Skip to content

django-extra (S610)#

Derived from the flake8-bandit linter.

What it does#

Checks for uses of Django's extra function where one or more arguments passed are not literal expressions.

Why is this bad?#

Django's extra function can be used to execute arbitrary SQL queries, which can in turn lead to SQL injection vulnerabilities.


from django.contrib.auth.models import User

# String interpolation creates a security loophole that could be used
# for SQL injection:
User.objects.all().extra(select={"test": "%secure" % "nos"})

Use instead:#

from django.contrib.auth.models import User

# SQL injection is impossible if all arguments are literal expressions:
User.objects.all().extra(select={"test": "secure"})