diff options
| author | Simon Charette <charette.s@gmail.com> | 2024-11-08 21:27:31 -0500 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-12-04 14:32:17 +0100 |
| commit | 7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5 (patch) | |
| tree | d1a37f839bd94179b3e357a0bbc356051fe74397 /tests | |
| parent | 790eb058b0716c536a2f2e8d1c6d5079d776c22b (diff) | |
[4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle.
Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah
Boyce for the reviews.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/model_fields/test_jsonfield.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/model_fields/test_jsonfield.py b/tests/model_fields/test_jsonfield.py index 4a1cc075b4..4c8d14bf9a 100644 --- a/tests/model_fields/test_jsonfield.py +++ b/tests/model_fields/test_jsonfield.py @@ -29,6 +29,7 @@ from django.db.models import ( from django.db.models.expressions import RawSQL from django.db.models.fields.json import ( KT, + HasKey, KeyTextTransform, KeyTransform, KeyTransformFactory, @@ -607,6 +608,14 @@ class TestQuerying(TestCase): [expected], ) + def test_has_key_literal_lookup(self): + self.assertSequenceEqual( + NullableJSONModel.objects.filter( + HasKey(Value({"foo": "bar"}, JSONField()), "foo") + ).order_by("id"), + self.objs, + ) + def test_has_key_list(self): obj = NullableJSONModel.objects.create(value=[{"a": 1}, {"b": "x"}]) tests = [ |
