
django-extra (S610)

Derived from the flake8-bandit linter.

What it does

Checks for uses of Django's extra function where one or more arguments passed are not literal expressions.

Why is this bad?

Django's extra function can be used to execute arbitrary SQL queries, which can in turn lead to SQL injection vulnerabilities.

Example

from django.contrib.auth.models import User

# String interpolation creates a security loophole that could be used
# for SQL injection:
User.objects.all().extra(select={"test": "%secure" % "nos"})

Use instead:

from django.contrib.auth.models import User

# SQL injection is impossible if all arguments are literal expressions:
User.objects.all().extra(select={"test": "secure"})
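To make the rule's check concrete, here is an added example (not Ruff's own implementation) that uses Python's ast module to do what this rule describes: find calls to a method named extra and report those whose SQL-bearing arguments (select, where, tables) are not literal expressions. It deliberately skips params and select_params, because Django passes those to the database driver as bound query parameters, which is the supported place for runtime values. The sample module it scans is constructed for this example and is only parsed, never executed, so Django does not need to be installed.

```python
import ast

# Positional slots in QuerySet.extra(select, where, params, tables, order_by,
# select_params) for the arguments that carry raw SQL fragments. `params` and
# `select_params` are intentionally absent: Django binds them as query
# parameters, so they are the safe place for values that are not known
# at development time.
SQL_BEARING_ARGS = {"select": 0, "where": 1, "tables": 3}


def is_literal(node):
    """True if `node` is a constant, or a container built only from literals."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return all(is_literal(elt) for elt in node.elts)
    if isinstance(node, ast.Dict):
        # A `**spread` inside a dict display appears as a None key.
        return all(
            key is not None and is_literal(key) and is_literal(value)
            for key, value in zip(node.keys, node.values)
        )
    # Names, attribute lookups, f-strings, `%` formatting, concatenation,
    # function calls: anything that is computed at runtime lands here.
    return False


def _argument(call, name, position):
    """Fetch an argument by keyword, falling back to its positional slot."""
    for keyword in call.keywords:
        if keyword.arg == name:
            return keyword.value
    if position < len(call.args):
        return call.args[position]
    return None


def find_non_literal_extra_calls(source):
    """Return the line numbers of `.extra(...)` calls whose SQL-bearing
    arguments are not literal expressions (the pattern S610 flags)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if not (isinstance(node.func, ast.Attribute) and node.func.attr == "extra"):
            continue
        for name, position in SQL_BEARING_ARGS.items():
            argument = _argument(node, name, position)
            if argument is not None and not is_literal(argument):
                findings.append(node.lineno)
                break
    return sorted(findings)


# Constructed sample module: lines 5 and 6 build SQL from runtime values and
# should be reported; lines 7 and 8 are the patterns the rule accepts (all
# literals, or runtime values routed through `params`).
SAMPLE_SOURCE = '''\
from django.contrib.auth.models import User

def search(request):
    term = request.GET["q"]
    User.objects.extra(select={"test": "%secure" % "nos"})
    User.objects.extra(where=["username = '" + term + "'"])
    User.objects.extra(select={"test": "secure"})
    User.objects.extra(where=["username = %s"], params=[term])
'''

if __name__ == "__main__":
    for lineno in find_non_literal_extra_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: non-literal SQL argument to QuerySet.extra()")
```

Running the script reports lines 5 and 6 of the sample module and stays silent on the two safe calls. The design choice worth noting is the last sample line: moving the runtime value out of the SQL string and into params is what makes the call acceptable, not merely avoiding the % operator.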

References