[Django] #36778: Extend admonition to avoid constructing query expressions from unsanitized user input


Django

Dec 5, 2025, 3:24:07 PM
to django-...@googlegroups.com
#36778: Extend admonition to avoid constructing query expressions from unsanitized user input
-------------------------------------+-------------------------------------
Reporter: Jacob Walls                | Owner: Jacob Walls
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version:
Severity: Normal                     | Keywords: Func, sql, injection
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
The Security Team occasionally receives reports where a proof of concept
pipes unsanitized user input directly to a query expression argument
traditionally regarded as statically configured and thus developer-
controlled.

We haven't accepted these as vulnerabilities, because each case we've
confronted has a clear domain to validate (e.g. positive integers) that a
garden-variety form or serializer would handle, as opposed to anything
that would require the db adapter to escape.

We have this [https://docs.djangoproject.com/en/6.0/ref/models/expressions/#avoiding-sql-injection clearly documented in the Func API] where
positional arguments can be user-driven but keyword arguments get
interpolated directly into SQL (beware!), but this is potentially muddled
by the inconsistency where some subclasses allow positional arguments for
convenience but then pass that on to `Func()` via keyword (beware!).

Working on a way to clarify this in the Func docs and cross-link from the
security reporting guidelines.
--
Ticket URL: <https://code.djangoproject.com/ticket/36778>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
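To make the positional-versus-keyword distinction from the ticket concrete, here is an added example that is not part of the ticket, the PR, or Django's own code: a plain-Python model of how a `Func`-style expression is compiled, with the unsafe keyword-argument path next to the validated form. The `compile_func`, `F`, `ALLOWED_FUNCTIONS`, `validated_*`, `safe_*` and `unsafe_apply` names, the SUBSTR template with a `length` keyword, and the attacker strings are all assumptions constructed for illustration. The real `Func.as_sql()` does more (expression resolution, output fields, backend-specific templates), but it treats the two argument kinds the same way the model does: positional arguments are wrapped as bound parameters that the database adapter escapes, while `function`, `template` and `**extra` are `%`-interpolated into the template string as text.

```python
import re

# Hypothetical allowlist of SQL function names a view may expose to clients.
ALLOWED_FUNCTIONS = frozenset({"UPPER", "LOWER", "LENGTH"})


class F:
    """Developer-chosen column reference (stand-in for django.db.models.F)."""

    def __init__(self, name):
        self.name = name


def compile_func(*expressions, function=None,
                 template="%(function)s(%(expressions)s)", **extra):
    """Simplified model of Func.as_sql(); returns (sql, params).

    Positional expressions: an F() ref becomes a quoted identifier, any
    other value becomes a "%s" placeholder with the value appended to
    params, so the DB adapter escapes it. Keyword arguments (function,
    template and **extra) are merged into the template with plain '%'
    formatting: whatever text they hold lands in the SQL unescaped.
    """
    sql_parts, params = [], []
    for expr in expressions:
        if isinstance(expr, F):
            sql_parts.append('"%s"' % expr.name)
        else:
            sql_parts.append("%s")
            params.append(expr)
    data = {**extra, "function": function, "expressions": ", ".join(sql_parts)}
    return template % data, params


def unsafe_apply(user_function_name):
    """Anti-pattern: a request parameter flows into a keyword argument."""
    return compile_func(F("name"), function=user_function_name)


def safe_positional(user_value):
    """Positional arguments are bound parameters; any content is safe here."""
    return compile_func(F("name"), user_value, function="COALESCE")


def validated_function_name(value):
    """Allowlist check: the 'clear domain' a form or serializer should enforce."""
    name = str(value).strip().upper()
    if name not in ALLOWED_FUNCTIONS:
        raise ValueError(f"unsupported function: {value!r}")
    return name


def validated_positive_int(value):
    """Another clear domain (a length or precision): a positive integer only."""
    text = str(value)
    if not re.fullmatch(r"[0-9]+", text) or int(text) <= 0:
        raise ValueError(f"expected a positive integer, got {value!r}")
    return int(text)


def safe_apply(user_function_name):
    """Validate first, then pass the keyword argument."""
    return compile_func(F("name"),
                        function=validated_function_name(user_function_name))


def safe_truncate(user_length):
    # Hypothetical template whose %(length)s is a keyword argument and is
    # therefore interpolated as text: only an already-validated int reaches it.
    return compile_func(F("name"), function="SUBSTR",
                        template="%(function)s(%(expressions)s, 1, %(length)s)",
                        length=validated_positive_int(user_length))


if __name__ == "__main__":
    # Constructed attacker input: a "function name" that is really SQL.
    payload = 'LOWER("name") FROM auth_user; --'
    print("unsafe :", unsafe_apply(payload))       # injected into the SQL text
    print("param  :", safe_positional(payload))    # stays a bound parameter
    for bad in (payload, 'LOWER"); DROP TABLE users; --'):
        try:
            safe_apply(bad)
        except ValueError as exc:
            print("reject :", exc)
    print("safe   :", safe_apply("lower"), safe_truncate("12"))
```

The point the model makes is the one the ticket wants the docs to carry: the database adapter only ever sees the `params` list, so nothing routed through a keyword argument is escaped for you, and the fix is domain validation (an allowlist, a positive integer) before the value is handed to the expression, not escaping after the fact.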

Django

Dec 5, 2025, 3:39:39 PM
to django-...@googlegroups.com
Changes (by Natalia Bidart):

* keywords: Func, sql, injection => Func, sql, injection, extra, rawsql
* stage: Unreviewed => Accepted
* version: => dev

--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:1>

Django

Dec 5, 2025, 3:39:44 PM
to django-...@googlegroups.com
Comment (by Natalia Bidart):

Thank you!
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:2>

Django

Dec 5, 2025, 3:45:43 PM
to django-...@googlegroups.com
Changes (by Jacob Walls):

* has_patch: 0 => 1

Comment:

[https://github.com/django/django/pull/20376 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:3>

Django

Dec 6, 2025, 9:52:38 AM
to django-...@googlegroups.com
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:4>

Django

Dec 8, 2025, 9:18:52 AM
to django-...@googlegroups.com
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:5>

Django

Dec 8, 2025, 10:24:45 AM
to django-...@googlegroups.com
Changes (by Clifford Gama):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:6>

Django

Dec 8, 2025, 10:25:36 AM
to django-...@googlegroups.com
Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"334308efae8e0c7b1523d5583af32b674a098eba" 334308e]:
{{{#!CommitTicketReference repository=""
revision="334308efae8e0c7b1523d5583af32b674a098eba"
Fixed #36778 -- Extended advice to sanitize input before using in query
expressions.

Thanks Clifford Gama and Simon Charette for reviews.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:7>

Django

Dec 8, 2025, 10:26:47 AM
to django-...@googlegroups.com
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"189dcb1002ef6582cfc8074c09cb6e47d6034dd8" 189dcb1]:
{{{#!CommitTicketReference repository=""
revision="189dcb1002ef6582cfc8074c09cb6e47d6034dd8"
[6.0.x] Fixed #36778 -- Extended advice to sanitize input before using in
query expressions.

Thanks Clifford Gama and Simon Charette for reviews.

Backport of 334308efae8e0c7b1523d5583af32b674a098eba from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36778#comment:8>