INTPYTHON-827 Fix Model.save() updates and QuerySet.update() for $-prefixed strings

[WaVEV]

INTPYTHON-827

Summary

This PR fixes unsafe handling of $-prefixed values during save() and update() operations in the Django MongoDB backend.
Values like {"$concat": [...]} or ("$name", "-", "$name") were previously interpreted as MongoDB operators instead of being stored literally.
The patch ensures that all such values are wrapped with $literal when appropriate, preventing unintended expression or operator injection.

Changes in this PR

• Updated value compilation to wrap dict, tuple, string, and numeric values in $literal where needed.
• Update SQLUpdateCompiler to wrap any direct value (i.e. string, dict, tuple, etc).

Test Plan

• Added unit tests verifying that $-prefixed values are safely stored and not interpreted as expressions.
• Tested scenarios for dicts, tuples, and Value() wrappers.
• Verified that regular (non-$-prefixed) values are unaffected (basic unit test from Django)

Checklist

Checklist for Author

• Did you update the changelog (if necessary)?
• Is the intention of the code captured in relevant tests?
• If there are new TODOs, has a related JIRA ticket been created?

Checklist for Reviewer @Jibola @aclark4life @timgraham

• Does the title of the PR reference a JIRA Ticket?
• Do you fully understand the implementation?
• Have you checked for spelling & grammar errors?
• Is all relevant documentation (README or docstring) updated?

Focus Areas for Reviewer

Pay attention to the logic handling $literal wrapping in value compilation.

[timgraham]

Did you forget to git add a new file with the test?

[WaVEV]

Did you forget to git add a new file with the test?

Yes

[timgraham]

Is it necessary to wrap all values? Are there problems with other types? Our logic in Value() only wraps list/int/str.

[WaVEV]

A unit test (test_update_dollar_prefix_in_value_expression) shows the issue. Because we could update passing an expression, and the expression could be Value("$update")

[timgraham]

What I meant: Is it necessary to wrap all direct values?

[WaVEV]

understood, 🤔 . Will try to make a test and try to inject something.

[WaVEV]

well, 🤔. maybe only string should be wrapped, not any kind of value.

EDIT
it is possible:

def test_update_dict(self):
        obj = Author.objects.create(name="foobar")
        obj.name = Value({"$concat": ["$name", "-", "$name"]})
        obj.save()
        obj.refresh_from_db()
        self.assertEqual(obj.name, {"$concat": ["$name", "-", "$name"]})

this tails fails and the name was update as foobar-foobar
I think we should scape any kind of literal

[timgraham]

That seems sufficient to me.

[WaVEV]

Another case:

def test_update_dictvalue(self):
        obj = Author.objects.create(name="foobar", data={})
        obj.data = {"$concat": ["$name", "-", "$name"]}
        obj.save()
        obj.refresh_from_db()
        self.assertEqual(obj.data, {"$concat": ["$name", "-", "$name"]})

If the field is a JSONField. Any kind of type that could be a MongoDB query, could be exploitable.
I think wrapping al values will bring us a safe net.

[timgraham]

new_values -> expected_values?
expected_pipeline -> expected_condition?

[timgraham]

update_many

[timgraham]

Not a regression test so should be a separate commit.

[WaVEV]

🤔 I though I need to test also the save process, but the insertion isn't a problem. So could we remove this test? or it is a nice to have?

[timgraham]

Nothing wrong with more tests, just saying that additional test coverage should be added in a separate commit so it's easy to identify what a commit does and doesn't fix.

[timgraham]

Per https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/#python-style, "In test docstrings, state the expected behavior that each test demonstrates. Don’t include preambles such as “Tests that” or “Ensures that”."

[timgraham]

The fix for Value could be a separate commit. Also, add a test in expressions_/test_value.py.

[WaVEV]

Ok, will separate the commits.

[timgraham]

I know what you mean, but I think "$update" isn't a thing.

[WaVEV]

A rushed comment, there is nothing called that in our pipeline. should be rewritten.

[WaVEV]

All the str should be wrapped.

def test_query_injection(self):
        obj1 = Author.objects.create(name="Gustavo")
        obj2 = Author.objects.create(name="Walter")
        with self.assertNumQueries(1) as ctx:
            qs = list(Author.objects.annotate(a_value=Value("$name")))
        print(ctx.captured_queries[0]["sql"])
        print(qs)

the generated mql is:
db.basic__author.aggregate([{'$project': {'a_value': '$name', '_id': 1, 'name': 1}}])
and the results are:

qs[0].a_value == "Gustavo"
qs[1].a_value == "Walter"

So the code was injected. the expected value is a constant value "$name"

[timgraham]

You can add tests/basic_/tests.py for basic model operations tests. So I see three commits: add insert test, fix update, fix update with Value()

[timgraham]

obj.refresh_from_db()

[timgraham]

the assignment can be outside the with.