From fd393907c91e855acbd6f7a287bdc8e951c328e8 Mon Sep 17 00:00:00 2001
From: Simon Charette <simon.charette@zapier.com>
Date: Sun, 15 Sep 2019 23:25:50 -0400
Subject: [PATCH] [1.11.x] Fixed #30769 -- Fixed a crash when filtering against
 a subquery JSON/HStoreField annotation.

This was a regression introduced by 7deeabc7c7526786df6894429ce89a9c4b614086
to address CVE-2019-14234.

Thanks Tim Kleinschmidt for the report and Mariusz for the tests.

Backport of 6c3dfba89215fc56fc27ef61829a6fff88be4abb from master.
---
 django/contrib/postgres/fields/hstore.py | 2 +-
 django/contrib/postgres/fields/jsonb.py  | 2 +-
 docs/releases/1.11.25.txt                | 4 +++-
 tests/postgres_tests/test_hstore.py      | 8 +++++++-
 tests/postgres_tests/test_json.py        | 8 +++++++-
 5 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/django/contrib/postgres/fields/hstore.py b/django/contrib/postgres/fields/hstore.py
index e2c4a2b338..5ddb10e584 100644
--- a/django/contrib/postgres/fields/hstore.py
+++ b/django/contrib/postgres/fields/hstore.py
@@ -86,7 +86,7 @@ class KeyTransform(Transform):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return '(%s -> %%s)' % lhs, params + [self.key_name]
+        return '(%s -> %%s)' % lhs, tuple(params) + (self.key_name,)
 
 
 class KeyTransformFactory(object):
diff --git a/django/contrib/postgres/fields/jsonb.py b/django/contrib/postgres/fields/jsonb.py
index bf1b4ee1a7..559fc5ba4e 100644
--- a/django/contrib/postgres/fields/jsonb.py
+++ b/django/contrib/postgres/fields/jsonb.py
@@ -107,7 +107,7 @@ class KeyTransform(Transform):
             lookup = int(self.key_name)
         except ValueError:
             lookup = self.key_name
-        return '(%s %s %%s)' % (lhs, self.operator), params + [lookup]
+        return '(%s %s %%s)' % (lhs, self.operator), tuple(params) + (lookup,)
 
 
 class KeyTextTransform(KeyTransform):
diff --git a/docs/releases/1.11.25.txt b/docs/releases/1.11.25.txt
index 4195e8cbe0..0e9e2d7ee5 100644
--- a/docs/releases/1.11.25.txt
+++ b/docs/releases/1.11.25.txt
@@ -9,4 +9,6 @@ Django 1.11.25 fixes a regression in 1.11.23.
 Bugfixes
 ========
 
-* ...
+* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset
+  containing :class:`~django.contrib.postgres.fields.JSONField` or
+  :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`).
diff --git a/tests/postgres_tests/test_hstore.py b/tests/postgres_tests/test_hstore.py
index 3ac68e1e69..acad950fbb 100644
--- a/tests/postgres_tests/test_hstore.py
+++ b/tests/postgres_tests/test_hstore.py
@@ -5,7 +5,7 @@ import json
 
 from django.core import exceptions, serializers
 from django.db import connection
-from django.db.models.expressions import RawSQL
+from django.db.models.expressions import OuterRef, RawSQL, Subquery
 from django.forms import Form
 from django.test.utils import CaptureQueriesContext, modify_settings
 
@@ -189,6 +189,12 @@ class TestQuerying(HStoreTestCase):
             queries[0]['sql'],
         )
 
+    def test_obj_subquery_lookup(self):
+        qs = HStoreModel.objects.annotate(
+            value=Subquery(HStoreModel.objects.filter(pk=OuterRef('pk')).values('field')),
+        ).filter(value__a='b')
+        self.assertSequenceEqual(qs, self.objs[:2])
+
 
 class TestSerialization(HStoreTestCase):
     test_data = ('[{"fields": {"field": "{\\"a\\": \\"b\\"}"}, '
diff --git a/tests/postgres_tests/test_json.py b/tests/postgres_tests/test_json.py
index ead2c68df7..b8b5dd481f 100644
--- a/tests/postgres_tests/test_json.py
+++ b/tests/postgres_tests/test_json.py
@@ -7,7 +7,7 @@ from decimal import Decimal
 from django.core import exceptions, serializers
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import connection
-from django.db.models import F
+from django.db.models import F, OuterRef, Subquery
 from django.db.models.expressions import RawSQL
 from django.db.models.functions import Cast
 from django.forms import CharField, Form, widgets
@@ -222,6 +222,12 @@ class TestQuerying(PostgreSQLTestCase):
             [self.objs[7], self.objs[8]]
         )
 
+    def test_obj_subquery_lookup(self):
+        qs = JSONModel.objects.annotate(
+            value=Subquery(JSONModel.objects.filter(pk=OuterRef('pk')).values('field')),
+        ).filter(value__a='b')
+        self.assertSequenceEqual(qs, [self.objs[7], self.objs[8]])
+
     def test_deep_lookup_objs(self):
         self.assertSequenceEqual(
             JSONModel.objects.filter(field__k__l='m'),