payloadcms
diff --git a/‎packages/drizzle/src/find/traverseFields.ts‎
Lines changed: 14 additions & 1 deletion b/‎packages/drizzle/src/find/traverseFields.ts‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎packages/drizzle/src/postgres/createJSONQuery/index.ts‎
Lines changed: 2 additions & 1 deletion b/‎packages/drizzle/src/postgres/createJSONQuery/index.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/drizzle/src/queries/parseParams.ts‎
Lines changed: 5 additions & 1 deletion b/‎packages/drizzle/src/queries/parseParams.ts‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎packages/drizzle/src/sqlite/createJSONQuery/convertPathToJSONTraversal.ts‎
Lines changed: 5 additions & 1 deletion b/‎packages/drizzle/src/sqlite/createJSONQuery/convertPathToJSONTraversal.ts‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎packages/drizzle/src/sqlite/createJSONQuery/index.ts‎
Lines changed: 13 additions & 11 deletions b/‎packages/drizzle/src/sqlite/createJSONQuery/index.ts‎
Lines changed: 13 additions & 11 deletions
diff --git a/‎packages/drizzle/src/utilities/json.ts‎
Lines changed: 10 additions & 1 deletion b/‎packages/drizzle/src/utilities/json.ts‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎packages/drizzle/src/utilities/sanitizePathSegment.ts‎
Lines changed: 18 additions & 0 deletions b/‎packages/drizzle/src/utilities/sanitizePathSegment.ts‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎packages/next/src/views/Account/ResetPreferences/index.tsx‎
Lines changed: 2 additions & 4 deletions b/‎packages/next/src/views/Account/ResetPreferences/index.tsx‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎packages/payload/src/database/getLocalizedPaths.ts‎
Lines changed: 2 additions & 1 deletion b/‎packages/payload/src/database/getLocalizedPaths.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/payload/src/database/queryValidation/validateQueryPaths.ts‎
Lines changed: 1 addition & 1 deletion b/‎packages/payload/src/database/queryValidation/validateQueryPaths.ts‎
Lines changed: 1 addition & 1 deletion
@@ -27,6 +27,7 @@ import { getArrayRelationName } from '../utilities/getArrayRelationName.js'
 import { getNameFromDrizzleTable } from '../utilities/getNameFromDrizzleTable.js'
 import { jsonAggBuildObject } from '../utilities/json.js'
 import { rawConstraint } from '../utilities/rawConstraint.js'
+import { sanitizePathSegment } from '../utilities/sanitizePathSegment.js'
 import {
   InternalBlockTableNameIndex,
   resolveBlockTableName,
@@ -63,6 +64,9 @@ const buildSQLWhere = (where: Where, alias: string) => {
 
       const value = where[k][payloadOperator]
       if (payloadOperator === '$raw') {
+        if (typeof value !== 'string') {
+          return undefined
+        }
         return sql.raw(value)
       }
 
@@ -75,7 +79,16 @@ const buildSQLWhere = (where: Where, alias: string) => {
         payloadOperator = 'isNull'
       }
 
-      return operatorMap[payloadOperator](sql.raw(`"${alias}"."${k.split('.').join('_')}"`), value)
+      if (!(payloadOperator in operatorMap)) {
+        return undefined
+      }
+
+      const sanitizedColumnName = k
+        .split('.')
+        .map((s) => sanitizePathSegment(s))
+        .join('_')
+
+      return operatorMap[payloadOperator](sql.raw(`"${alias}"."${sanitizedColumnName}"`), value)
     }
   }
 }
 
@@ -3,6 +3,7 @@ import { APIError } from 'payload'
 import type { CreateJSONQueryArgs } from '../../types.js'
 
 import { SAFE_STRING_REGEX } from '../../utilities/escapeSQLValue.js'
+import { sanitizePathSegment } from '../../utilities/sanitizePathSegment.js'
 
 const operatorMap: Record<string, string> = {
   contains: '~',
@@ -43,7 +44,7 @@ export const createJSONQuery = ({ column, operator, pathSegments, value }: Creat
   const jsonPaths = pathSegments
     .slice(1)
     .map((key) => {
-      return `${key}[*]`
+      return `${sanitizePathSegment(key)}[*]`
     })
     .join('.')
 
