query-set-extra.yaml
33 lines (33 loc) · 1.15 KB
rules:
  - id: avoid-query-set-extra
    message: >-
      'QuerySet.extra' does not provide safeguards against SQL injection and requires
      very careful use. SQL injection can lead to critical data being stolen by attackers.
      Instead of using '.extra', use the Django ORM and parameterized queries such as
      `People.objects.get(name='Bob')`.
    metadata:
      source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra
        - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
    languages:
      - python
    severity: WARNING
    patterns:
      - pattern: $MODEL.extra(...)
      - pattern-not-inside: '$MODEL.extra(select = {$KEY: "..."})'
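Semgrep-style test cases for this rule, added here as an example and not taken from the rule's own test file. Django is not imported: `People` and `_StubQuerySet` are constructed stand-ins that only record the SQL fragment and bound parameters each call would hand to the database, which is enough to show why a `.extra()` fragment built from caller input is flagged while a parameterized ORM lookup and a constant `select` literal are not.

```python
class _StubQuerySet:
    """Constructed stand-in for a Django QuerySet: records, never queries."""

    def __init__(self):
        self.sql = None      # SQL text exactly as the database would receive it
        self.params = []     # values shipped separately as bound parameters

    def extra(self, select=None, where=None, params=None):
        # .extra() passes the caller's strings through untouched: no quoting,
        # no escaping, which is the behaviour the rule message warns about.
        fragments = list((select or {}).values()) + list(where or [])
        self.sql = " AND ".join(fragments)
        self.params = list(params or [])
        return self

    def get(self, **lookups):
        # The ORM emits placeholders and sends the values as bound parameters.
        self.sql = " AND ".join(f"{field} = %s" for field in lookups)
        self.params = list(lookups.values())
        return self


class People:
    """Constructed stand-in for a Django model with a `name` field."""
    objects = _StubQuerySet()


def lookup_unsafe(name):
    # ruleid: avoid-query-set-extra
    # Caller-controlled text is spliced into SQL; even a legitimate name
    # such as O'Brien breaks the statement, and hostile input does worse.
    return People.objects.extra(where=["name = '%s'" % name])


def lookup_with_literal_select():
    # ok: avoid-query-set-extra
    # A constant string literal in `select` falls under the rule's
    # pattern-not-inside exception and is not reported.
    return People.objects.extra(select={"is_adult": "age >= 18"})


def lookup_safe(name):
    # ok: avoid-query-set-extra
    # Parameterized ORM lookup, as the rule message recommends.
    return People.objects.get(name=name)
```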