	Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle.
Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
		
				
					committed by
					
						 Sarah Boyce
						Sarah Boyce
					
				
			
			
				
	
			
			
			
						parent
						
							49ff1042aa
						
					
				
				
					commit
					8f8dc5a1fc
				
			| @@ -29,6 +29,7 @@ from django.db.models import ( | ||||
| from django.db.models.expressions import RawSQL | ||||
| from django.db.models.fields.json import ( | ||||
|     KT, | ||||
|     HasKey, | ||||
|     KeyTextTransform, | ||||
|     KeyTransform, | ||||
|     KeyTransformFactory, | ||||
| @@ -582,6 +583,14 @@ class TestQuerying(TestCase): | ||||
|                     [expected], | ||||
|                 ) | ||||
|  | ||||
|     def test_has_key_literal_lookup(self): | ||||
|         self.assertSequenceEqual( | ||||
|             NullableJSONModel.objects.filter( | ||||
|                 HasKey(Value({"foo": "bar"}, JSONField()), "foo") | ||||
|             ).order_by("id"), | ||||
|             self.objs, | ||||
|         ) | ||||
|  | ||||
|     def test_has_key_list(self): | ||||
|         obj = NullableJSONModel.objects.create(value=[{"a": 1}, {"b": "x"}]) | ||||
|         tests = [ | ||||
|   | ||||
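Review bot: `test_has_key_literal_lookup` passes only the benign key `"foo"`, so it covers `HasKey` with a literal left-hand side but would not fail if the key stopped being escaped when the lookup SQL is built on Oracle. A companion assertion whose key contains a quote character would pin the behaviour the commit title describes, for example `self.assertSequenceEqual(NullableJSONModel.objects.filter(HasKey(Value({"foo": "bar"}, JSONField()), "fo'o")), [])`. The expected empty result assumes the key is treated purely as data on every backend, which should be confirmed on Oracle. The change to the lookup itself is not in the visible hunks, so such a case may already exist elsewhere in the commit.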