Refs CVE-2022-34265 -- Properly escaped Extract() and Trunc() parameters.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
author: Simon Charette <charette.s@gmail.com> 2022-06-19 23:46:22 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-07-06 07:40:07 +0200
commit: 877c800f255ccaa7abde1fb944de45d1616f5cc9 (patch)
tree: 1fd6fa46ea847249eab6339213d4de5ee8f05f65 /tests/db_functions
parent: 73766c118781a7f7052bf0a5fbee38b944964e31 (diff)
download: django-877c800f255ccaa7abde1fb944de45d1616f5cc9.tar.gz
1 files changed, 9 insertions, 5 deletions
diff --git a/tests/db_functions/datetime/test_extract_trunc.py b/tests/db_functions/datetime/test_extract_trunc.py
index bb70ed6094..00e3897e68 100644
--- a/tests/db_functions/datetime/test_extract_trunc.py
+++ b/tests/db_functions/datetime/test_extract_trunc.py
@@ -13,6 +13,7 @@ except ImportError:
     pytz = None
 
 from django.conf import settings
+from django.db import DataError, OperationalError
 from django.db.models import (
     DateField,
     DateTimeField,
@@ -244,8 +245,7 @@ class DateFunctionTests(TestCase):
         self.create_model(start_datetime, end_datetime)
         self.create_model(end_datetime, start_datetime)
 
-        msg = "Invalid lookup_name: "
-        with self.assertRaisesMessage(ValueError, msg):
+        with self.assertRaises((DataError, OperationalError, ValueError)):
             DTModel.objects.filter(
                 start_datetime__year=Extract(
                     "start_datetime", "day' FROM start_datetime)) OR 1=1;--"
@@ -940,14 +940,18 @@ class DateFunctionTests(TestCase):
             end_datetime = timezone.make_aware(end_datetime)
         self.create_model(start_datetime, end_datetime)
         self.create_model(end_datetime, start_datetime)
-        msg = "Invalid kind: "
-        with self.assertRaisesMessage(ValueError, msg):
-            DTModel.objects.filter(
+        # Database backends raise an exception or don't return any results.
+        try:
+            exists = DTModel.objects.filter(
                 start_datetime__date=Trunc(
                     "start_datetime",
                     "year', start_datetime)) OR 1=1;--",
                 )
             ).exists()
+        except (DataError, OperationalError):
+            pass
+        else:
+            self.assertIs(exists, False)
 
     def test_trunc_func(self):
         start_datetime = datetime(999, 6, 15, 14, 30, 50, 321)
author	Simon Charette <charette.s@gmail.com>	2022-06-19 23:46:22 -0400
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-07-06 07:40:07 +0200
commit	877c800f255ccaa7abde1fb944de45d1616f5cc9 (patch)
tree	1fd6fa46ea847249eab6339213d4de5ee8f05f65 /tests/db_functions
parent	73766c118781a7f7052bf0a5fbee38b944964e31 (diff)
download	django-877c800f255ccaa7abde1fb944de45d1616f5cc9.tar.gz