sdk/python/Web Frameworks/PyDjango

PyDjango

Django is a full-featured Python web framework. HttpRequest exposes request data; the ORM Manager.raw() and Cursor.execute() are SQL injection sinks when the SQL is built from user input. Template rendering via mark_safe bypasses auto-escaping (XSS sink).

4 sources2 sinks

Taint flow4 sources → 2 sinks

Sources — untrusted input

.HttpRequest.GET()URL query parameters

.HttpRequest.POST()POST form data

.HttpRequest.COOKIES()Request cookies

.HttpRequest.body()Raw HTTP request body

→

taint

Sinks — dangerous call

.Manager.raw()Executes a raw SQL query against the ORM

.mark_safe()Declares a string as safe, bypassing template auto-escaping

Sources

— user-controlled input enters here

.HttpRequest.GET()Source

Signature

request.GET: QueryDict

URL query parameters. All values user-controlled.

tracks:return

.HttpRequest.POST()Source

Signature

request.POST: QueryDict

POST form data. User-controlled.

tracks:return

.HttpRequest.COOKIES()Source

Signature

request.COOKIES: dict[str, str]

Request cookies. User-controlled.

tracks:return

.HttpRequest.body()Source

Signature

request.body: bytes

Raw HTTP request body. User-controlled.

tracks:return

Sinks

— dangerous functions taint must not reach

.Manager.raw()Sink

Signature

Manager.raw(raw_query: str, params: Sequence = None, ...) -> RawQuerySet

Executes a raw SQL query against the ORM. SQL injection sink when raw_query is built from user input.

tracks:0

.mark_safe()Sink

Signature

django.utils.safestring.mark_safe(s: str) -> SafeString

Declares a string as safe, bypassing template auto-escaping. XSS sink on user input.

tracks:0

Fully-Qualified Names

FQN	Field
django	fqns[0]
django.http.HttpRequest	fqns[1]
django.db.models.Manager	fqns[2]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyDjango

← PreviousPyChannels

Next →PyDjangoFilters