path: root/tests/expressions
Age | Commit message | Author
2026-02-27 | Refs #35972 -- Returned params in a tuple in further expressions. | Jacob Walls
2026-02-12 | Added extra pattern lookup escaping cases in tests/expressions/tests.py. | Tim Graham
These new cases have regex characters that must be escaped by backends like MongoDB.
2026-02-10 | Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. | 93578237
Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-03 | Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. | Jake Howard
Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-01-20 | Fixed #36030 -- Fixed precision loss in division of Decimal literals on SQLite. | VIZZARD-X
Thanks Bob Kline for the review.
2025-11-24 | Fixed #36751 -- Fixed empty filtered aggregation crash over annotated queryset. | Simon Charette
Regression in b8e5a8a9a2a767f584cbe89a878a42363706f939. Refs #36404. The replace_expressions method was inappropriately dealing with falsey but not None source expressions causing them to also be potentially evaluated when __bool__ was invoked (e.g. QuerySet.__bool__ evaluates the queryset). The changes introduced in b8e5a8a9a2, which were to deal with a similar issue, surfaced the problem as aggregation over an annotated queryset requires an inlining (or pushdown) of aggregate references which is achieved through replace_expressions. In cases where an empty Q object was provided as an aggregate filter, such as when the admin faceting feature was used as reported, it would wrongly be turned into None, instead of an empty WhereNode, causing a crash at aggregate filter compilation. Note that the crash signature differed depending on whether or not the backend natively supports aggregate filtering (supports_aggregate_filter_clause) as the fallback, which makes use of Case / When expressions, would result in a TypeError instead of a NoneType AttributeError. Thanks Rafael Urben for the report, Antoliny and Youngkwang Yang for the triage.
2025-10-01 | Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. | Mariusz Felisiak
Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
2025-09-14 | Fixed #27222 -- Refreshed model field values assigned expressions on save(). | Simon Charette
Removed the can_return_columns_from_insert skip gates on existing field_defaults tests to confirm the expected number of queries are performed and that returning field overrides are respected.
2025-08-29 | Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values(). | Jacob Walls
2025-08-07 | Fixed #36210, Refs #36181 -- Allowed Subquery usage in further lookups against composite pks. | Jacob Walls
Follow-up to 8561100425876bde3be4b2a22324655f74ff9609. Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-08-07 | Refs #36210 -- Added missing limits in Subquery tests. | Jacob Walls
2025-08-04 | Fixed #35972 -- Fixed lookup crashes after subquery annotations. | Jacob Walls
2025-06-16 | Fixed #36453 -- Made When.condition resolve with for_save=False. | Clifford Gama
Value(None, JSONField()) when used in When.condition incorrectly resolved with for_save=True, resulting in the value being serialized as SQL NULL instead of JSON null. Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940. Thanks to Thomas McKay for the report, and to David Sanders and Simon Charette for the review. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-03-01 | Fixed #36198 -- Implemented unresolved transform expression replacement. | Simon Charette
This allows the proper resolving of F("field__transform") when performing constraint validation. Thanks Tom Hall for the report and Sarah for the test.
2025-02-15 | Fixed #36173 -- Stabilized identity of Concat with an explicit output_field. | Simon Charette
When Expression.__init__() overrides make use of *args, **kwargs captures their argument values are respectively bound as a tuple and dict instances. These composite values might themselves contain values that require special identity treatments such as Concat(output_field) as it's a Field instance. Refs #30628 which introduced bound Field differentiation but lacked argument captures handling. Thanks erchenstein for the report.
2025-02-06 | Fixed #36025 -- Fixed re-aliasing of iterable (in/range) lookups rhs. | Simon Charette
In order for Expression.relabeled_clone to work appropriately its get_source_expressions method must return all resolvable which wasn't the case for Lookup when its right-hand-side is "direct" (not a compilable). While refs #22288 added support for non-literals iterable right-hand-side lookups it predated the subclassing of Lookup(Expression) refs #27021 which could have been an opportunity to ensure right-hand-sides are always resolvable (ValueList and ExpressionList). Addressing all edge cases with non-resolvable right-hand-sides would require a significant refactor and deprecation of some parts of the Lookup interface so this patch only focuses on FieldGetDbPrepValueIterableMixin (In and Range lookups) by making sure that a right-hand-side containing resolvables are dealt with appropriately during the resolving phase. Thanks Aashay Amballi for the report.
2025-01-30 | Fixed #35235 -- Removed caching of BaseExpression._output_field_or_none. | sharonwoo
2024-09-17 | Refs #373, Refs #24121 -- Added ColPairs.__repr__(). | Bendeguz Csirmaz
2024-08-13 | Fixed #35665 -- Fixed a crash when passing an empty order_by to Window. | Simon Charette
This also caused un-ordered sliced prefetches to crash as they rely on Window. Regression in e16d0c176e9b89628cdec5e58c418378c4a2436a that made OrderByList piggy-back ExpressionList without porting the empty handling that the latter provided. Supporting explicit empty ordering on Window functions and slicing is arguably a foot-gun design due to how backends will return undeterministic results but this is a problem that requires a larger discussion. Refs #35064. Thanks Andrew Backer for the report and Mariusz for the review.
2024-08-06 | Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. | Simon Charette
Thanks Eyal (eyalgabay) for the report.
2024-07-23 | Refs #29049 -- Fixed isolation of BasicExpressionsTests._test_slicing_of_f_expressions() subtests. | Mariusz Felisiak
Thanks Tim Graham for the report.
