Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle.

Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
2025-10-23 21:59:11 +00:00 · 2024-11-08 21:27:31 -05:00
parent 49ff1042aa
commit 8f8dc5a1fc
5 changed files with 73 additions and 19 deletions
--- a/tests/model_fields/test_jsonfield.py
+++ b/tests/model_fields/test_jsonfield.py
@@ -29,6 +29,7 @@ from django.db.models import (
 from django.db.models.expressions import RawSQL
 from django.db.models.fields.json import (
    KT,
+    HasKey,
    KeyTextTransform,
    KeyTransform,
    KeyTransformFactory,
@@ -582,6 +583,14 @@ class TestQuerying(TestCase):
                    [expected],
                )

+    def test_has_key_literal_lookup(self):
+        self.assertSequenceEqual(
+            NullableJSONModel.objects.filter(
+                HasKey(Value({"foo": "bar"}, JSONField()), "foo")
+            ).order_by("id"),
+            self.objs,
+        )
+
    def test_has_key_list(self):
        obj = NullableJSONModel.objects.create(value=[{"a": 1}, {"b": "x"}])
        tests = [