[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQ… · django/django@4c044fc · GitHub


Commit 4c044fc

RealOrangeOne authored and sarahboyce committed
[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report. Backport of 5171171 from main.
1 parent e87ca3d commit 4c044fc

5 files changed, +46 -0 lines changed


django/db/models/sql/query.py

Lines changed: 1 addition & 0 deletions
@@ -1696,6 +1696,7 @@ def _add_q(
16961696
return target_clause, needed_inner
16971697

16981698
def add_filtered_relation(self, filtered_relation, alias):
1699+
self.check_alias(alias)
16991700
filtered_relation.alias = alias
17001701
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
17011702
filtered_relation.relation_name
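Review bot: the new `self.check_alias(alias)` call at the top of `add_filtered_relation` runs before `filtered_relation.alias = alias` and before `solve_lookup_type`, which is the right order: a rejected alias never reaches the relation object or the SQL compiler. What the hunk lacks is a comment saying why the check lives here and not only in `annotate()`/`alias()`: `FilteredRelation` annotations take this code path, and the tests below show an unchecked alias was previously interpolated into the query's column alias. A one-line comment such as `# Validate the alias before it can appear in generated SQL (CVE-2025-57833).` would keep a future refactor from dropping the call.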

docs/releases/4.2.24.txt

Lines changed: 7 additions & 0 deletions
@@ -5,3 +5,10 @@ Django 4.2.24 release notes
55
*September 3, 2025*
66

77
Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
8+
9+
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
10+
==============================================================================
11+
12+
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
13+
using a suitably crafted dictionary, with dictionary expansion, as the
14+
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
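Review bot: the note says what was vulnerable but not what now happens, so a reader upgrading cannot tell whether existing code may start failing. Since the fix rejects such aliases with `ValueError` (the tests assert the message "Column aliases cannot contain whitespace characters, quotation marks, semicolons, or SQL comments."), consider adding a sentence that aliases given to `FilteredRelation` annotations are now validated the same way as other `annotate()`/`alias()` names. The same wording is repeated in the 5.1.12 and 5.2.6 hunks, so apply the change to all three.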

docs/releases/5.1.12.txt

Lines changed: 7 additions & 0 deletions
@@ -5,3 +5,10 @@ Django 5.1.12 release notes
55
*September 3, 2025*
66

77
Django 5.1.12 fixes a security issue with severity "high" in 5.1.11.
8+
9+
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
10+
==============================================================================
11+
12+
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
13+
using a suitably crafted dictionary, with dictionary expansion, as the
14+
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

docs/releases/5.2.6.txt

Lines changed: 7 additions & 0 deletions
@@ -6,6 +6,13 @@ Django 5.2.6 release notes
66

77
Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.
88

9+
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
10+
==============================================================================
11+
12+
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
13+
using a suitably crafted dictionary, with dictionary expansion, as the
14+
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
15+
916
Bugfixes
1017
========
1118

tests/annotations/tests.py

Lines changed: 24 additions & 0 deletions
@@ -14,6 +14,7 @@
1414
Exists,
1515
ExpressionWrapper,
1616
F,
17+
FilteredRelation,
1718
FloatField,
1819
Func,
1920
IntegerField,
@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
11641165
with self.assertRaisesMessage(ValueError, msg):
11651166
Book.objects.annotate(**{crafted_alias: Value(1)})
11661167

1168+
def test_alias_filtered_relation_sql_injection(self):
1169+
crafted_alias = """injected_name" from "annotations_book"; --"""
1170+
msg = (
1171+
"Column aliases cannot contain whitespace characters, quotation marks, "
1172+
"semicolons, or SQL comments."
1173+
)
1174+
with self.assertRaisesMessage(ValueError, msg):
1175+
Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
1176+
11671177
def test_alias_forbidden_chars(self):
11681178
tests = [
11691179
'al"ias',
@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
11891199
with self.assertRaisesMessage(ValueError, msg):
11901200
Book.objects.annotate(**{crafted_alias: Value(1)})
11911201

1202+
with self.assertRaisesMessage(ValueError, msg):
1203+
Book.objects.annotate(
1204+
**{crafted_alias: FilteredRelation("authors")}
1205+
)
1206+
11921207
@skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
11931208
@skipUnlessDBFeature("supports_json_field")
11941209
def test_set_returning_functions(self):
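Review bot: the forbidden-characters loop now asserts both the `Value(1)` and the `FilteredRelation("authors")` case for each alias, which is good coverage for `annotate()`; the `alias()` path, by contrast, only gets the single crafted alias in the final hunk. If the `alias()` test class has a matching forbidden-characters test, mirror this addition there so both entry points are exercised with the full list.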
@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
14821497
)
14831498
with self.assertRaisesMessage(ValueError, msg):
14841499
Book.objects.alias(**{crafted_alias: Value(1)})
1500+
1501+
def test_alias_filtered_relation_sql_injection(self):
1502+
crafted_alias = """injected_name" from "annotations_book"; --"""
1503+
msg = (
1504+
"Column aliases cannot contain whitespace characters, quotation marks, "
1505+
"semicolons, or SQL comments."
1506+
)
1507+
with self.assertRaisesMessage(ValueError, msg):
1508+
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
