Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.

Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-17 17:09:54 -0500
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-12-02 09:21:07 -0300
commit: 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e (patch)
tree: eb7a0093990c453a453a178f67e3302da24df188 /tests/annotations/tests.py
parent: cb1d2854ed2b13799f2b0cc6e04019df181bacd4 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
index a114480d48..10cd05db63 100644
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -1541,6 +1541,17 @@ class AliasTests(TestCase):
         with self.assertRaisesMessage(ValueError, msg):
             Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
 
+    def test_alias_filtered_relation_sql_injection_dollar_sign(self):
+        qs = Book.objects.alias(
+            **{"crafted_alia$": FilteredRelation("authors")}
+        ).values("name", "crafted_alia$")
+        if connection.vendor == "postgresql":
+            msg = "Dollar signs are not permitted in column aliases on PostgreSQL."
+            with self.assertRaisesMessage(ValueError, msg):
+                list(qs)
+        else:
+            self.assertEqual(qs.first()["name"], self.b1.name)
+
     def test_values_wrong_alias(self):
         expected_message = (
             "Cannot resolve keyword 'alias_typo' into field. Choices are: %s"
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-17 17:09:54 -0500
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-12-02 09:21:07 -0300
commit	5b90ca1e7591fa36fccf2d6dad67cf1477e6293e (patch)
tree	eb7a0093990c453a453a178f67e3302da24df188 /tests/annotations/tests.py
parent	cb1d2854ed2b13799f2b0cc6e04019df181bacd4 (diff)