INTPYTHON-827 Prevent Value strings from being interpreted as expressions

Author: WaVEV

django_mongodb_backend/expressions/builtins.py

@@ -211,9 +211,9 @@ def when(self, compiler, connection):
 
 def value(self, compiler, connection, as_expr=False):  # noqa: ARG001
     value = self.value
-    if isinstance(value, (list, int)) and as_expr:
-        # Wrap lists & numbers in $literal to prevent ambiguity when Value
-        # appears in $project.
+    if isinstance(value, (list, int, str)) and as_expr:
+        # Wrap lists, numbers, and strings in $literal to avoid ambiguity when
+        # Value is used in aggregate() or update_many()'s $set.
         return {"$literal": value}
     if isinstance(value, Decimal):
         return Decimal128(value)

docs/releases/5.2.x.rst

@@ -17,6 +17,8 @@ Bug fixes
 
 - Prevented ``QuerySet.union()`` queries from duplicating the ``$project``
   pipeline.
+- Made :class:`~django.db.models.Value` wrap strings in ``$literal`` to
+  prevent dollar-prefixed strings from being interpreted as expressions.
 
 Performance improvements
 ------------------------

tests/basic_/test_escaping.py

@@ -1,5 +1,8 @@
 """Literals that MongoDB intreprets as expressions are escaped."""
 
+from operator import attrgetter
+
+from django.db.models import Value
 from django.test import TestCase
 
 from django_mongodb_backend.test import MongoTestCaseMixin
@@ -18,3 +21,17 @@ def test_dollar_prefixed_string(self):
         self.assertInsertQuery(
             ctx.captured_queries[0]["sql"], "basic__author", [{"name": "$foobar"}]
         )
+
+
+class AnnotationTests(MongoTestCaseMixin, TestCase):
+    def test_dollar_prefixed_value(self):
+        """Value() escapes dollar prefixed strings."""
+        Author.objects.create(name="Gustavo")
+        with self.assertNumQueries(1) as ctx:
+            qs = list(Author.objects.annotate(a_value=Value("$name")))
+        self.assertQuerySetEqual(qs, ["$name"], attrgetter("a_value"))
+        self.assertAggregateQuery(
+            ctx.captured_queries[0]["sql"],
+            "basic__author",
+            [{"$project": {"a_value": {"$literal": "$name"}, "_id": 1, "name": 1}}],
+        )

tests/expressions_/test_value.py

@@ -41,6 +41,9 @@ def test_int(self):
     def test_str(self):
         self.assertEqual(Value("foo").as_mql(None, None), "foo")
 
+    def test_str_expr(self):
+        self.assertEqual(Value("$foo").as_mql(None, None, as_expr=True), {"$literal": "$foo"})
+
     def test_uuid(self):
         value = uuid.UUID(int=1)
         self.assertEqual(Value(value).as_mql(None, None), "00000000000000000000000000000001")

tests/model_fields_/test_embedded_model_array.py

@@ -327,8 +327,18 @@ def test_nested_array_index_expr(self):
                                                     },
                                                     {
                                                         "$concat": [
-                                                            {"$ifNull": ["Z", ""]},
-                                                            {"$ifNull": ["acarias", ""]},
+                                                            {
+                                                                "$ifNull": [
+                                                                    {"$literal": "Z"},
+                                                                    {"$literal": ""},
+                                                                ]
+                                                            },
+                                                            {
+                                                                "$ifNull": [
+                                                                    {"$literal": "acarias"},
+                                                                    {"$literal": ""},
+                                                                ]
+                                                            },
                                                         ]
                                                     },
                                                 ]