
Commit 102965e

RealOrangeOnesarahboyce
authored andcommitted
[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report. Backport of 5171171 from main.
1 parent 44cd014 commit 102965e

4 files changed

Lines changed: 39 additions & 0 deletions


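--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1659,6 +1659,7 @@ def _add_q(
         return target_clause, needed_inner
 
     def add_filtered_relation(self, filtered_relation, alias):
+        self.check_alias(alias)
         filtered_relation.alias = alias
         relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
             filtered_relation.relation_name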
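Review bot: The new `self.check_alias(alias)` call at the top of `add_filtered_relation` carries no comment saying why it must run here, so a later refactor could move it below the lines that mutate `filtered_relation` or drop it as seemingly redundant. A one-line comment would record the contract: `# Validate the alias before it reaches SQL; FilteredRelation annotations bypass add_annotation(), which is presumably where this check otherwise runs.` Running the check before `filtered_relation.alias = alias` is the right order, since a rejected alias then leaves no state behind. The rest of add_filtered_relation lies outside the hunk.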

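--- a/docs/releases/4.2.24.txt
+++ b/docs/releases/4.2.24.txt
@@ -5,3 +5,10 @@ Django 4.2.24 release notes
 *September 3, 2025*
 
 Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
+
+CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+==============================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.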

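--- a/docs/releases/5.1.12.txt
+++ b/docs/releases/5.1.12.txt
@@ -5,3 +5,10 @@ Django 5.1.12 release notes
 *September 3, 2025*
 
 Django 5.1.12 fixes a security issue with severity "high" in 5.1.11.
+
+CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+==============================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.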

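--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -12,6 +12,7 @@
     Exists,
     ExpressionWrapper,
     F,
+    FilteredRelation,
     FloatField,
     Func,
     IntegerField,
@@ -1132,6 +1133,15 @@ def test_alias_sql_injection(self):
         with self.assertRaisesMessage(ValueError, msg):
             Book.objects.annotate(**{crafted_alias: Value(1)})
 
+    def test_alias_filtered_relation_sql_injection(self):
+        crafted_alias = """injected_name" from "annotations_book"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
+
     def test_alias_forbidden_chars(self):
         tests = [
             'al"ias',
@@ -1157,6 +1167,11 @@ def test_alias_forbidden_chars(self):
             with self.assertRaisesMessage(ValueError, msg):
                 Book.objects.annotate(**{crafted_alias: Value(1)})
 
+            with self.assertRaisesMessage(ValueError, msg):
+                Book.objects.annotate(
+                    **{crafted_alias: FilteredRelation("authors")}
+                )
+
 
 class AliasTests(TestCase):
     @classmethod
@@ -1429,3 +1444,12 @@ def test_alias_sql_injection(self):
         )
         with self.assertRaisesMessage(ValueError, msg):
             Book.objects.alias(**{crafted_alias: Value(1)})
+
+    def test_alias_filtered_relation_sql_injection(self):
+        crafted_alias = """injected_name" from "annotations_book"; --"""
+        msg = (
+            "Column aliases cannot contain whitespace characters, quotation marks, "
+            "semicolons, or SQL comments."
+        )
+        with self.assertRaisesMessage(ValueError, msg):
+            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})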
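Review bot: The first new test in the `@@ -1132` hunk passes `FilteredRelation("author")` while the additions in the `@@ -1157` and `@@ -1429` hunks use `"authors"`; the mismatch reads as a typo rather than a deliberate variation. The assertion most likely still holds, because the ValueError appears to come from alias validation before the relation name is ever resolved, but a reader may wonder whether the relation name is part of the scenario. Suggest `Book.objects.annotate(**{crafted_alias: FilteredRelation("authors")})` there for consistency with its siblings. As a style point, the `msg` literal is now repeated verbatim in several tests and could be hoisted to a module-level constant, though that is outside the scope of a security backport.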
