django-extra (S610)

Derived from the flake8-bandit linter.

This rule is unstable and in preview. The --preview flag is required for use.

What it does

Checks for uses of Django's extra function.

Why is this bad?

Django's extra function can be used to execute arbitrary SQL queries, which can in turn lead to SQL injection vulnerabilities.

Example

from django.contrib.auth.models import User

User.objects.all().extra(select={"test": "%secure" % "nos"})

References

• Django documentation: SQL injection protection
• Common Weakness Enumeration: CWE-89