From: Mike Bayer <mike_mp@zzzcomputing.com>
Date: Tue, 18 Jan 2022 22:19:24 +0000 (-0500)
Subject: reject methods as lambda SQL callables
X-Git-Tag: rel_1_4_30~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=692d05a5cc15cf3947055e9089b86ed99be3da46;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git

reject methods as lambda SQL callables

Added an informative error message when a method object is passed to a SQL
construct. Previously, when such a callable were passed, as is a common
typographical error when dealing with method-chained SQL constructs, they
were interpreted as "lambda SQL" targets to be invoked at compilation time,
which would lead to silent failures. As this feature was not intended to be
used with methods, method objects are now rejected.

Fixes: #7032
Change-Id: If714715bd8c11557ab769ee3b1a24264b0b06acc
(cherry picked from commit e28ec27b599558b3e26ced106a972e8b4aa9e668)
---

diff --git a/doc/build/changelog/unreleased_14/7032.rst b/doc/build/changelog/unreleased_14/7032.rst
new file mode 100644
index 0000000000..c837be4944
--- /dev/null
+++ b/doc/build/changelog/unreleased_14/7032.rst
@@ -0,0 +1,10 @@
+.. change::
+    :tags: bug, sql
+    :tickets: 7032
+
+    Added an informative error message when a method object is passed to a SQL
+    construct. Previously, when such a callable were passed, as is a common
+    typographical error when dealing with method-chained SQL constructs, they
+    were interpreted as "lambda SQL" targets to be invoked at compilation time,
+    which would lead to silent failures. As this feature was not intended to be
+    used with methods, method objects are now rejected.
diff --git a/lib/sqlalchemy/sql/lambdas.py b/lib/sqlalchemy/sql/lambdas.py
index e22f871671..5f91559987 100644
--- a/lib/sqlalchemy/sql/lambdas.py
+++ b/lib/sqlalchemy/sql/lambdas.py
@@ -5,6 +5,7 @@
 # This module is part of SQLAlchemy and is released under
 # the MIT License: https://www.opensource.org/licenses/mit-license.php
 
+import inspect
 import itertools
 import operator
 import sys
@@ -619,6 +620,10 @@ class AnalyzedCode(object):
         return analyzed
 
     def __init__(self, fn, lambda_element, opts):
+        if inspect.ismethod(fn):
+            raise exc.ArgumentError(
+                "Method %s may not be passed as a SQL expression" % fn
+            )
         closure = fn.__closure__
 
         self.track_bound_values = (
diff --git a/test/sql/test_lambdas.py b/test/sql/test_lambdas.py
index 76be0af3ce..29e1258efb 100644
--- a/test/sql/test_lambdas.py
+++ b/test/sql/test_lambdas.py
@@ -8,6 +8,7 @@ from sqlalchemy.sql import and_
 from sqlalchemy.sql import bindparam
 from sqlalchemy.sql import coercions
 from sqlalchemy.sql import column
+from sqlalchemy.sql import func
 from sqlalchemy.sql import join
 from sqlalchemy.sql import lambda_stmt
 from sqlalchemy.sql import lambdas
@@ -38,6 +39,26 @@ class LambdaElementTest(
 ):
     __dialect__ = "default"
 
+    def test_reject_methods(self):
+        """test #7032"""
+
+        t1 = table("t1", column("q"), column("p"))
+
+        subq = select(t1).subquery
+
+        with expect_raises_message(
+            exc.ArgumentError,
+            "Method <bound method Select.*.subquery .* may not be "
+            "passed as a SQL expression",
+        ):
+            select(func.count()).select_from(subq)
+
+        self.assert_compile(
+            select(func.count()).select_from(subq()),
+            "SELECT count(*) AS count_1 FROM "
+            "(SELECT t1.q AS q, t1.p AS p FROM t1) AS anon_1",
+        )
+
     def test_select_whereclause(self):
         t1 = table("t1", column("q"), column("p"))