From 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Mon, 17 Nov 2025 17:09:54 -0500 Subject: Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL. Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. --- tests/annotations/tests.py | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'tests/annotations') diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py index a114480d48..10cd05db63 100644 --- a/tests/annotations/tests.py +++ b/tests/annotations/tests.py @@ -1541,6 +1541,17 @@ class AliasTests(TestCase): with self.assertRaisesMessage(ValueError, msg): Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) + def test_alias_filtered_relation_sql_injection_dollar_sign(self): + qs = Book.objects.alias( + **{"crafted_alia$": FilteredRelation("authors")} + ).values("name", "crafted_alia$") + if connection.vendor == "postgresql": + msg = "Dollar signs are not permitted in column aliases on PostgreSQL." + with self.assertRaisesMessage(ValueError, msg): + list(qs) + else: + self.assertEqual(qs.first()["name"], self.b1.name) + def test_values_wrong_alias(self): expected_message = ( "Cannot resolve keyword 'alias_typo' into field. Choices are: %s" -- cgit v1.3