[4.2.x] Fixed CVE-2025-57833 — Protected FilteredRelation against SQ… · django/django@31334e6 · GitHub
Commit 31334e6

RealOrangeOne authored and sarahboyce committed
[4.2.x] Fixed CVE-2025-57833 — Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report. Backport of 5171171 from main.
1 parent d5860d5 commit 31334e6

3 files changed: +32 −0 lines changed


django/db/models/sql/query.py

Lines changed: 1 addition & 0 deletions
@@ -1620,6 +1620,7 @@ def build_filtered_relation_q(
16201620
return target_clause
16211621

16221622
def add_filtered_relation(self, filtered_relation, alias):
1623+
self.check_alias(alias)
16231624
filtered_relation.alias = alias
16241625
lookups = dict(get_children_from_q(filtered_relation.condition))
16251626
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
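Review bot: the new `self.check_alias(alias)` call is the first statement of `add_filtered_relation`, ahead of `filtered_relation.alias = alias`, so an unvalidated alias is never attached to the relation object; that ordering is what makes the fix effective and deserves a one-line comment, because a later refactor that moved the assignment above the check would silently reopen the path. The accompanying tests expect the same `ValueError` message as the existing `annotate(**{crafted_alias: Value(1)})` case, which shows this reuses the alias validation already applied to ordinary annotations rather than introducing a second check.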

docs/releases/4.2.24.txt

Lines changed: 7 additions & 0 deletions
@@ -5,3 +5,10 @@ Django 4.2.24 release notes
55
*September 3, 2025*
66

77
Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
8+
9+
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
10+
==============================================================================
11+
12+
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
13+
using a suitably crafted dictionary, with dictionary expansion, as the
14+
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
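Review bot: the release note describes the vulnerability but not the resulting behaviour change; add a sentence stating that such aliases now raise `ValueError` with the message asserted in the tests ("Column aliases cannot contain whitespace characters, quotation marks, semicolons, or SQL comments."), so users who wrap `annotate()` or `alias()` in exception handling know what to expect after upgrading.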

tests/annotations/tests.py

Lines changed: 24 additions & 0 deletions
@@ -12,6 +12,7 @@
1212
Exists,
1313
ExpressionWrapper,
1414
F,
15+
FilteredRelation,
1516
FloatField,
1617
Func,
1718
IntegerField,
@@ -1121,6 +1122,15 @@ def test_alias_sql_injection(self):
11211122
with self.assertRaisesMessage(ValueError, msg):
11221123
Book.objects.annotate(**{crafted_alias: Value(1)})
11231124

1125+
def test_alias_filtered_relation_sql_injection(self):
1126+
crafted_alias = """injected_name" from "annotations_book"; --"""
1127+
msg = (
1128+
"Column aliases cannot contain whitespace characters, quotation marks, "
1129+
"semicolons, or SQL comments."
1130+
)
1131+
with self.assertRaisesMessage(ValueError, msg):
1132+
Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
1133+
11241134
def test_alias_forbidden_chars(self):
11251135
tests = [
11261136
'al"ias',
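Review bot: line 1132 uses `FilteredRelation("author")` while the two later tests (lines 1161 and 1444) use `FilteredRelation("authors")`; the case only passes regardless of the relation name because `check_alias` raises before the relation is resolved, so use the same relation name as the other tests to keep it meaningful if the validation order ever changes.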
@@ -1146,6 +1156,11 @@ def test_alias_forbidden_chars(self):
11461156
with self.assertRaisesMessage(ValueError, msg):
11471157
Book.objects.annotate(**{crafted_alias: Value(1)})
11481158

1159+
with self.assertRaisesMessage(ValueError, msg):
1160+
Book.objects.annotate(
1161+
**{crafted_alias: FilteredRelation("authors")}
1162+
)
1163+
11491164

11501165
class AliasTests(TestCase):
11511166
@classmethod
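Review bot: the assertion added inside the `test_alias_forbidden_chars` loop (lines 1159-1163) gives `annotate()` coverage of every forbidden alias for `FilteredRelation`, but no matching loop assertion is added for `alias()` in `AliasTests`, which in the last hunk only receives the single crafted-alias case; mirror this addition there so both entry points are checked against the same list of forbidden characters.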
@@ -1418,3 +1433,12 @@ def test_alias_sql_injection(self):
14181433
)
14191434
with self.assertRaisesMessage(ValueError, msg):
14201435
Book.objects.alias(**{crafted_alias: Value(1)})
1436+
1437+
def test_alias_filtered_relation_sql_injection(self):
1438+
crafted_alias = """injected_name" from "annotations_book"; --"""
1439+
msg = (
1440+
"Column aliases cannot contain whitespace characters, quotation marks, "
1441+
"semicolons, or SQL comments."
1442+
)
1443+
with self.assertRaisesMessage(ValueError, msg):
1444+
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
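Review bot: `crafted_alias` and `msg` here (lines 1438-1442) duplicate the earlier `annotate()` test verbatim (lines 1126-1130), and the same `msg` string already appears in the existing `test_alias_sql_injection` methods; hoist the expected message into a module-level constant so the three copies cannot drift apart if the wording in `check_alias` is ever revised.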