2024-07-18 | Fixed #35603 -- Prevented F.__contains__() from hanging. | Simon Charette
Regression in 94b6f101f7dc363a8e71593570b17527dbb9f77f.
2024-06-21 | Fixed Number.__str__() crash when float/decimal_value is None in expressions tests models. | Tim Graham
2024-05-14 | Fixed #35275 -- Fixed Meta.constraints validation crash on UniqueConstraint with OpClass(). | Mariusz Felisiak
This also introduces Expression.constraint_validation_compatible that allows specifying that expression should be ignored during a constraint validation.
2024-03-21 | Fixed #35257 -- Corrected resolving output_field for IntegerField/DecimalField with NULL. | sharonwoo
2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2024-01-16 | Fixed #35111 -- Fixed compilation of DateField __in/__range rhs on SQLite and MySQL. | Simon Charette
Also removed tests that ensured that adapt_(date)timefield backend operations were able to deal with expressions when it's not the case for any other adapt methods.
2024-01-16 | Refs #22288 -- Corrected __range lookup test names. | Simon Charette
2023-12-30 | Fixed #29049 -- Added slicing notation to F expressions. | Nick Pope
Co-authored-by: Priyansh Saxena <askpriyansh@gmail.com> Co-authored-by: Niclas Olofsson <n@niclasolofsson.se> Co-authored-by: David Smith <smithdc@gmail.com> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Abhinav Yadav <abhinav.sny.2002@gmail.com>
2023-11-14 | Reverted "Refs #30446, Refs #34944 -- Fixed crash when adding GeneratedField with string Value()." | Mariusz Felisiak
This reverts commit 8b1acc0440418ac8f45ba48e2dfcf5126c83341b.
2023-11-08 | Refs #30446, Refs #34944 -- Fixed crash when adding GeneratedField with string Value(). | Simon Charette
This should allow smarter output_field inferring in functions dealing with text expressions. Regression in f333e3513e8bdf5ffeb6eeb63021c230082e6f95.
2023-10-04 | Refs #33482 -- Fixed QuerySet selecting and filtering against Exists() with empty queryset. | Simon Charette
Thanks Tobias Bengfort for the report.
2023-09-22 | Fixed #34858 -- Corrected resolving output_field for PositiveIntegerField. | toan
Regression in 40b8a6174f001a310aa33f7880db0efeeb04d4c4.
2023-09-01 | Fixed #34803 -- Fixed queryset crash when filtering against deeply nested OuterRef annotations. | willzhao
Thanks Pierre-Nicolas Rigal for the report. Regression in c67ea79aa981ae82595d89f8018a41fcd842e7c9.
2023-08-10 | Fixed #33817 -- Added support for python-oracledb and deprecated cx_Oracle. | Jingbei Li
2023-01-17 | Refs #33543 -- Made Expression.asc()/desc() and OrderBy raise ValueError when nulls_first/nulls_last=False is passed. | Mariusz Felisiak
Per deprecation timeline.
2023-01-16 | Refs #30129 -- Added test for create() with F() expression in Subquery. | sarahboyce
Fixed in 35431298226165986ad07e91f9d3aca721ff38ec.
2022-10-31 | Fixed #16211 -- Added logical NOT support to F expressions. | David Wobrock
2022-10-08 | Refs #33990 -- Renamed TransactionTestCase.assertQuerysetEqual() to assertQuerySetEqual(). | Gregor Gärtner
Co-Authored-By: Michael Howitz <mh@gocept.com>
2022-10-06 | Refs #30158 -- Removed alias argument for Expression.get_group_by_cols(). | Simon Charette
Recent refactors allowed GROUP BY aliasing allowed for aliasing to be entirely handled by the sql.Query.set_group_by and compiler layers.
2022-09-27 | Fixed #33464 -- Resolved output_field for combined numeric expressions with MOD operator. | David Wobrock
2022-05-12 | Fixed #33543 -- Deprecated passing nulls_first/nulls_last=False to OrderBy and Expression.asc()/desc(). | Mariusz Felisiak
Thanks Allen Jonathan David for the initial patch.
2022-04-14 | Relaxed some query ordering assertions in various tests. | Mariusz Felisiak
It accounts for differences seen on MySQL with MyISAM storage engine.
2022-04-11 | Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. | Mariusz Felisiak
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
2022-03-31 | Fixed #33397 -- Corrected resolving output_field for DateField/DateTimeField/TimeField/DurationFields. | Luke Plant
This includes refactoring of CombinedExpression._resolve_output_field() so it no longer uses the behavior inherited from Expression of guessing same output type if argument types match, and instead we explicitly define the output type of all supported operations. This also makes nonsensical operations involving dates (e.g. date + date) raise a FieldError, and adds support for automatically inferring output_field for cases such as:
* date - date
* date + duration
* date - duration
* time + duration
* time - time
2022-03-30 | Refs #33397 -- Added extra tests for resolving an output_field of CombinedExpression. | Luke Plant
2022-03-04 | Fixed #29865 -- Added logical XOR support for Q() and querysets. | Ryan Heard
2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2022-02-07 | Refs #33482 -- Fixed QuerySet selecting and filtering against negated Exists() with empty queryset. | Mariusz Felisiak
Regression in b7d1da5a62fe4141beff2bfea565f7ef0038c94c.