Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

tests/aggregation/tests.py

@@ -2048,6 +2048,15 @@ class AggregateTestCase(TestCase):
         )
         self.assertEqual(len(qs), 6)
 
+    def test_alias_sql_injection(self):
+        crafted_alias = """injected_name" from "aggregation_author"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Author.objects.aggregate(**{crafted_alias: Avg("age")})
+
     def test_exists_extra_where_with_aggregate(self):
         qs = Book.objects.annotate(
             count=Count("id"),