Validate string collection filters to prevent SQL injection

[Naveed8951]

Harden collection string filters against SQL injection

Summary

This PR addresses a SQL injection risk in Magento’s collection filtering
system related to the 'string' filter type.

The collection API allows raw SQL fragments to be passed when using
addFilter(..., 'string'). These fragments were previously applied
directly to the query without validation, relying entirely on developer
discipline to ensure proper escaping.

While Magento core uses this API safely, the design created a dangerous
footgun for custom and third-party code.

---

Root Cause

The 'string' filter type accepts arbitrary SQL fragments and passes
them directly to the database layer via $select->where() with no
validation or enforcement.

This makes it easy for unsafe code paths to introduce SQL injection if
user-controlled input is passed without proper escaping.

---

Fix

This change introduces validation for 'string' filters before they are
applied to the query:

• Unsafe SQL patterns are rejected with a clear exception
• Properly escaped SQL fragments (e.g. generated via quoteInto())
  continue to work unchanged
• No behavior change for existing safe Magento core code

Files updated:

• Magento/Framework/Data/Collection/AbstractDb.php
• Magento/Framework/Data/Collection/SqlInjectionValidator.php (new)

---

Security Impact

• Prevents SQL injection through unsafe use of collection string filters
• Hardens the framework against vulnerable third-party extensions
• Enforces secure-by-default behavior at the framework level
• Provides defense-in-depth without breaking existing safe usage

---

Compatibility

• Fully backward compatible for correct implementations
• Magento core code unaffected
• Only unsafe usage patterns are blocked
• Clear error messaging guides developers to safer APIs

Resolved issues:

1. resolves [Issue] Validate string collection filters to prevent SQL injection #40437: Validate string collection filters to prevent SQL injection

[m2-assistant]

Hi @Naveed8951. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email [email protected].

[engcom-Hotel]

@magento create issue

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email [email protected].