Django's RawSQL raises error if you use kwargs rather than args #764

Closed
kevinmarsh opened this issue Dec 13, 2021 · 0 comments · Fixed by #765
Labels
bug Something isn't working

kevinmarsh commented Dec 13, 2021

Describe the bug

An `IndexError: list index out of range` error is raised if you try to run bandit on `RawSQL` with keyword arguments:

```python
RawSQL(sql='{}secure'.format('no'), params=[])
```

but it runs as expected on positional args:

```python
RawSQL('{}secure'.format('no'), [])
```

Reproduction steps

1. `echo -e "from django.db.models.expressions import RawSQL\nRawSQL(sql='{}secure'.format('no'), params=[])" > /tmp/bad-bandit.py`
2. `bandit /tmp/bad-bandit.py`
3. Bandit internal error gets printed out and the security issue isn't flagged
...

Expected behavior

Positional args and keyword args should both be supported

Bandit version

1.7.1

Python version

3.9

Additional context

No response
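The failure described in this report comes from reading the SQL argument by position only, so a keyword-only call (`RawSQL(sql=..., params=...)`) leaves `node.args` empty and the index lookup blows up. The following is an added, stand-alone illustration of how an AST-based check can resolve an argument from either form; it is not Bandit's own B611 plugin or the fix from the linked PR. The sample module `SAMPLE_SOURCE`, the helper names `get_call_arg`, `find_rawsql_issues` and `imports_rawsql_from_django`, and the simplified import check (only the `from django.db.models... import RawSQL` form is recognised) are all assumptions made for this example.

```python
import ast
from typing import Optional

# Constructed sample module (not from the issue): both call forms from the
# report, plus a plain literal and an f-string for contrast.
SAMPLE_SOURCE = '''
from django.db.models.expressions import RawSQL
RawSQL(sql='{}secure'.format('no'), params=[])
RawSQL('{}secure'.format('no'), [])
RawSQL("SELECT 1", [])
RawSQL(f"SELECT {col} FROM t", params=[])
RawSQL(sql="SELECT 2", params=[])
'''


def imports_rawsql_from_django(tree: ast.Module) -> bool:
    """True if the module does `from django.db.models[...] import RawSQL`.

    Assumption for this example: the aliased `import django.db.models.expressions as e`
    form is not handled.
    """
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module \
                and node.module.startswith("django.db.models"):
            if any(alias.name == "RawSQL" for alias in node.names):
                return True
    return False


def call_name(node: ast.Call) -> Optional[str]:
    """Name of the callee for `f(...)` or `obj.f(...)`; None for anything else."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def get_call_arg(node: ast.Call, position: int, keyword: str) -> Optional[ast.AST]:
    """Return the argument given at `position` OR as `keyword=`, whichever was used.

    Reading node.args[position] unconditionally is what raises IndexError on a
    keyword-only call: node.args is empty, so fall through to node.keywords.
    """
    if len(node.args) > position:
        return node.args[position]
    for kw in node.keywords:
        if kw.arg == keyword:
            return kw.value
    return None


def is_string_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_rawsql_issues(source: str) -> list:
    """Return (lineno, node_type) for each RawSQL call whose SQL is not a plain literal.

    node_type is the AST class of the SQL expression ("Call" for str.format,
    "JoinedStr" for an f-string, "BinOp" for % or + concatenation, ...).
    """
    tree = ast.parse(source)
    if not imports_rawsql_from_django(tree):
        return []
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or call_name(node) != "RawSQL":
            continue
        sql = get_call_arg(node, 0, "sql")
        if sql is None:
            continue  # no SQL argument at all; Django itself rejects such a call
        if not is_string_literal(sql):
            findings.append((node.lineno, type(sql).__name__))
    return findings


if __name__ == "__main__":
    for lineno, kind in find_rawsql_issues(SAMPLE_SOURCE):
        print(f"line {lineno}: RawSQL built from a {kind} expression, review for SQL injection")
```

Run as a script it reports lines 3, 4 and 6 of the sample: the keyword-argument call is now found alongside the positional one, and the literal-only calls on lines 5 and 7 stay quiet. The same positional-or-keyword lookup applies to any call-site check that reads a specific parameter, since Python lets callers choose either spelling.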

@kevinmarsh kevinmarsh added the bug Something isn't working label Dec 13, 2021
kevinmarsh added a commit to kevinmarsh/bandit that referenced this issue Dec 13, 2021
Fix rule B611: django_rawsql_used breaking when a user passes in
keyword arguments to Django's `RawSQL`.

Closes PyCQA#764
kevinmarsh added a commit to kevinmarsh/bandit that referenced this issue Jan 31, 2022
Fix rule B611: django_rawsql_used breaking when a user passes in
keyword arguments to Django's `RawSQL`.

Resolves: PyCQA#764
kevinmarsh added a commit to kevinmarsh/bandit that referenced this issue Jun 6, 2022
Fix rule B611: django_rawsql_used breaking when a user passes in
keyword arguments to Django's `RawSQL`.

Resolves: PyCQA#764
kevinmarsh added a commit to kevinmarsh/bandit that referenced this issue Jul 24, 2023
Fix rule B611: django_rawsql_used breaking when a user passes in
keyword arguments to Django's `RawSQL`.

Resolves: PyCQA#764
sigmavirus24 pushed a commit that referenced this issue Jul 24, 2023
Fix rule B611: django_rawsql_used breaking when a user passes in
keyword arguments to Django's `RawSQL`.

Resolves: #764