From 51711717098d3f469f795dfa6bc3758b24f69ef7 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 13 Aug 2025 13:13:42 +0100 Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. --- django/db/models/sql/query.py | 1 + docs/releases/4.2.24.txt | 7 +++++++ docs/releases/5.1.12.txt | 7 +++++++ docs/releases/5.2.6.txt | 7 +++++++ tests/annotations/tests.py | 34 ++++++++++++++++++++++++++++++++++ 5 files changed, 56 insertions(+) diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index e3186c4919..f332d83946 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1720,6 +1720,7 @@ class Query(BaseExpression): return target_clause, needed_inner def add_filtered_relation(self, filtered_relation, alias): + self.check_alias(alias) filtered_relation.alias = alias relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( filtered_relation.relation_name diff --git a/docs/releases/4.2.24.txt b/docs/releases/4.2.24.txt index d6e198fb9c..e501483917 100644 --- a/docs/releases/4.2.24.txt +++ b/docs/releases/4.2.24.txt @@ -5,3 +5,10 @@ Django 4.2.24 release notes *September 3, 2025* Django 4.2.24 fixes a security issue with severity "high" in 4.2.23. + +CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases +============================================================================== + +:class:`.FilteredRelation` was subject to SQL injection in column aliases, +using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. diff --git a/docs/releases/5.1.12.txt b/docs/releases/5.1.12.txt index 351d888398..dbc7ba279f 100644 --- a/docs/releases/5.1.12.txt +++ b/docs/releases/5.1.12.txt @@ -5,3 +5,10 @@ Django 5.1.12 release notes *September 3, 2025* Django 5.1.12 fixes a security issue with severity "high" in 5.1.11. + +CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases +============================================================================== + +:class:`.FilteredRelation` was subject to SQL injection in column aliases, +using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. diff --git a/docs/releases/5.2.6.txt b/docs/releases/5.2.6.txt index 3a674b7411..a3eef1b1af 100644 --- a/docs/releases/5.2.6.txt +++ b/docs/releases/5.2.6.txt @@ -6,6 +6,13 @@ Django 5.2.6 release notes Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5. +CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases +============================================================================== + +:class:`.FilteredRelation` was subject to SQL injection in column aliases, +using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`. + Bugfixes ======== diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index 6cb59c7fe4..8091498908 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -14,6 +14,7 @@ from django.db.models import ( Exists, ExpressionWrapper, F, + FilteredRelation, FloatField, Func, IntegerField, @@ -1170,6 +1171,20 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + # RemovedInDjango70Warning: When the deprecation ends, replace with: + # msg = ( + # "Column aliases cannot contain whitespace characters, quotation " + # "marks, semicolons, percent signs, or SQL comments." + # ) + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) + def test_alias_forbidden_chars(self): tests = [ 'al"ias', @@ -1202,6 +1217,11 @@ class NonAggregateAnnotationTestCase(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.annotate(**{crafted_alias: Value(1)}) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate( + **{crafted_alias: FilteredRelation("authors")} + ) + def test_alias_containing_percent_sign_deprecation(self): msg = "Using percent signs in a column alias is deprecated." with self.assertRaisesMessage(RemovedInDjango70Warning, msg): @@ -1505,3 +1525,17 @@ class AliasTests(TestCase): ) with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: Value(1)}) + + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + # RemovedInDjango70Warning: When the deprecation ends, replace with: + # msg = ( + # "Column aliases cannot contain whitespace characters, quotation " + # "marks, semicolons, percent signs, or SQL comments." + # ) + msg = ( + "Column aliases cannot contain whitespace characters, quotation marks, " + "semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})