafted_alias = """injected_name" from "aggregation_author"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Author.objects.aggregate(**{crafted_alias: Avg("age")})
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@ -1159,8 +1159,8 @@ class NonAggregateAnnotationTestCase(TestCase):
    def test_alias_sql_injection(self):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.annotate(**{crafted_alias: Value(1)})
@ -1168,8 +1168,8 @@ class NonAggregateAnnotationTestCase(TestCase):
    def test_alias_filtered_relation_sql_injection(self):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
@ -1186,13 +1186,14 @@ class NonAggregateAnnotationTestCase(TestCase):
            "ali/*as",
            "alias*/",
            "alias;",
-            # [] are used by MSSQL.
+            # [] and # are used by MSSQL.
            "alias[",
            "alias]",
            "ali#as",
        ]
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        for crafted_alias in tests:
            with self.subTest(crafted_alias):
@ -1492,8 +1493,8 @@ class AliasTests(TestCase):
    def test_alias_sql_injection(self):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.alias(**{crafted_alias: Value(1)})
@ -1501,8 +1502,8 @@ class AliasTests(TestCase):
    def test_alias_filtered_relation_sql_injection(self):
        crafted_alias = """injected_name" from "annotations_book"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
    def test_values_expression_alias_sql_injection(self):
        crafted_alias = """injected_name" from "expressions_company"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Company.objects.values(**{crafted_alias: F("ceo__salary")})
@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
    def test_values_expression_alias_sql_injection_json_field(self):
        crafted_alias = """injected_name" from "expressions_company"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            JSONFieldModel.objects.values(f"data__{crafted_alias}")
--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
@ -1961,8 +1961,8 @@ class Queries5Tests(TestCase):
    def test_extra_select_alias_sql_injection(self):
        crafted_alias = """injected_name" from "queries_note"; --"""
        msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "semicolons, or SQL comments."
+            "marks, semicolons, or SQL comments."
        )
        with self.assertRaisesMessage(ValueError, msg):
            Note.objects.extra(select={crafted_alias: "1"})