#36778: Extend admonition to avoid constructing query expressions from unsanitized user input
-------------------------------------+-------------------------------------
               Reporter:  Jacob      |          Owner:  Jacob Walls
  Walls                              |
                   Type:             |         Status:  assigned
  Cleanup/optimization               |
              Component:             |        Version:
  Documentation                      |       Keywords:  Func, sql,
               Severity:  Normal     |  injection
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 The Security Team occasionally receives reports where a proof of concept
 pipes unsanitized user input directly to a query expression argument
 traditionally regarded as statically configured and thus developer-
 controlled.

 We haven't accepted these as vulnerabilities, because each case we've
 confronted has a clear domain to validate (e.g. positive integers) that a
 garden-variety form or serializer would handle, as opposed to anything
 that would require the db adapter to escape.

 We have this [https://docs.djangoproject.com/en/6.0/ref/models/expressions
 /#avoiding-sql-injection clearly documented in the Func API] where
 positional arguments can be user-driven but keyword arguments get
 interpolated directly into SQL (beware!), but this is potentially muddled
 by the inconsistency where some subclasses allow positional arguments for
 convenience but then pass them on to `Func()` via keyword (beware!).

 Working on a way to clarify this in the Func docs and cross-link from the
 security reporting guidelines.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36778>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
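As an added illustration (not code from the ticket or from Django itself), a simplified stand-in for how `Func` renders its template, showing why a positional argument is bound as a query parameter while a keyword argument lands in the SQL text, plus the kind of domain check the ticket says a form or serializer would perform. `F`, `RoundTo` and `validated_precision` are constructed names for this example; `RoundTo` mirrors the "positional for convenience, forwarded as keyword" pattern the ticket describes.

```python
import re

class F:
    # Stand-in for a column reference: compiles to a quoted identifier, no params.
    def __init__(self, name):
        self.name = name

    def as_sql(self):
        return '"%s"' % self.name, []

class Func:
    # Simplified model of Func.as_sql (constructed, not Django's code): positional
    # arguments are compiled to placeholders with bound params, while **extra
    # keyword arguments are interpolated straight into the SQL template.
    function = None
    template = "%(function)s(%(expressions)s)"

    def __init__(self, *expressions, **extra):
        self.source_expressions = list(expressions)
        self.extra = extra

    def as_sql(self):
        parts, params = [], []
        for expr in self.source_expressions:
            if hasattr(expr, "as_sql"):
                sql, expr_params = expr.as_sql()
            else:  # plain literal: becomes a bound parameter, never SQL text
                sql, expr_params = "%s", [expr]
            parts.append(sql)
            params.extend(expr_params)
        data = {"function": self.function, "expressions": ", ".join(parts)}
        data.update(self.extra)  # keyword args land in the SQL string verbatim
        return self.template % data, params

class RoundTo(Func):
    # Hypothetical subclass showing the inconsistency the ticket describes: a
    # convenience positional argument that is forwarded to Func() as a keyword.
    function = "ROUND"
    template = "%(function)s(%(expressions)s, %(precision)s)"

    def __init__(self, expression, precision=0, **extra):
        super().__init__(expression, precision=precision, **extra)

def validated_precision(raw):
    # The domain check a form or serializer field would apply before the value
    # may be used as a keyword argument: only a small non-negative integer passes.
    if not re.fullmatch(r"[0-9]{1,2}", str(raw).strip()):
        raise ValueError("precision must be an integer in 0..99")
    return int(raw)
```

`Func("Alice", function="LOWER")` yields `LOWER(%s)` with `["Alice"]` as params, whereas `RoundTo(F("price"), "abc")` yields `ROUND("price", abc)` with no params, which is why the keyword path needs a domain check rather than relying on the adapter's escaping.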