From 479415ce5249bcdebeb6570c72df2a87f45a7bbf Mon Sep 17 00:00:00 2001
From: Jacob Walls
Date: Mon, 17 Nov 2025 17:09:54 -0500
Subject: [5.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.

Follow-up to CVE-2025-57833.
Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.
Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.
---
 tests/annotations/tests.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'tests/annotations/tests.py')

diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
index 7a12121224..78e5408d0f 100644
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -1507,3 +1507,14 @@ class AliasTests(TestCase):
         )
         with self.assertRaisesMessage(ValueError, msg):
             Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
+
+    def test_alias_filtered_relation_sql_injection_dollar_sign(self):
+        qs = Book.objects.alias(
+            **{"crafted_alia$": FilteredRelation("authors")}
+        ).values("name", "crafted_alia$")
+        if connection.vendor == "postgresql":
+            msg = "Dollar signs are not permitted in column aliases on PostgreSQL."
+            with self.assertRaisesMessage(ValueError, msg):
+                list(qs)
+        else:
+            self.assertEqual(qs.first()["name"], self.b1.name)
-- 
cgit v1.3
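Review bot: The non-PostgreSQL branch only checks that the query executes and returns b1's name, so it never confirms that the `$` alias itself is emitted and round-trips through the backend; tightening the last assertion to the whole row, e.g. `row = qs.first()` / `self.assertEqual(row["name"], self.b1.name)` / `self.assertIn("crafted_alia$", row)`, would pin that (assuming values() keys the row by the alias as given). That assertion also relies on `first()` picking `self.b1` under the default ordering, which is set up outside the hunk. Unlike the preceding test, where the ValueError is raised by `alias()` itself, here it is raised only when the queryset is evaluated, so a short comment such as `# The dollar-sign check is backend-specific, so it fires at SQL compilation, not in alias().` would explain why `list(qs)` sits inside the assertRaises block. The enclosing class AliasTests starts before the hunk.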