summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2024-11-08 21:27:31 -0500
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-12-04 14:32:17 +0100
commit7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5 (patch)
treed1a37f839bd94179b3e357a0bbc356051fe74397 /tests
parent790eb058b0716c536a2f2e8d1c6d5079d776c22b (diff)
[4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle.
Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
Diffstat (limited to 'tests')
-rw-r--r--tests/model_fields/test_jsonfield.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/model_fields/test_jsonfield.py b/tests/model_fields/test_jsonfield.py
index 4a1cc075b4..4c8d14bf9a 100644
--- a/tests/model_fields/test_jsonfield.py
+++ b/tests/model_fields/test_jsonfield.py
@@ -29,6 +29,7 @@ from django.db.models import (
from django.db.models.expressions import RawSQL
from django.db.models.fields.json import (
KT,
+ HasKey,
KeyTextTransform,
KeyTransform,
KeyTransformFactory,
@@ -607,6 +608,14 @@ class TestQuerying(TestCase):
[expected],
)
+ def test_has_key_literal_lookup(self):
+ self.assertSequenceEqual(
+ NullableJSONModel.objects.filter(
+ HasKey(Value({"foo": "bar"}, JSONField()), "foo")
+ ).order_by("id"),
+ self.objs,
+ )
+
def test_has_key_list(self):
obj = NullableJSONModel.objects.create(value=[{"a": 1}, {"b": "x"}])
tests = [