From 6c3dfba89215fc56fc27ef61829a6fff88be4abb Mon Sep 17 00:00:00 2001 From: Simon Charette Date: Sun, 15 Sep 2019 23:25:50 -0400 Subject: [PATCH] Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation. This was a regression introduced by 7deeabc7c7526786df6894429ce89a9c4b614086 to address CVE-2019-14234. Thanks Tim Kleinschmidt for the report and Mariusz for the tests. --- django/contrib/postgres/fields/hstore.py | 2 +- django/contrib/postgres/fields/jsonb.py | 2 +- docs/releases/1.11.25.txt | 4 +++- docs/releases/2.1.13.txt | 4 +++- docs/releases/2.2.6.txt | 5 +++++ tests/postgres_tests/test_hstore.py | 8 +++++++- tests/postgres_tests/test_json.py | 8 +++++++- 7 files changed, 27 insertions(+), 6 deletions(-) diff --git a/django/contrib/postgres/fields/hstore.py b/django/contrib/postgres/fields/hstore.py index 9548d180c9a..0889f600a50 100644 --- a/django/contrib/postgres/fields/hstore.py +++ b/django/contrib/postgres/fields/hstore.py @@ -86,7 +86,7 @@ class KeyTransform(Transform): def as_sql(self, compiler, connection): lhs, params = compiler.compile(self.lhs) - return '(%s -> %%s)' % lhs, params + [self.key_name] + return '(%s -> %%s)' % lhs, tuple(params) + (self.key_name,) class KeyTransformFactory: diff --git a/django/contrib/postgres/fields/jsonb.py b/django/contrib/postgres/fields/jsonb.py index 821a747b9c6..30c48a60185 100644 --- a/django/contrib/postgres/fields/jsonb.py +++ b/django/contrib/postgres/fields/jsonb.py @@ -112,7 +112,7 @@ class KeyTransform(Transform): lookup = int(self.key_name) except ValueError: lookup = self.key_name - return '(%s %s %%s)' % (lhs, self.operator), params + [lookup] + return '(%s %s %%s)' % (lhs, self.operator), tuple(params) + (lookup,) class KeyTextTransform(KeyTransform): diff --git a/docs/releases/1.11.25.txt b/docs/releases/1.11.25.txt index 4195e8cbe0b..0e9e2d7ee59 100644 --- a/docs/releases/1.11.25.txt +++ b/docs/releases/1.11.25.txt @@ -9,4 +9,6 @@ Django 1.11.25 fixes a regression in 1.11.23. Bugfixes ======== -* ... +* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset + containing :class:`~django.contrib.postgres.fields.JSONField` or + :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`). diff --git a/docs/releases/2.1.13.txt b/docs/releases/2.1.13.txt index bd6fdad2b3e..33b2ea21b00 100644 --- a/docs/releases/2.1.13.txt +++ b/docs/releases/2.1.13.txt @@ -9,4 +9,6 @@ Django 2.1.13 fixes a regression in 2.1.11. Bugfixes ======== -* ... +* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset + containing :class:`~django.contrib.postgres.fields.JSONField` or + :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`). diff --git a/docs/releases/2.2.6.txt b/docs/releases/2.2.6.txt index 59c29ef0a67..49d758abda2 100644 --- a/docs/releases/2.2.6.txt +++ b/docs/releases/2.2.6.txt @@ -11,3 +11,8 @@ Bugfixes * Fixed migrations crash on SQLite when altering a model containing partial indexes (:ticket:`30754`). + +* Fixed a regression in Django 2.2.4 that caused a crash when filtering with a + ``Subquery()`` annotation of a queryset containing + :class:`~django.contrib.postgres.fields.JSONField` or + :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`). diff --git a/tests/postgres_tests/test_hstore.py b/tests/postgres_tests/test_hstore.py index 502c8447fcb..a3fae1ec663 100644 --- a/tests/postgres_tests/test_hstore.py +++ b/tests/postgres_tests/test_hstore.py @@ -2,7 +2,7 @@ import json from django.core import checks, exceptions, serializers from django.db import connection -from django.db.models.expressions import RawSQL +from django.db.models.expressions import OuterRef, RawSQL, Subquery from django.forms import Form from django.test.utils import CaptureQueriesContext, isolate_apps @@ -207,6 +207,12 @@ class TestQuerying(PostgreSQLTestCase): queries[0]['sql'], ) + def test_obj_subquery_lookup(self): + qs = HStoreModel.objects.annotate( + value=Subquery(HStoreModel.objects.filter(pk=OuterRef('pk')).values('field')), + ).filter(value__a='b') + self.assertSequenceEqual(qs, self.objs[:2]) + @isolate_apps('postgres_tests') class TestChecks(PostgreSQLSimpleTestCase): diff --git a/tests/postgres_tests/test_json.py b/tests/postgres_tests/test_json.py index 333ed46bf10..39cba8f695d 100644 --- a/tests/postgres_tests/test_json.py +++ b/tests/postgres_tests/test_json.py @@ -6,7 +6,7 @@ from decimal import Decimal from django.core import checks, exceptions, serializers from django.core.serializers.json import DjangoJSONEncoder from django.db import connection -from django.db.models import Count, F, Q +from django.db.models import Count, F, OuterRef, Q, Subquery from django.db.models.expressions import RawSQL from django.db.models.functions import Cast from django.forms import CharField, Form, widgets @@ -303,6 +303,12 @@ class TestQuerying(PostgreSQLTestCase): [self.objs[7], self.objs[8]] ) + def test_obj_subquery_lookup(self): + qs = JSONModel.objects.annotate( + value=Subquery(JSONModel.objects.filter(pk=OuterRef('pk')).values('field')), + ).filter(value__a='b') + self.assertSequenceEqual(qs, [self.objs[7], self.objs[8]]) + def test_deep_lookup_objs(self): self.assertSequenceEqual( JSONModel.objects.filter(field__k__l='m'),