 
@@ -185,7 +185,11 @@ export function parseParams({
                   }
 
                   let formattedValue = val
-                  if (adapter.name === 'sqlite' && operator === 'equals' && !isNaN(val)) {
+                  if (
+                    adapter.name === 'sqlite' &&
+                    operator === 'equals' &&
+                    (typeof val === 'number' || typeof val === 'boolean')
+                  ) {
                     formattedValue = val
                   } else if (['in', 'not_in'].includes(operator) && Array.isArray(val)) {
                     formattedValue = `(${val.map((v) => `${escapeSQLValue(v)}`).join(',')})`
 
@@ -1,9 +1,13 @@
+import { sanitizePathSegment } from '../../utilities/sanitizePathSegment.js'
+
 export const convertPathToJSONTraversal = (incomingSegments: string[]): string => {
   const segments = [...incomingSegments]
   segments.shift()
 
   return segments.reduce((res, segment) => {
-    const formattedSegment = Number.isNaN(parseInt(segment)) ? `'${segment}'` : segment
+    const formattedSegment = Number.isNaN(parseInt(segment))
+      ? `'${sanitizePathSegment(segment)}'`
+      : segment
     return `${res}->>${formattedSegment}`
   }, '')
 }
@@ -1,6 +1,7 @@
 import type { CreateJSONQueryArgs } from '../../types.js'
 
 import { escapeSQLValue } from '../../utilities/escapeSQLValue.js'
+import { sanitizePathSegment } from '../../utilities/sanitizePathSegment.js'
 
 type FromArrayArgs = {
   isRoot?: true
@@ -20,11 +21,12 @@ const fromArray = ({
   value,
 }: FromArrayArgs) => {
   const newPathSegments = pathSegments.slice(1)
-  const alias = `${pathSegments[isRoot ? 0 : 1]}_alias_${newPathSegments.length}`
+  const sanitizedSegment = sanitizePathSegment(pathSegments[isRoot ? 0 : 1])
+  const alias = `${sanitizedSegment}_alias_${newPathSegments.length}`
 
   return `EXISTS (
     SELECT 1
-    FROM json_each(${table}.${pathSegments[0]}) AS ${alias}
+    FROM json_each(${table}.${sanitizePathSegment(pathSegments[0])}) AS ${alias}
     WHERE ${createJSONQuery({
       operator,
       pathSegments: newPathSegments,
@@ -61,25 +63,25 @@ const createConstraint = ({
 
   if (operator === 'exists') {
     if (pathSegments.length === 1) {
-      return `EXISTS (SELECT 1 FROM json_each("${pathSegments[0]}") AS ${newAlias})`
+      return `EXISTS (SELECT 1 FROM json_each("${sanitizePathSegment(pathSegments[0])}") AS ${newAlias})`
     }
 
     return `EXISTS (
       SELECT 1
-      FROM json_each(${alias}.value -> '${pathSegments[0]}') AS ${newAlias}
-      WHERE ${newAlias}.key = '${pathSegments[1]}'
+      FROM json_each(${alias}.value -> '${sanitizePathSegment(pathSegments[0])}') AS ${newAlias}
+      WHERE ${newAlias}.key = '${sanitizePathSegment(pathSegments[1])}'
     )`
   }
 
   if (operator === 'not_exists') {
     if (pathSegments.length === 1) {
-      return `NOT EXISTS (SELECT 1 FROM json_each("${pathSegments[0]}") AS ${newAlias})`
+      return `NOT EXISTS (SELECT 1 FROM json_each("${sanitizePathSegment(pathSegments[0])}") AS ${newAlias})`
     }
 
     return `NOT EXISTS (
       SELECT 1
-      FROM json_each(${alias}.value -> '${pathSegments[0]}') AS ${newAlias}
-      WHERE ${newAlias}.key = '${pathSegments[1]}'
+      FROM json_each(${alias}.value -> '${sanitizePathSegment(pathSegments[0])}') AS ${newAlias}
+      WHERE ${newAlias}.key = '${sanitizePathSegment(pathSegments[1])}'
     )`
   }
 
