B611: django_rawsql_usedΒΆ

bandit.plugins.django_sql_injection.django_rawsql_used(context)[source]

B611: Potential SQL injection on RawSQL function

Example:
>> Issue: [B611:django_rawsql_used] Use of RawSQL potential SQL attack vector.
   Severity: Medium Confidence: Medium
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: examples/django_sql_injection_raw.py:11:26
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html
10        ' WHERE "username"="admin" OR 1=%s --'
11  User.objects.annotate(val=RawSQL(raw, [0]))

New in version 1.5.0.

Changed in version 1.7.3: CWE information added