From 31334e6965ad136a5e369993b01721499c5d1a92 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 13 Aug 2025 14:13:42 +0200 Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. CVE: CVE-2025-57833 Upstream-Status: Backport https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 Signed-off-by: Jake Howard Signed-off-by: Saravanan %% original patch: CVE-2025-57833.patch --- django/db/models/sql/query.py | 1 + docs/releases/2.2.28.txt | 7 +++++++ tests/annotations/tests.py | 18 ++++++++++++++++-- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 9b054bd..96a6f5f 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1369,6 +1369,7 @@ class Query: return target_clause def add_filtered_relation(self, filtered_relation, alias): + self.check_alias(alias) filtered_relation.alias = alias lookups = dict(get_children_from_q(filtered_relation.condition)) for lookup in chain((filtered_relation.relation_name,), lookups): diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt index 0e092f0..f3fb298 100644 --- a/docs/releases/2.2.28.txt +++ b/docs/releases/2.2.28.txt @@ -117,3 +117,10 @@ which has now been updated to define a ``max_length`` of 39 characters. The :class:`django.db.models.GenericIPAddressField` model field was not affected. +CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases +============================================================================== + +:class:`.FilteredRelation` was subject to SQL injection in column aliases, +using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. + diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index 27cd7eb..cdffb07 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -3,8 +3,8 @@ from decimal import Decimal from django.core.exceptions import FieldDoesNotExist, FieldError from django.db.models import ( - BooleanField, CharField, Count, DateTimeField, ExpressionWrapper, F, Func, - IntegerField, NullBooleanField, OuterRef, Q, Subquery, Sum, Value, + BooleanField, CharField, Count, DateTimeField, ExpressionWrapper, F, FilteredRelation, + Func, IntegerField, NullBooleanField, OuterRef, Q, Subquery, Sum, Value, ) from django.db.models.expressions import RawSQL from django.db.models.functions import Length, Lower @@ -608,6 +608,15 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) + def test_alias_forbidden_chars(self): tests = [ 'al"ias', @@ -632,3 +641,8 @@ class NonAggregateAnnotationTestCase(TestCase): with self.subTest(crafted_alias): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate( + **{crafted_alias: FilteredRelation("authors")} + ) -- 2.40.0