Commit334308e

committed

Fixed #36778 -- Extended advice to sanitize input before using in query expressions.

Thanks Clifford Gama and Simon Charette for reviews.

1 parentaf60ae4 commit334308eCopy full SHA for 334308e

File tree

+17

-4

lines changed

+17

-4

lines changed

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -111,9 +111,11 @@ validated::`
`111`	`111`	`return JsonResponse(status=200)`
`112`	`112`	`return JsonResponse(form.errors, status=400)`
`113`	`113`
`114`		-Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra` and
`115`		-:class:`.RawSQL` expression) provide developers with full control over the
`116`		`-query, they are insecure if user input is not properly handled. As explained in`
	`114`	+Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra`,
	`115`	+:class:`.RawSQL`, and :ref:`keyword arguments to database functions
	`116`	+<avoiding-sql-injection-in-query-expressions>`) provide developers with full
	`117`	`+control over the query, they are insecure if user input is not properly`
	`118`	`+handled. As explained in`
`117`	`119`	our :ref:`security documentation <sql-injection-protection>`, it is the
`118`	`120`	`developer's responsibility to safely process user input for these functions.`
`119`	`121`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@ The classes documented below provide a way for users to use functions provided`
`9`	`9`	`by the underlying database as annotations, aggregations, or filters in Django.`
`10`	`10`	Functions are also :doc:`expressions </ref/models/expressions>`, so they can be
`11`	`11`	used and combined with other expressions like :ref:`aggregate functions
`12`		-<aggregation-functions>`.
	`12`	+<aggregation-functions>`. See the :class:`~django.db.models.Func` documentation
	`13`	`+for security considerations.`
`13`	`14`
`14`	`15`	`We'll be using the following model in examples of each function::`
`15`	`16`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -434,6 +434,16 @@ replace the attributes of the same name without having to define your own`
`434`	`434`	class. :ref:`output_field<output-field>` can be used to define the expected
`435`	`435`	`return type.`
`436`	`436`
	`437`	`+.. admonition:: Sanitize input used to configure a query expression`
	`438`	`+`
	`439`	`+ Built-in database functions (such as`
	`440`	+ :class:`~django.db.models.functions.Cast`) vary in whether arguments such
	`441`	+ as ``output_field`` can be supplied positionally or only by keyword. For
	`442`	+ ``output_field`` and several other cases, the input ultimately reaches
	`443`	+ ``Func()`` as a keyword argument, so the advice to avoid constructing
	`444`	`+ keyword arguments from untrusted user input applies as equally to these`
	`445`	+ arguments as it does to ``**extra``.
	`446`	`+`
`437`	`447`	``Aggregate()`` expressions
`438`	`448`	`---------------------------`
`439`	`449`

Comments

(0)