source/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2026-02-09 02:49:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fixed #36778 -- Extended advice to sanitize input before using in query expressions.

Browse Source 
Thanks Clifford Gama and Simon Charette for reviews.
This commit is contained in:
Jacob Walls
2025-12-05 15:32:56 -05:00
parent af60ae48d9
commit 334308efae
3 changed files with 17 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/internals/security.txt
View File

@@ -111,9 +111,11 @@ validated::
return JsonResponse(status=200)
return JsonResponse(form.errors, status=400)
Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra` and
:class:`.RawSQL` expression) provide developers with full control over the
query, they are insecure if user input is not properly handled. As explained in
Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra`,
:class:`.RawSQL`, and :ref:`keyword arguments to database functions
<avoiding-sql-injection-in-query-expressions>`) provide developers with full
control over the query, they are insecure if user input is not properly
handled. As explained in
our :ref:`security documentation <sql-injection-protection>`, it is the
developer's responsibility to safely process user input for these functions.

3
docs/ref/models/database-functions.txt
View File

@@ -9,7 +9,8 @@ The classes documented below provide a way for users to use functions provided
by the underlying database as annotations, aggregations, or filters in Django.
Functions are also :doc:`expressions </ref/models/expressions>`, so they can be
used and combined with other expressions like :ref:`aggregate functions
<aggregation-functions>`.
<aggregation-functions>`. See the :class:`~django.db.models.Func` documentation
for security considerations.
We'll be using the following model in examples of each function::

10
docs/ref/models/expressions.txt
View File

@@ -434,6 +434,16 @@ replace the attributes of the same name without having to define your own
class. :ref:`output_field<output-field>` can be used to define the expected
return type.
.. admonition:: Sanitize input used to configure a query expression
Built-in database functions (such as
:class:`~django.db.models.functions.Cast`) vary in whether arguments such
as ``output_field`` can be supplied positionally or only by keyword. For
``output_field`` and several other cases, the input ultimately reaches
``Func()`` as a keyword argument, so the advice to avoid constructing
keyword arguments from untrusted user input applies as equally to these
arguments as it does to ``**extra``.
``Aggregate()`` expressions
---------------------------