django-extra (S610)

Derived from the flake8-bandit linter.

This rule is unstable and in preview. The --preview flag is required for use.

What it does

Checks for uses of Django's QuerySet.extra() method, in particular calls whose select, where or tables arguments are assembled from non-literal strings rather than passed as constant SQL with separate parameters.

Why is this bad?

Django's extra() method splices raw SQL fragments (select, where, tables, order_by) directly into the query it generates. Inside those fragments Django cannot tell SQL from data, so a fragment built with string formatting from user-controlled input lets an attacker rewrite the query: a SQL injection vulnerability. If extra() cannot be avoided, keep the SQL text constant and pass user-supplied values through the params and select_params arguments, which the database driver binds as query parameters. Django's own documentation describes extra() as an old API to be used only as a last resort, when the query cannot be expressed with other QuerySet methods.

Example

from django.contrib.auth.models import User

# Flagged: the SQL fragment passed to select is assembled with string
# formatting, so whatever is interpolated into it is executed as SQL.
User.objects.all().extra(select={"test": "%secure" % "nos"})
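To show why the formatted fragment matters, the following added example (not code from the Ruff or Django projects) reproduces the two ways of building a where fragment against an in-memory sqlite3 database instead of a Django QuerySet, so it runs without Django installed. The table name, columns and rows are constructed for the demonstration. The vulnerable_fragment() function mirrors the "%s" % value pattern flagged above and would correspond to extra(where=[fragment]); the parameterized lookup corresponds to extra(where=["username = %s"], params=[username]), where the placeholder stays in the SQL and the value is bound by the driver (sqlite3 uses ? where Django uses %s).

```python
"""Added example, not from the Ruff docs: string-formatted SQL fragment
versus a bound parameter, demonstrated with sqlite3 so it runs offline.
The auth_user table and its rows below are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for Django's auth_user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany(
        "INSERT INTO auth_user (username, is_staff) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def vulnerable_fragment(username: str) -> str:
    """Mirrors the flagged pattern: the value is formatted into the SQL text.

    In Django this is what extra(where=[vulnerable_fragment(name)]) would
    splice into the query. A quote in `username` ends the string literal and
    the rest of the input is parsed as SQL.
    """
    return "username = '%s'" % username


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Run the formatted fragment; returns the usernames the query matched."""
    where = vulnerable_fragment(username)
    rows = conn.execute(
        f"SELECT username FROM auth_user WHERE {where} ORDER BY id"
    ).fetchall()
    return [row[0] for row in rows]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Equivalent of extra(where=["username = %s"], params=[username]).

    The SQL text is constant; the driver binds the value, so a quote in the
    input is just a character inside the compared string.
    """
    rows = conn.execute(
        "SELECT username FROM auth_user WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("formatted fragment :", lookup_vulnerable(db, payload))     # every user
    print("bound parameter    :", lookup_parameterized(db, payload))  # no match
```

With the payload x' OR '1'='1 the formatted fragment becomes username = 'x' OR '1'='1', which is true for every row, so the first lookup returns all three users; the parameterized lookup compares the literal string and returns nothing. The same difference applies to Django's select dictionary: the SQL text in the dict values must stay constant and any variable input goes in select_params.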