authorJacob Walls <jacobtylerwalls@gmail.com>2025-09-24 15:54:51 -0400
committerNatalia <124304+nessita@users.noreply.github.com>2025-11-05 09:20:57 -0300
commit98e642c69181c942d60a10ca0085d48c6b3068bb (patch)
treea6faa02ecaf199943af42b4ebd18d650c9bff6c5 /tests/queries
parentc880530ddd4fabd5939bab0e148bebe36699432a (diff)
Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews.
Diffstat (limited to 'tests/queries')
-rw-r--r--tests/queries/test_q.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
index 1a62aca061..52200b2ecf 100644
--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -272,6 +272,11 @@ class QTests(SimpleTestCase):
Q(*items, _connector=connector),
)
+ def test_connector_validation(self):
+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+ with self.assertRaisesMessage(ValueError, msg):
+ Q(_connector="evil")
+
def test_referenced_base_fields(self):
# Make sure Q.referenced_base_fields retrieves all base fields from
# both filters and F expressions.
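Review bot: `test_connector_validation` pins the rejection of only one arbitrary string, so a check that matched connectors case-insensitively, or that let an empty string through, would still pass it. As the regression test for CVE-2025-64459, it would be stronger looping over several near-miss values: `for connector in ("evil", "and", ""):` with `with self.subTest(connector=connector), self.assertRaisesMessage(ValueError, msg):` around `Q(_connector=connector)`. This assumes the validation is meant to be an exact allow-list match; that code is not visible in this tests-only view. The diffstat is limited to tests/queries, so this page cannot confirm whether the QuerySet entry points named in the commit title have their own regression tests. The enclosing `QTests` class and the following `test_referenced_base_fields` extend beyond the hunk.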