Fix: wrap string values in $literal to prevent expression misinterpretation

WaVEV · WaVEV · commit f41a94b4cd1f · 2025-11-12T22:13:32.000-03:00
diff --git a/django_mongodb_backend/expressions/builtins.py b/django_mongodb_backend/expressions/builtins.py
@@ -211,9 +211,9 @@ def when(self, compiler, connection):
 
 def value(self, compiler, connection, as_expr=False):  # noqa: ARG001
     value = self.value
-    if isinstance(value, (list, int)) and as_expr:
-        # Wrap lists & numbers in $literal to prevent ambiguity when Value
-        # appears in $project.
+    if isinstance(value, (list, int, str)) and as_expr:
+        # Wrap lists, numbers, and strings in $literal to avoid ambiguity when Value
+        # is used in queries' aggregate or update_many's $set.
         return {"$literal": value}
     if isinstance(value, Decimal):
         return Decimal128(value)
diff --git a/tests/basic_/tests.py b/tests/basic_/tests.py
@@ -1,3 +1,4 @@
+from django.db.models import Value
 from django.test import TestCase
 
 from django_mongodb_backend.test import MongoTestCaseMixin
@@ -11,3 +12,18 @@ def test_insert_dollar_prefix(self):
         obj = Author.objects.create(name="$foobar")
         obj.refresh_from_db()
         self.assertEqual(obj.name, "$foobar")
+
+
+class QueryDollarPrefixTests(MongoTestCaseMixin, TestCase):
+    def test_query_injection(self):
+        """$-prefixed Value() expressions are correctly handled on update."""
+        Author.objects.create(name="Gustavo")
+        Author.objects.create(name="Walter")
+        with self.assertNumQueries(1) as ctx:
+            qs = list(Author.objects.annotate(a_value=Value("$name")))
+        self.assertTrue(all(v.a_value == "$name" for v in qs))
+        self.assertAggregateQuery(
+            ctx.captured_queries[0]["sql"],
+            "basic__author",
+            [{"$project": {"a_value": {"$literal": "$name"}, "_id": 1, "name": 1}}],
+        )
diff --git a/tests/model_fields_/test_embedded_model_array.py b/tests/model_fields_/test_embedded_model_array.py
@@ -327,8 +327,18 @@ def test_nested_array_index_expr(self):
                                                     },
                                                     {
                                                         "$concat": [
-                                                            {"$ifNull": ["Z", ""]},
-                                                            {"$ifNull": ["acarias", ""]},
+                                                            {
+                                                                "$ifNull": [
+                                                                    {"$literal": "Z"},
+                                                                    {"$literal": ""},
+                                                                ]
+                                                            },
+                                                            {
+                                                                "$ifNull": [
+                                                                    {"$literal": "acarias"},
+                                                                    {"$literal": ""},
+                                                                ]
+                                                            },
                                                         ]
                                                     },
                                                 ]
