Conversation

@Naveed8951 Naveed8951 commented Jan 11, 2026

Harden collection string filters against SQL injection

Summary

This PR addresses a SQL injection risk in Magento’s collection filtering
system related to the 'string' filter type.

The collection API allows raw SQL fragments to be passed when using
addFilter(..., 'string'). These fragments were previously applied
directly to the query without validation, relying entirely on developer
discipline to ensure proper escaping.

While Magento core uses this API safely, the design created a dangerous
footgun for custom and third-party code.


Root Cause

The 'string' filter type accepts arbitrary SQL fragments and passes
them directly to the database layer via $select->where() with no
validation or enforcement.

This makes it easy for unsafe code paths to introduce SQL injection if
user-controlled input is passed without proper escaping.


Fix

This change introduces validation for 'string' filters before they are
applied to the query:

  • Unsafe SQL patterns are rejected with a clear exception
  • Properly escaped SQL fragments (e.g. generated via quoteInto())
    continue to work unchanged
  • No behavior change for existing safe Magento core code

Files updated:

  • Magento/Framework/Data/Collection/AbstractDb.php
  • Magento/Framework/Data/Collection/SqlInjectionValidator.php (new)

Security Impact

  • Prevents SQL injection through unsafe use of collection string filters
  • Hardens the framework against vulnerable third-party extensions
  • Enforces secure-by-default behavior at the framework level
  • Provides defense-in-depth without breaking existing safe usage

Compatibility

  • Fully backward compatible for correct implementations
  • Magento core code unaffected
  • Only unsafe usage patterns are blocked
  • Clear error messaging guides developers to safer APIs

Resolved issues:

  1. resolves #40437: [Issue] Validate string collection filters to prevent SQL injection

The collection filter API allowed raw SQL fragments to be passed via
the 'string' filter type without validation. This created a latent SQL
injection risk, particularly in third-party or custom code paths using
unescaped user input.

This change adds validation for 'string' filters and enforces that only
pre-escaped SQL fragments are accepted, blocking unsafe patterns while
preserving backward compatibility for existing safe usages.
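The footgun the PR describes, as an added stand-alone example that is not code from the pull request or from Magento itself: a 'string' filter is whatever SQL fragment the caller builds, so concatenating a request parameter into it changes the query's meaning, while building the same fragment through quoteInto() keeps the parameter inside the literal. The quoteIntoStub() function is an assumed stand-in for Magento's AdapterInterface::quoteInto() (it only escapes backslash and single quote), and isSuspiciousFragment() is a hypothetical lexical check written for this example, not the PR's SqlInjectionValidator; the three input strings are constructed.

```php
<?php
declare(strict_types=1);

// Constructed inputs: an attacker-supplied request parameter in two shapes.
const INPUT_COMMENT_TAIL = "ABC-123' OR 1=1 -- ";
const INPUT_TAUTOLOGY    = "' OR '1'='1";

// Assumed stand-in for AdapterInterface::quoteInto('col = ?', $value):
// the value becomes a single-quoted literal with backslash and quote escaped.
// Magento's real adapter delegates to the PDO driver; this is a simplification.
function quoteIntoStub(string $text, string $value): string
{
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
    return str_replace('?', "'" . $escaped . "'", $text);
}

// Unsafe: plain concatenation, the pattern addFilter($f, $sql, 'string') lets through.
function unsafeStringFilter(string $sku): string
{
    return "sku = '" . $sku . "'";
}

// Safe: the literal is escaped before the fragment exists.
function safeStringFilter(string $sku): string
{
    return quoteIntoStub('sku = ?', $sku);
}

// Hypothetical validator (not the PR's): walks the fragment tracking whether
// the cursor is inside a single-quoted literal, and rejects a statement
// separator, a comment marker outside a literal, or an unterminated literal.
function isSuspiciousFragment(string $sql): bool
{
    $inString = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($inString) {
            if ($c === '\\') { $i++; continue; }              // backslash escape
            if ($c === "'") {
                if ($i + 1 < $len && $sql[$i + 1] === "'") {  // doubled-quote escape
                    $i++;
                    continue;
                }
                $inString = false;
            }
            continue;
        }
        if ($c === "'") { $inString = true; continue; }
        if ($c === ';' || $c === '#') { return true; }
        if ($c === '-' && $i + 1 < $len && $sql[$i + 1] === '-') { return true; }
        if ($c === '/' && $i + 1 < $len && $sql[$i + 1] === '*') { return true; }
    }
    return $inString; // an unbalanced quote is suspicious too
}

function report(string $label, string $fragment): void
{
    printf("%-22s %s\n%-22s %s\n", $label, $fragment,
        '  flagged:', isSuspiciousFragment($fragment) ? 'yes' : 'no');
}

report('unsafe, comment tail:', unsafeStringFilter(INPUT_COMMENT_TAIL));
report('safe, comment tail:',   safeStringFilter(INPUT_COMMENT_TAIL));
report('unsafe, tautology:',    unsafeStringFilter(INPUT_TAUTOLOGY));
report('safe, tautology:',      safeStringFilter(INPUT_TAUTOLOGY));
```

Running it shows the limit of any pattern-based check on 'string' filters. The comment-tail input yields `sku = 'ABC-123' OR 1=1 -- '` unescaped (flagged) and `sku = 'ABC-123\' OR 1=1 -- '` escaped (clean). The tautology input, however, yields `sku = '' OR '1'='1'` unescaped: quotes balanced, no comment marker, so the lexical check passes it even though the WHERE clause now matches every row. A validator of this kind raises the bar for accidental misuse, but only quoteInto() or a bound parameter removes the injection.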
m2-assistant bot commented Jan 11, 2026

Hi @Naveed8951. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@engcom-Hotel
Contributor

@magento create issue

@ct-prd-pr-scan

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@engcom-Hotel engcom-Hotel added Triage: Dev.Experience Issue related to Developer Experience and needs help with Triage to Confirm or Reject it Priority: P2 A defect with this priority could have functionality issues which are not to expectations. labels Jan 13, 2026
@github-project-automation github-project-automation bot moved this to Pending Review in Pull Requests Dashboard Jan 13, 2026
Labels

Priority: P2 A defect with this priority could have functionality issues which are not to expectations. Progress: pending review Triage: Dev.Experience Issue related to Developer Experience and needs help with Triage to Confirm or Reject it

Projects

Status: Pending Review