[Django] #36778: Extend admonition to avoid constructing query expressions from unsanitized user input
1 view
Skip to first unread message
Django
3:24 PM (3 hours ago) 3:24 PM
to django-...@googlegroups.com
#36778: Extend admonition to avoid constructing query expressions from unsanitized
user input
-------------------------------------+-------------------------------------
Reporter: Jacob | Owner: Jacob Walls
Walls |
Type: | Status: assigned
Cleanup/optimization |
Component: | Version:
Documentation | Keywords: Func, sql,
Severity: Normal | injection
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The Security Team occasionally receives reports where a proof of concept
pipes unsanitized user input directly to a query expression argument
traditionally regarded as statically configured and thus developer-
controlled.
We haven't accepted these as vulnerabilities, because each case we've
confronted has a clear domain to validate (e.g. positive integers) that a
garden-variety form or serializer would handle, as opposed to anything
that would require the db adapter to escape.
We have this [https://docs.djangoproject.com/en/6.0/ref/models/expressions
/#avoiding-sql-injection clearly documented in the Func API] where
positional arguments can be user-driven but keyword arguments get
interpolated directly into SQL (beware!), but this is potentially muddled
by the inconsistency where some subclasses allow positional arguments for
convenience but then pass that on to `Func()` via keyword (beware!)
Working on a way to clarify this in the Func docs and cross-link from the
security reporting guidelines.
--
Ticket URL: <https://code.djangoproject.com/ticket/36778>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
user input
-------------------------------------+-------------------------------------
Reporter: Jacob | Owner: Jacob Walls
Walls |
Type: | Status: assigned
Cleanup/optimization |
Component: | Version:
Documentation | Keywords: Func, sql,
Severity: Normal | injection
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The Security Team occasionally receives reports where a proof of concept
pipes unsanitized user input directly to a query expression argument
traditionally regarded as statically configured and thus developer-
controlled.
We haven't accepted these as vulnerabilities, because each case we've
confronted has a clear domain to validate (e.g. positive integers) that a
garden-variety form or serializer would handle, as opposed to anything
that would require the db adapter to escape.
We have this [https://docs.djangoproject.com/en/6.0/ref/models/expressions
/#avoiding-sql-injection clearly documented in the Func API] where
positional arguments can be user-driven but keyword arguments get
interpolated directly into SQL (beware!), but this is potentially muddled
by the inconsistency where some subclasses allow positional arguments for
convenience but then pass that on to `Func()` via keyword (beware!)
Working on a way to clarify this in the Func docs and cross-link from the
security reporting guidelines.
--
Ticket URL: <https://code.djangoproject.com/ticket/36778>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
3:39 PM (3 hours ago) 3:39 PM
to django-...@googlegroups.com
#36778: Extend admonition to avoid constructing query expressions from unsanitized
user input
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
user input
-------------------------------------+-------------------------------------
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: Func, sql, | Triage Stage: Accepted
injection, extra, rawsql |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* keywords: Func, sql, injection => Func, sql, injection, extra, rawsql
* stage: Unreviewed => Accepted
* version: => dev
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:1>
Django
3:39 PM (3 hours ago) 3:39 PM
to django-...@googlegroups.com
#36778: Extend admonition to avoid constructing query expressions from unsanitized
user input
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: Func, sql, | Triage Stage: Accepted
injection, extra, rawsql |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):
user input
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: Func, sql, | Triage Stage: Accepted
injection, extra, rawsql |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Thank you!
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:2>
Django
3:45 PM (3 hours ago) 3:45 PM
to django-...@googlegroups.com
#36778: Extend admonition to avoid constructing query expressions from unsanitized
user input
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: Func, sql, | Triage Stage: Accepted
injection, extra, rawsql |
Has patch: 1 | Needs documentation: 0
user input
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: Func, sql, | Triage Stage: Accepted
injection, extra, rawsql |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/20376 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:3>
Reply all
Reply to author
Forward
0 new messages