File CVE-2022-28346.patch of Package python-Django

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-28346.patch of Package python-Django

From 2c09e68ec911919360d5f8502cefc312f9e03c5d Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Fri, 1 Apr 2022 08:10:22 +0200
Subject: [PATCH] [2.2.x] Fixed CVE-2022-28346 -- Protected
 QuerySet.annotate(), aggregate(), and extra() against SQL injection in column
 aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
---
 django/db/models/sql/query.py             | 14 ++++++++++
 docs/releases/2.2.28.txt                  |  8 ++++++
 tests/aggregation/tests.py                |  9 ++++++
 tests/annotations/tests.py                | 34 +++++++++++++++++++++++
 tests/expressions/test_queryset_values.py |  9 ++++++
 tests/queries/tests.py                    |  9 ++++++
 6 files changed, 83 insertions(+)

diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index b99f0e90efad..412e817f107e 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -8,6 +8,7 @@
 """
 import copy
 import warnings
+import re
 from collections import Counter, Iterator, Mapping, OrderedDict
 from itertools import chain, count, product
 from string import ascii_uppercase
@@ -38,6 +49,10 @@
 
 __all__ = ['Query', 'RawQuery']
 
+# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# SQL comments are forbidden in column aliases.
+FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+
 
 def get_field_names_from_opts(opts):
     return set(chain.from_iterable(
@@ -965,10 +970,18 @@ def join_parent_model(self, opts, model, alias, seen):
             alias = seen[int_model] = joins[-1]
         return alias or seen[None]
 
+    def check_alias(self, alias):
+        if FORBIDDEN_ALIAS_PATTERN.search(alias):
+            raise ValueError(
+                "Column aliases cannot contain whitespace characters, quotation marks, "
+                "semicolons, or SQL comments."
+            )
+
     def add_annotation(self, annotation, alias, is_summary=False):
         """
         Adds a single annotation expression to the Query
         """
+        self.check_alias(alias)
         annotation = annotation.resolve_expression(self, allow_joins=True, reuse=None,
                                                    summarize=is_summary)
         self.append_annotation_mask([alias])
@@ -1744,6 +1757,7 @@ def add_extra(self, select, select_params, where, params, tables, order_by):
             else:
                 param_iter = iter([])
             for name, entry in select.items():
+                self.check_alias(name)
                 entry = force_text(entry)
                 entry_params = []
                 pos = entry.find("%s")
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
index 3820496c9fd5..501a18700baf 100644
--- a/tests/aggregation/tests.py
+++ b/tests/aggregation/tests.py
@@ -1188,3 +1188,12 @@ def test_arguments_must_be_expressions(self):
         ).filter(rating_or_num_awards__gt=F('num_awards')).order_by('num_awards')
         self.assertQuerysetEqual(
             qs2, [1, 3], lambda v: v.num_awards)
+
+    def test_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "aggregation_author"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Author.objects.aggregate(**{crafted_alias: Avg("age")})
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
index 021f59d2d71d..27cd7ebfb826 100644
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -505,3 +505,37 @@ def test_annotation_filter_with_subquery(self):
             self.assertIs(book.is_book, True)
             self.assertIs(book.is_pony, False)
             self.assertIsNone(book.is_none)
+
+    def test_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "annotations_book"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Book.objects.annotate(**{crafted_alias: Value(1)})
+
+    def test_alias_forbidden_chars(self):
+        tests = [
+            'al"ias',
+            "a'lias",
+            "ali`as",
+            "alia s",
+            "alias\t",
+            "ali\nas",
+            "alias--",
+            "ali/*as",
+            "alias*/",
+            "alias;",
+            # [] are used by MSSQL.
+            "alias[",
+            "alias]",
+        ]
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        for crafted_alias in tests:
+            with self.subTest(crafted_alias):
+                with self.assertRaisesMessage(ValueError, msg):
+                    Book.objects.annotate(**{crafted_alias: Value(1)})
diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
index e26459796807..0804531869d9 100644
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@@ -29,6 +29,15 @@ def test_values_expression(self):
             [{'salary': 10}, {'salary': 20}, {'salary': 30}],
         )
 
+    def test_values_expression_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "expressions_company"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Company.objects.values(**{crafted_alias: F("ceo__salary")})
+
     def test_values_expression_group_by(self):
         # values() applies annotate() first, so values selected are grouped by
         # id, not firstname.
diff --git a/tests/queries/tests.py b/tests/queries/tests.py
index e72ecaa654c8..99ab57f4fc2e 100644
--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
@@ -1716,6 +1716,15 @@ def test_extra_select_literal_percent_s(self):
             'bar %s'
         )
 
+    def test_extra_select_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "queries_note"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Note.objects.extra(select={crafted_alias: "1"})
+
 
 class SelectRelatedTests(TestCase):
     def test_tickets_3045_3288(self):

Places

File CVE-2022-28346.patch of Package python-Django

Places