@@ -96,13 +98,13 @@ const createConstraint = ({
   }
 
   if (pathSegments.length === 1) {
-    return `EXISTS (SELECT 1 FROM json_each("${pathSegments[0]}") AS ${newAlias} WHERE ${newAlias}.value ${formattedOperator} '${formattedValue}')`
+    return `EXISTS (SELECT 1 FROM json_each("${sanitizePathSegment(pathSegments[0])}") AS ${newAlias} WHERE ${newAlias}.value ${formattedOperator} '${formattedValue}')`
   }
 
   return `EXISTS (
   SELECT 1
-  FROM json_each(${alias}.value -> '${pathSegments[0]}') AS ${newAlias}
-  WHERE COALESCE(${newAlias}.value ->> '${pathSegments[1]}', '') ${formattedOperator} '${formattedValue}'
+  FROM json_each(${alias}.value -> '${sanitizePathSegment(pathSegments[0])}') AS ${newAlias}
+  WHERE COALESCE(${newAlias}.value ->> '${sanitizePathSegment(pathSegments[1])}', '') ${formattedOperator} '${formattedValue}'
   )`
 }
 
 
@@ -1,9 +1,12 @@
 import type { Column, SQL } from 'drizzle-orm'
 
 import { sql } from 'drizzle-orm'
+import { APIError } from 'payload'
 
 import type { DrizzleAdapter } from '../types.js'
 
+const SAFE_KEY_REGEX = /^\w+$/
+
 export function jsonAgg(adapter: DrizzleAdapter, expression: SQL) {
   if (adapter.name === 'sqlite') {
     return sql`coalesce(json_group_array(${expression}), '[]')`
@@ -13,7 +16,7 @@ export function jsonAgg(adapter: DrizzleAdapter, expression: SQL) {
 }
 
 /**
- * @param shape Potential for SQL injections, so you shouldn't allow user-specified key names
+ * @param shape Keys are interpolated into raw SQL — only use trusted, internally-generated key names
  */
 export function jsonBuildObject<T extends Record<string, Column | SQL>>(
   adapter: DrizzleAdapter,
@@ -22,6 +25,12 @@ export function jsonBuildObject<T extends Record<string, Column | SQL>>(
   const chunks: SQL[] = []
 
   Object.entries(shape).forEach(([key, value]) => {
+    if (!SAFE_KEY_REGEX.test(key)) {
+      throw new APIError(
+        'Unsafe key passed to jsonBuildObject. Only alphanumeric characters and underscores are allowed.',
+        500,
+      )
+    }
     if (chunks.length > 0) {
       chunks.push(sql.raw(','))
     }
 
@@ -0,0 +1,18 @@
+import { APIError } from 'payload'
+
+/**
+ * Validates that a path segment contains only allowed characters (word characters: [a-zA-Z0-9_]).
+ *
+ * @throws {APIError} if the segment contains characters outside /^[\w]+$/
+ */
+const SAFE_PATH_SEGMENT_REGEX = /^\w+$/
+
+export const sanitizePathSegment = (segment: string): string => {
+  if (!SAFE_PATH_SEGMENT_REGEX.test(segment)) {
+    throw new APIError(
+      'Invalid path segment. Only alphanumeric characters and underscores are permitted.',
+      400,
+    )
+  }
+  return segment
+}
@@ -35,10 +35,8 @@ export const ResetPreferences: React.FC<{
       {
         depth: 0,
         where: {
-          user: {
-            id: {
-              equals: user.id,
-            },
+          'user.value': {
+            equals: user.id,
           },
         },
       },
 
@@ -7,6 +7,7 @@ import {
   type FlattenedField,
 } from '../fields/config/types.js'
 import { APIError, type Payload, type SanitizedCollectionConfig } from '../index.js'
+import { SAFE_FIELD_PATH_REGEX } from '../types/constants.js'
 
 export function getLocalizedPaths({
   collectionSlug,
@@ -209,7 +210,7 @@ export function getLocalizedPaths({
           case 'richText': {
             const upcomingSegments = pathSegments.slice(i + 1).join('.')
             pathSegments.forEach((path) => {
-              if (!/^\w+(?:\.\w+)*$/.test(path)) {
+              if (!SAFE_FIELD_PATH_REGEX.test(path)) {
                 lastIncompletePath.invalid = true
               }
             })
 
@@ -101,7 +101,7 @@ export async function validateQueryPaths({
                 versionFields,
               }),
             )
-          } else if (typeof val !== 'object' || val === null) {
+          } else {
             errors.push({ path: `${path}.${operator}` })
           }
         }
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ export async function validateQueryPaths({`
`101`	`101`	`versionFields,`
`102`	`102`	`}),`
`103`	`103`	`)`
`104`		`- } else if (typeof val !== 'object' \|\| val === null) {`
	`104`	`+ } else {`
`105`	`105`	errors.push({ path: `${path}.${operator}` })
`106`	`106`	`}`
`107`	`107`	`}`