authorSimon Charette <charette.s@gmail.com>2024-11-08 21:27:31 -0500
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-12-04 13:43:13 +0100
commit8f8dc5a1fca7d076e749f307f6573af3512e7e99 (patch)
treea67db349f768eb36c7e932104ceb36e009b848f2 /tests/model_fields
parent49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba (diff)
Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle.
Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
Diffstat (limited to 'tests/model_fields')
-rw-r--r--tests/model_fields/test_jsonfield.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/model_fields/test_jsonfield.py b/tests/model_fields/test_jsonfield.py
index 4c3dc61176..09f95ce69f 100644
--- a/tests/model_fields/test_jsonfield.py
+++ b/tests/model_fields/test_jsonfield.py
@@ -29,6 +29,7 @@ from django.db.models import (
from django.db.models.expressions import RawSQL
from django.db.models.fields.json import (
KT,
+ HasKey,
KeyTextTransform,
KeyTransform,
KeyTransformFactory,
@@ -582,6 +583,14 @@ class TestQuerying(TestCase):
[expected],
)
+ def test_has_key_literal_lookup(self):
+ self.assertSequenceEqual(
+ NullableJSONModel.objects.filter(
+ HasKey(Value({"foo": "bar"}, JSONField()), "foo")
+ ).order_by("id"),
+ self.objs,
+ )
+
def test_has_key_list(self):
obj = NullableJSONModel.objects.create(value=[{"a": 1}, {"b": "x"}])
tests = [
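Review bot: The added `test_has_key_literal_lookup` only uses the benign key `"foo"`, so it pins that `HasKey` accepts a literal `Value(...)` left-hand side but does not by itself show that a key containing quote characters is handled as data on Oracle. Consider a companion assertion in the same test with a quoted key that expects no rows, for example `NullableJSONModel.objects.filter(HasKey(Value({"foo": "bar"}, JSONField()), "fo'o"))` compared against `[]`. The diffstat is limited to tests/model_fields, so the fix itself and any other tests in the commit are not visible here, and such coverage may already exist elsewhere. A one-line comment such as `# Regression test for CVE-2024-53908: direct HasKey usage with a literal lhs.` would also tie the test to the advisory; the enclosing TestQuerying class starts and ends outside the hunk.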