mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-09 14:59:24 +00:00
Code Issues 32 Releases Wiki Activity

[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.

Browse Source 
Thanks Eyal Gabay (EyalSec) for the report.

Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
This commit is contained in:
Jake Howard 2025-08-13 14:13:42 +02:00 committed by Sarah Boyce
parent e87ca3d6fa
commit 4c044fcc86
5 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
django/db/models/sql/query.py
View File

@ -1696,6 +1696,7 @@ class Query(BaseExpression):
return target_clause, needed_inner return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias): def add_filtered_relation(self, filtered_relation, alias):
self.check_alias(alias)
filtered_relation.alias = alias filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
filtered_relation.relation_name filtered_relation.relation_name

7
docs/releases/4.2.24.txt
View File

@ -5,3 +5,10 @@ Django 4.2.24 release notes
*September 3, 2025* *September 3, 2025*
Django 4.2.24 fixes a security issue with severity "high" in 4.2.23. Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

7
docs/releases/5.1.12.txt
View File

@ -5,3 +5,10 @@ Django 5.1.12 release notes
*September 3, 2025* *September 3, 2025*
Django 5.1.12 fixes a security issue with severity "high" in 5.1.11. Django 5.1.12 fixes a security issue with severity "high" in 5.1.11.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

7
docs/releases/5.2.6.txt
View File

@ -6,6 +6,13 @@ Django 5.2.6 release notes
Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5. Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
Bugfixes Bugfixes
======== ========

24
tests/annotations/tests.py
View File

@ -14,6 +14,7 @@ from django.db.models import (
Exists, Exists,
ExpressionWrapper, ExpressionWrapper,
F, F,
FilteredRelation,
FloatField, FloatField,
Func, Func,
IntegerField, IntegerField,
@ -1164,6 +1165,15 @@ class NonAggregateAnnotationTestCase(TestCase):
with self.assertRaisesMessage(ValueError, msg): with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)}) Book.objects.annotate(**{crafted_alias: Value(1)})
def test_alias_filtered_relation_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
def test_alias_forbidden_chars(self): def test_alias_forbidden_chars(self):
tests = [ tests = [
'al"ias', 'al"ias',
@ -1189,6 +1199,11 @@ class NonAggregateAnnotationTestCase(TestCase):
with self.assertRaisesMessage(ValueError, msg): with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)}) Book.objects.annotate(**{crafted_alias: Value(1)})
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(
**{crafted_alias: FilteredRelation("authors")}
)
@skipUnless(connection.vendor == "postgresql", "PostgreSQL tests") @skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
@skipUnlessDBFeature("supports_json_field") @skipUnlessDBFeature("supports_json_field")
def test_set_returning_functions(self): def test_set_returning_functions(self):
@ -1482,3 +1497,12 @@ class AliasTests(TestCase):
) )
with self.assertRaisesMessage(ValueError, msg): with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: Value(1)}) Book.objects.alias(**{crafted_alias: Value(1)})
def test_alias_filtered_relation_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
"Column aliases cannot contain whitespace characters, quotation marks, "
"semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})