File CVE-2022-28346.patch of Package python-Django.35578
From 2c09e68ec911919360d5f8502cefc312f9e03c5d Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Fri, 1 Apr 2022 08:10:22 +0200
Subject: [PATCH] [2.2.x] Fixed CVE-2022-28346 -- Protected
QuerySet.annotate(), aggregate(), and extra() against SQL injection in column
aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
---
django/db/models/sql/query.py | 14 ++++++++++
docs/releases/2.2.28.txt | 8 ++++++
tests/aggregation/tests.py | 9 ++++++
tests/annotations/tests.py | 34 +++++++++++++++++++++++
tests/expressions/test_queryset_values.py | 9 ++++++
tests/queries/tests.py | 9 ++++++
6 files changed, 83 insertions(+)
Index: Django-2.0.7/django/db/models/sql/query.py
===================================================================
--- Django-2.0.7.orig/django/db/models/sql/query.py
+++ Django-2.0.7/django/db/models/sql/query.py
@@ -6,6 +6,7 @@ themselves do not have to (and could be
databases). The abstraction barrier only works one way: this module has to know
all about the internals of models in order to get the information it needs.
"""
+import re
from collections import Counter, Iterator, Mapping, OrderedDict, namedtuple
from itertools import chain, count, product
from string import ascii_uppercase
@@ -37,6 +38,10 @@ from django.utils.tree import Node
__all__ = ['Query', 'RawQuery']
+# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# SQL comments are forbidden in column aliases.
+FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+
def get_field_names_from_opts(opts):
return set(chain.from_iterable(
@@ -969,8 +974,16 @@ class Query:
alias = seen[int_model] = join_info.joins[-1]
return alias or seen[None]
+ def check_alias(self, alias):
+ if FORBIDDEN_ALIAS_PATTERN.search(alias):
+ raise ValueError(
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+
def add_annotation(self, annotation, alias, is_summary=False):
"""Add a single annotation expression to the Query."""
+ self.check_alias(alias)
annotation = annotation.resolve_expression(self, allow_joins=True, reuse=None,
summarize=is_summary)
self.append_annotation_mask([alias])
@@ -1788,6 +1801,7 @@ class Query:
else:
param_iter = iter([])
for name, entry in select.items():
+ self.check_alias(name)
entry = force_text(entry)
entry_params = []
pos = entry.find("%s")
Index: Django-2.0.7/tests/aggregation/tests.py
===================================================================
--- Django-2.0.7.orig/tests/aggregation/tests.py
+++ Django-2.0.7/tests/aggregation/tests.py
@@ -1202,3 +1202,12 @@ class AggregateTestCase(TestCase):
Book.objects.aggregate(is_book=True)
with self.assertRaisesMessage(TypeError, msg % ', '.join([str(FloatField()), 'True'])):
Book.objects.aggregate(FloatField(), Avg('price'), is_book=True)
+
+ def test_alias_sql_injection(self):
+ crafted_alias = """injected_name" from "aggregation_author"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Author.objects.aggregate(**{crafted_alias: Avg("age")})
Index: Django-2.0.7/tests/annotations/tests.py
===================================================================
--- Django-2.0.7.orig/tests/annotations/tests.py
+++ Django-2.0.7/tests/annotations/tests.py
@@ -533,3 +533,37 @@ class NonAggregateAnnotationTestCase(Tes
Book.objects.annotate(is_book=True)
with self.assertRaisesMessage(TypeError, msg % ', '.join([str(BooleanField()), 'True'])):
Book.objects.annotate(BooleanField(), Value(False), is_book=True)
+
+def test_alias_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(**{crafted_alias: Value(1)})
+
+ def test_alias_forbidden_chars(self):
+ tests = [
+ 'al"ias',
+ "a'lias",
+ "ali`as",
+ "alia s",
+ "alias\t",
+ "ali\nas",
+ "alias--",
+ "ali/*as",
+ "alias*/",
+ "alias;",
+ # [] are used by MSSQL.
+ "alias[",
+ "alias]",
+ ]
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ for crafted_alias in tests:
+ with self.subTest(crafted_alias):
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(**{crafted_alias: Value(1)})
Index: Django-2.0.7/tests/expressions/test_queryset_values.py
===================================================================
--- Django-2.0.7.orig/tests/expressions/test_queryset_values.py
+++ Django-2.0.7/tests/expressions/test_queryset_values.py
@@ -27,6 +27,15 @@ class ValuesExpressionsTests(TestCase):
[{'salary': 10}, {'salary': 20}, {'salary': 30}],
)
+ def test_values_expression_alias_sql_injection(self):
+ crafted_alias = """injected_name" from "expressions_company"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Company.objects.values(**{crafted_alias: F("ceo__salary")})
+
def test_values_expression_group_by(self):
# values() applies annotate() first, so values selected are grouped by
# id, not firstname.
Index: Django-2.0.7/tests/queries/tests.py
===================================================================
--- Django-2.0.7.orig/tests/queries/tests.py
+++ Django-2.0.7/tests/queries/tests.py
@@ -1710,6 +1710,15 @@ class Queries5Tests(TestCase):
'bar %s'
)
+ def test_extra_select_alias_sql_injection(self):
+ crafted_alias = """injected_name" from "queries_note"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Note.objects.extra(select={crafted_alias: "1"})
+
class SelectRelatedTests(TestCase):
def test_tickets_3045_3288(self):
