mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-09-17 14:39:17 +00:00
Code Issues 32 Releases Wiki Activity

[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.

Browse Source 
Thanks Eyal Gabay (EyalSec) for the report.

Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
This commit is contained in:
Jake Howard 2025-08-13 14:13:42 +02:00 committed by Sarah Boyce
parent 44cd014a0a
commit 102965ea93
4 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
django/db/models/sql/query.py
View File

@ -1659,6 +1659,7 @@ class Query(BaseExpression):
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
filtered_relation.relation_name

7
docs/releases/4.2.24.txt
View File

@ -5,3 +5,10 @@ Django 4.2.24 release notes
*September 3, 2025*
Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

7
docs/releases/5.1.12.txt
View File

@ -5,3 +5,10 @@ Django 5.1.12 release notes
*September 3, 2025*
Django 5.1.12 fixes a security issue with severity "high" in 5.1.11.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

24
tests/annotations/tests.py
View File

@ -12,6 +12,7 @@ from django.db.models import (
Exists,
ExpressionWrapper,
F,
FilteredRelation,
FloatField,
Func,
IntegerField,
@ -1132,6 +1133,15 @@ class NonAggregateAnnotationTestCase(TestCase):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
def test_alias_filtered_relation_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
def test_alias_forbidden_chars(self):
tests = [
'al"ias',
@ -1157,6 +1167,11 @@ class NonAggregateAnnotationTestCase(TestCase):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(
**{crafted_alias: FilteredRelation("authors")}
)
class AliasTests(TestCase):
@classmethod
@ -1429,3 +1444,12 @@ class AliasTests(TestCase):
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: Value(1)})
def test_alias_filtered_relation_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})