INTPYTHON-827 Fix Model.save() updates and QuerySet.update() for $-prefixed strings #445
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| from django.db import models | ||
|
|
||
|
|
||
| class Author(models.Model): | ||
| name = models.CharField(max_length=10) | ||
|
|
||
| def __str__(self): | ||
| return self.name | ||
|
|
||
|
|
||
| class Book(models.Model): | ||
| name = models.CharField(max_length=10) | ||
| data = models.JSONField(null=True) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| from operator import attrgetter | ||
|
|
||
| from django.db.models import Value | ||
| from django.test import TestCase | ||
|
|
||
| from django_mongodb_backend.test import MongoTestCaseMixin | ||
|
|
||
| from .models import Author, Book | ||
|
|
||
|
|
||
| class SaveDollarPrefixTests(MongoTestCaseMixin, TestCase): | ||
| def test_insert_dollar_prefix(self): | ||
| """$-prefixed values are correctly saved on insert.""" | ||
| obj = Author.objects.create(name="$foobar") | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.name, "$foobar") | ||
|
|
||
|
|
||
| class UpdateDollarPrefixTests(MongoTestCaseMixin, TestCase): | ||
| def test_update_dollar_prefix(self): | ||
| """$-prefixed values are correctly saved on update.""" | ||
| obj = Author.objects.create(name="foobar") | ||
| obj.name = "$updated" | ||
| with self.assertNumQueries(1) as ctx: | ||
| obj.save() | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.name, "$updated") | ||
| self.assertUpdateQuery( | ||
| ctx.captured_queries[0]["sql"], | ||
| "basic__author", | ||
| {"_id": obj.id}, | ||
| [{"$set": {"name": {"$literal": "$updated"}}}], | ||
| ) | ||
|
|
||
| def test_update_dollar_prefix_in_value_expression(self): | ||
| """$-prefixed Value() expressions are correctly handled on update.""" | ||
| obj = Author.objects.create(name="foobar") | ||
| obj.name = Value("$updated") | ||
| with self.assertNumQueries(1) as ctx: | ||
| obj.save() | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.name, "$updated") | ||
| self.assertUpdateQuery( | ||
| ctx.captured_queries[0]["sql"], | ||
| "basic__author", | ||
| {"_id": obj.id}, | ||
| [{"$set": {"name": {"$literal": "$updated"}}}], | ||
| ) | ||
|
|
||
| def test_update_dict_value(self): | ||
| """MQL-like dict Value() expressions are correctly handled on update.""" | ||
| obj = Book.objects.create(name="foobar", data={}) | ||
| obj.data = Value({"$concat": ["$name", "-", "$name"]}) | ||
| obj.save() | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.data, {"$concat": ["$name", "-", "$name"]}) | ||
|
|
||
| def test_update_dict(self): | ||
| """MQL-like dict updates are correctly handled on update.""" | ||
| obj = Book.objects.create(name="foobar") | ||
| obj.data = {"$concat": ["$name", "-", "$name"]} | ||
| obj.save() | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.data, {"$concat": ["$name", "-", "$name"]}) | ||
|
|
||
| def test_update_tuple(self): | ||
| """MQL-like tuple updates are correctly handled on update.""" | ||
| obj = Book.objects.create(name="foobar") | ||
| obj.data = ("$name", "-", "$name") | ||
| obj.save() | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.data, ["$name", "-", "$name"]) | ||
|
|
||
| def test_update_tuple_value(self): | ||
| """MQL-like tuple Value() expressions are correctly handled on update.""" | ||
| obj = Book.objects.create(name="foobar") | ||
| obj.data = Value(("$name", "-", "$name")) | ||
| obj.save() | ||
| obj.refresh_from_db() | ||
| self.assertEqual(obj.data, ["$name", "-", "$name"]) | ||
|
|
||
|
|
||
| class QueryDollarPrefixTests(MongoTestCaseMixin, TestCase): | ||
| def test_query_injection(self): | ||
| """$-prefixed Value() expressions are correctly handled on query.""" | ||
| Author.objects.create(name="Gustavo") | ||
| Author.objects.create(name="Walter") | ||
| with self.assertNumQueries(1) as ctx: | ||
| qs = list(Author.objects.annotate(a_value=Value("$name"))) | ||
| self.assertQuerySetEqual(qs, ["$name"] * 2, attrgetter("a_value")) | ||
| self.assertAggregateQuery( | ||
| ctx.captured_queries[0]["sql"], | ||
| "basic__author", | ||
| [{"$project": {"a_value": {"$literal": "$name"}, "_id": 1, "name": 1}}], | ||
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still question whether the $literal escaping is overly broad. Better safe than sorry, sure, but it decreases readability a bit and makes queries larger. But I'm not sure how to compare the tradeoffs between some more complicated logic (
isinstance()CPU time) and leaving it as is. It seems if we did wrapping of only the types thatValue()wraps, it should be safe, unless the logic in Value() is deficient. And are there any string values besides those that start with $ that could be problematic? Perhaps to be discussed in chat tomorrow.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤔 I agree. Seeing $literal everywhere is annoying, but Value's resolver is probably covering the most common types used in queries. On the other hand, implementing the same escaping logic that Value uses is not a big deal.