From 31334e6965ad136a5e369993b01721499c5d1a92 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 13 Aug 2025 14:13:42 +0200 Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. CVE: CVE-2025-57833 Upstream-Status: Backport https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 Signed-off-by: Jake Howard Signed-off-by: Saravanan --- django/db/models/sql/query.py | 1 + docs/releases/3.2.25.txt | 7 +++++++ tests/annotations/tests.py | 25 ++++++++++++++++++++++++- 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 230b6fa..e56ff81 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1466,6 +1466,7 @@ class Query(BaseExpression): return target_clause def add_filtered_relation(self, filtered_relation, alias): + self.check_alias(alias) filtered_relation.alias = alias lookups = dict(get_children_from_q(filtered_relation.condition)) relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(filtered_relation.relation_name) diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt index 93ab341..a2a58b5 100644 --- a/docs/releases/3.2.25.txt +++ b/docs/releases/3.2.25.txt @@ -33,6 +33,13 @@ which has now been updated to define a ``max_length`` of 39 characters. The :class:`django.db.models.GenericIPAddressField` model field was not affected. +CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases +============================================================================== + +:class:`.FilteredRelation` was subject to SQL injection in column aliases, +using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. + Bugfixes ======== diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index 8082c7a..00d4ee6 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -4,7 +4,7 @@ from decimal import Decimal from django.core.exceptions import FieldDoesNotExist, FieldError from django.db.models import ( BooleanField, Case, CharField, Count, DateTimeField, DecimalField, Exists, - ExpressionWrapper, F, FloatField, Func, IntegerField, Max, + ExpressionWrapper, F, FilteredRelation, FloatField, Func, IntegerField, Max, NullBooleanField, OuterRef, Q, Subquery, Sum, Value, When, ) from django.db.models.expressions import RawSQL @@ -775,6 +775,15 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) + def test_alias_forbidden_chars(self): tests = [ 'al"ias', @@ -800,6 +809,11 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate( + **{crafted_alias: FilteredRelation("authors")} + ) + class AliasTests(TestCase): @classmethod @@ -1039,3 +1053,12 @@ class AliasTests(TestCase): ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: Value(1)}) + + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) -- 2.40.0