Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
2025-09-26 12:09:19 +00:00 · 2022-04-01 08:10:22 +02:00 · 2022-04-01 08:10:22 +02:00 · 93cae5cb2f
commit 93cae5cb2f
parent 62739b6e26
8 changed files with 108 additions and 0 deletions
--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
@ -1898,6 +1898,15 @@ class Queries5Tests(TestCase):
            Note.objects.extra(select={"foo": "'bar %%s'"})[0].foo, "bar %s"
        )

+    def test_extra_select_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "queries_note"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Note.objects.extra(select={crafted_alias: "1"})
+
    def test_queryset_reuse(self):
        # Using querysets doesn't mutate aliases.
        authors = Author.objects.filter(Q(name="a1") | Q(name="nonexistent"))