Description
This issue is automatically created based on existing pull request: #40435: Validate string collection filters to prevent SQL injection
Harden collection string filters against SQL injection
Summary
This PR addresses a SQL injection risk in Magento’s collection filtering
system related to the 'string' filter type.
The collection API allows raw SQL fragments to be passed when using
addFilter(..., 'string'). These fragments were previously applied
directly to the query without validation, relying entirely on developer
discipline to ensure proper escaping.
While Magento core uses this API safely, the design created a dangerous
footgun for custom and third-party code.
Root Cause
The 'string' filter type accepts arbitrary SQL fragments and passes
them directly to the database layer via $select->where() with no
validation or enforcement.
This makes it easy for unsafe code paths to introduce SQL injection if
user-controlled input is passed without proper escaping.
Fix
This change introduces validation for 'string' filters before they are
applied to the query:
- Unsafe SQL patterns are rejected with a clear exception
- Properly escaped SQL fragments (e.g. generated via quoteInto()) continue to work unchanged
- No behavior change for existing safe Magento core code
Files updated:
- Magento/Framework/Data/Collection/AbstractDb.php
- Magento/Framework/Data/Collection/SqlInjectionValidator.php (new)
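To make the root cause and the fix concrete, the following is an added example, not code from this PR or from Magento. It reproduces, against an in-memory SQLite database (PDO with the pdo_sqlite driver is assumed to be available), what AbstractDb does with a 'string' filter: the fragment is passed to the WHERE clause verbatim. A naively interpolated request value then rewrites the query, while the same value run through a quoteInto()-style placeholder substitution, or through a parameterized query as addFieldToFilter() would produce, stays inert. The table, rows and attacker input are constructed for the demonstration; renderStringFilter() and the local quoteInto() are stand-ins for $select->where() and $connection->quoteInto(), not the framework's methods.

```php
<?php
// Added example, not Magento code. Shows why a raw SQL fragment passed to
// addFilter($field, $value, 'string') is dangerous and what the safe forms look like.
// Uses an in-memory SQLite database via PDO (assumed available) as a stand-in for the
// Magento connection; the sample rows and the attacker input are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE catalog_product_entity (entity_id INTEGER PRIMARY KEY, sku TEXT)');
$db->exec("INSERT INTO catalog_product_entity (entity_id, sku) VALUES (1, 'WS01'), (2, 'WS02'), (3, 'MH01')");

// Mimics what AbstractDb::_renderFilters() does for the 'string' type: the fragment is
// handed to $select->where() unchanged and lands in the WHERE clause as-is.
function renderStringFilter(PDO $db, string $fragment): array
{
    $sql = 'SELECT sku FROM catalog_product_entity WHERE ' . $fragment;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Stand-in for $connection->quoteInto('sku = ?', $value): the placeholder is replaced
// by the driver-quoted literal, so the value can never close the string literal.
function quoteInto(PDO $db, string $text, string $value): string
{
    return str_replace('?', $db->quote($value), $text);
}

// Constructed attacker-controlled value, e.g. taken from a request parameter.
$userInput = "WS01' OR '1'='1";

// 1. Unsafe: the developer interpolates the value into the fragment by hand.
//    The WHERE clause becomes   sku = 'WS01' OR '1'='1'   and matches every row.
$unsafeFragment = "sku = '" . $userInput . "'";
$leaked = renderStringFilter($db, $unsafeFragment);

// 2. Safe: the fragment is built with quoteInto() before being used as a 'string' filter.
//    The WHERE clause becomes   sku = 'WS01'' OR ''1''=''1'   and matches nothing.
$safeFragment = quoteInto($db, 'sku = ?', $userInput);
$matched = renderStringFilter($db, $safeFragment);

// 3. Preferred in real Magento code: avoid raw fragments and let the collection quote the
//    value, e.g. $collection->addFieldToFilter('sku', ['eq' => $userInput]).
//    A parameterized query gives the same guarantee here.
$stmt = $db->prepare('SELECT sku FROM catalog_product_entity WHERE sku = :sku');
$stmt->execute([':sku' => $userInput]);
$matchedParam = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("unsafe 'string' filter returned %d rows: %s\n", count($leaked), implode(', ', $leaked));
printf("quoteInto() fragment returned %d rows\n", count($matched));
printf("parameterized query returned %d rows\n", count($matchedParam));
```

Running this with the PHP CLI shows the unsafe fragment returning all three SKUs while the other two forms return none. Note that the injected fragment in case 1 is syntactically valid SQL with balanced quotes, which is why any pattern-based validation of fragments, including the one this PR adds, is a defense-in-depth measure: the reliable fix in custom code is to build fragments with quoteInto() or to use addFieldToFilter() and never concatenate request data into a 'string' filter.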
Security Impact
- Prevents SQL injection through unsafe use of collection string filters
- Hardens the framework against vulnerable third-party extensions
- Enforces secure-by-default behavior at the framework level
- Provides defense-in-depth without breaking existing safe usage
Compatibility
- Fully backward compatible for correct implementations
- Magento core code unaffected
- Only unsafe usage patterns are blocked
- Clear error messaging guides developers to safer APIs