author | Will Holley <willholley@gmail.com> | 2017-11-23 10:26:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-11-23 10:26:07 +0100 |
commit | a406cc0b6f9ebd1e7aecd258b2b015daab9393e0 (patch) | |
tree | 4a1983d0992e6ccd69bfdd6ec93e5da345d0b226 | |
parent | ede5dd9675285157410311aa8e2ed01c7f5e597e (diff) | |
download | couchdb-a406cc0b6f9ebd1e7aecd258b2b015daab9393e0.tar.gz |
Test duplicate fields in Mango selector (#998)
Adds a test to verify the behaviour of duplicate
fields in a Mango selector.
The fix for CVE-2017-12635 resulted in CouchDB's
JSON parser only recognising the last instance
of duplicated fields in a JSON object. This
represents a breaking change to Mango (_find)
because, previously, all instances would have
been considered when evaluating a selector.
This test verifies that Mango now only considers
the last instance of a field, silently ignoring
those that appear before it.
TBD whether we can or should show an error when
this occurs, since this leads to predicates
silently being ignored.
-rw-r--r-- | src/mango/test/02-basic-find-test.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/mango/test/02-basic-find-test.py b/src/mango/test/02-basic-find-test.py
index 82554a112..f7e151ad8 100644
--- a/src/mango/test/02-basic-find-test.py
+++ b/src/mango/test/02-basic-find-test.py
@@ -159,6 +159,18 @@ class BasicFindTests(mango.UserDocsTests):
 assert len(docs) == 1
 assert docs[0]["user_id"] == 7
+ def test_multi_cond_duplicate_field(self):
+ # need to explicitly define JSON as dict won't allow duplicate keys
+ body = ("{\"selector\":{\"location.city\":{\"$regex\": \"^L+\"},"
+ "\"location.city\":{\"$exists\":true}}}")
+ r = self.db.sess.post(self.db.path("_find"), data=body)
+ r.raise_for_status()
+ docs = r.json()["docs"]
+
+ # expectation is that only the second instance
+ # of the "location.city" field is used
+ self.assertEqual(len(docs), 15)
+
 def test_multi_cond_or(self):
 docs = self.db.find({
 "$and":[ |
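Review bot: The closing `self.assertEqual(len(docs), 15)` in `test_multi_cond_duplicate_field` pins only a fixture-dependent count, so on its own it does not show that the `$regex` predicate was dropped rather than satisfied by every matching document. Comparing against the single-predicate queries would make the intent explicit and survive fixture changes, e.g. `expected = self.db.find({"location.city": {"$exists": True}})` followed by `self.assertEqual(len(docs), len(expected))`, plus a check that the `$regex`-only selector returns fewer documents. Because a silently ignored predicate widens the result set, the comment above the assertion could also say that this behaviour follows from the CVE-2017-12635 parser fix, e.g. `# last duplicate key wins since the CVE-2017-12635 JSON parser fix; earlier predicates are ignored`. The enclosing `BasicFindTests` class starts outside the hunk, so whether `self.db.sess` already sends a JSON `Content-Type` for the raw `data=body` post cannot be confirmed from here.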