[2.1.x] Fixed #30769 -- Fixed a crash when filtering against a subque…

…ry JSON/HStoreField annotation.

This was a regression introduced by 7deeabc
to address CVE-2019-14234.

Thanks Tim Kleinschmidt for the report and Mariusz for the tests.

Backport of 6c3dfba from master.

django/contrib/postgres/fields/hstore.py

@@ -86,7 +86,7 @@ def __init__(self, key_name, *args, **kwargs):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return '(%s -> %%s)' % lhs, params + [self.key_name]
+        return '(%s -> %%s)' % lhs, tuple(params) + (self.key_name,)
 
 
 class KeyTransformFactory:

django/contrib/postgres/fields/jsonb.py

@@ -112,7 +112,7 @@ def as_sql(self, compiler, connection):
             lookup = int(self.key_name)
         except ValueError:
             lookup = self.key_name
-        return '(%s %s %%s)' % (lhs, self.operator), params + [lookup]
+        return '(%s %s %%s)' % (lhs, self.operator), tuple(params) + (lookup,)
 
 
 class KeyTextTransform(KeyTransform):

docs/releases/1.11.25.txt

@@ -9,4 +9,6 @@ Django 1.11.25 fixes a regression in 1.11.23.
 Bugfixes
 ========
 
-* ...
+* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset
+  containing :class:`~django.contrib.postgres.fields.JSONField` or
+  :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`).

docs/releases/2.1.13.txt

@@ -9,4 +9,6 @@ Django 2.1.13 fixes a regression in 2.1.11.
 Bugfixes
 ========
 
-* ...
+* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset
+  containing :class:`~django.contrib.postgres.fields.JSONField` or
+  :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`).

tests/postgres_tests/test_hstore.py

@@ -2,7 +2,7 @@
 
 from django.core import checks, exceptions, serializers
 from django.db import connection
-from django.db.models.expressions import RawSQL
+from django.db.models.expressions import OuterRef, RawSQL, Subquery
 from django.forms import Form
 from django.test.utils import (
     CaptureQueriesContext, isolate_apps, modify_settings,
@@ -213,6 +213,12 @@ def test_key_sql_injection(self):
             queries[0]['sql'],
         )
 
+    def test_obj_subquery_lookup(self):
+        qs = HStoreModel.objects.annotate(
+            value=Subquery(HStoreModel.objects.filter(pk=OuterRef('pk')).values('field')),
+        ).filter(value__a='b')
+        self.assertSequenceEqual(qs, self.objs[:2])
+
 
 @isolate_apps('postgres_tests')
 class TestChecks(PostgreSQLTestCase):

tests/postgres_tests/test_json.py

@@ -5,7 +5,7 @@
 from django.core import checks, exceptions, serializers
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import connection
-from django.db.models import F, Q
+from django.db.models import F, OuterRef, Q, Subquery
 from django.db.models.expressions import RawSQL
 from django.db.models.functions import Cast
 from django.forms import CharField, Form, widgets
@@ -256,6 +256,12 @@ def test_shallow_obj_lookup(self):
             [self.objs[7], self.objs[8]]
         )
 
+    def test_obj_subquery_lookup(self):
+        qs = JSONModel.objects.annotate(
+            value=Subquery(JSONModel.objects.filter(pk=OuterRef('pk')).values('field')),
+        ).filter(value__a='b')
+        self.assertSequenceEqual(qs, [self.objs[7], self.objs[8]])
+
     def test_deep_lookup_objs(self):
         self.assertSequenceEqual(
             JSONModel.objects.filter(field__k__l='m'),