Diffstat (limited to 'tests/postgres_tests/test_json.py')
-rw-r--r--tests/postgres_tests/test_json.py15
1 files changed, 14 insertions, 1 deletions
diff --git a/tests/postgres_tests/test_json.py b/tests/postgres_tests/test_json.py
index 2f0b55a292..e58c7a2e7f 100644
--- a/tests/postgres_tests/test_json.py
+++ b/tests/postgres_tests/test_json.py
@@ -4,9 +4,10 @@ from decimal import Decimal
from django.core import checks, exceptions, serializers
from django.core.serializers.json import DjangoJSONEncoder
+from django.db import connection
from django.db.models import Q
from django.forms import CharField, Form, widgets
-from django.test.utils import isolate_apps
+from django.test.utils import CaptureQueriesContext, isolate_apps
from django.utils.html import escape
from . import PostgreSQLTestCase
@@ -299,6 +300,18 @@ class TestQuerying(PostgreSQLTestCase):
def test_iregex(self):
self.assertTrue(JSONModel.objects.filter(field__foo__iregex=r'^bAr$').exists())
+ def test_key_sql_injection(self):
+ with CaptureQueriesContext(connection) as queries:
+ self.assertFalse(
+ JSONModel.objects.filter(**{
+ """field__test' = '"a"') OR 1 = 1 OR ('d""": 'x',
+ }).exists()
+ )
+ self.assertIn(
+ """."field" -> 'test'' = ''"a"'') OR 1 = 1 OR (''d') = '"x"' """,
+ queries[0]['sql'],
+ )
+
@isolate_apps('postgres_tests')
class TestChecks(PostgreSQLTestCase):
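Review bot: The assertion on `queries[0]['sql']` assumes the EXISTS query is the first statement captured, which may not hold if the connection is established (or a setup statement runs) inside the context; checking the last captured query, `queries[-1]['sql']`, or `any(fragment in q['sql'] for q in queries)` would pin the same property without depending on capture order. The test also has no docstring, so the security property it guards is only implied by its name and the expected SQL fragment; a one-line docstring such as `"""Key names taken from filter kwargs must be emitted as escaped string literals, never spliced into the SQL text."""` would make the regression it protects against explicit for the next maintainer. The expected fragment is coupled to the exact quoting the backend produces, which is acceptable here since the doubled quotes are the point, but that is worth a short comment on the `assertIn` line. The enclosing `TestQuerying` class starts outside the hunk.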