[Django] #36996: Apps registry public API methods lack input validation
2 views
Skip to first unread message
Django
Mar 20, 2026, 4:58:13 PM (9 hours ago) Mar 20
to django-...@googlegroups.com
#36996: Apps registry public API methods lack input validation
------------------------+------------------------------------------------
Reporter: atdash | Type: Cleanup/optimization
Status: new | Component: Core (Other)
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------------------
The Apps class in django.apps.registry accepts arbitrary argument types on
its public API methods. Passing a non-string or empty string produces
confusing errors deep in the call stack rather than clear messages at the
API boundary.
For example, apps.get_app_config(42) raises KeyError: 42 from the dict
lookup inside the method. With validation, it would raise TypeError:
app_label must be a string, not int. at the entry point.
Affected methods: get_app_config(), get_model(), register_model(),
is_installed(), lazy_model_operation().
I can submit a PR that already passed your tests, other than not having
created a ticket first! :)
Nicholas
--
Ticket URL: <https://code.djangoproject.com/ticket/36996>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
------------------------+------------------------------------------------
Reporter: atdash | Type: Cleanup/optimization
Status: new | Component: Core (Other)
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------------------
The Apps class in django.apps.registry accepts arbitrary argument types on
its public API methods. Passing a non-string or empty string produces
confusing errors deep in the call stack rather than clear messages at the
API boundary.
For example, apps.get_app_config(42) raises KeyError: 42 from the dict
lookup inside the method. With validation, it would raise TypeError:
app_label must be a string, not int. at the entry point.
Affected methods: get_app_config(), get_model(), register_model(),
is_installed(), lazy_model_operation().
I can submit a PR that already passed your tests, other than not having
created a ticket first! :)
Nicholas
--
Ticket URL: <https://code.djangoproject.com/ticket/36996>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Mar 20, 2026, 5:37:44 PM (8 hours ago) Mar 20
to django-...@googlegroups.com
#36996: Apps registry public API methods lack input validation
-------------------------------------+-------------------------------------
Reporter: Nicholas Salzman | Owner: (none)
Type: | Status: closed
Cleanup/optimization |
Component: Core (Other) | Version: 6.0
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Simon Charette):
* resolution: => invalid
* status: new => closed
Comment:
The Django public API has hundreds of methods that can crash if you
provide it the inadequate type, we can't gate them all with `isinstance`
check.
Unless you can provide a real world example where this is an issue (e.g. a
documented use case that isn't explicit about a proper app label needing
to be provided) I don't see the value of peppering this particular API
with instance type checks as there are projects that provide typing stubs
for Django already and [https://github.com/typeddjango/django-
stubs/blob/87a23420767475ca3021f4f1a25887d3477d3dbb/django-
stubs/apps/registry.pyi they have pretty good coverage for this API].
--
Ticket URL: <https://code.djangoproject.com/ticket/36996#comment:1>
Reply all
Reply to author
Forward
0 new messages