B610: django_extra_used

bandit.plugins.django_sql_injection.django_extra_used(context)

B610: Potential SQL injection on extra function

Example:

>> Issue: [B610:django_extra_used] Use of extra potential SQL attack vector.
   Severity: Medium Confidence: Medium
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: examples/django_sql_injection_extra.py:29:0
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html
28  tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
29  User.objects.all().extra(tables=[tables_str]).distinct()

See also

• https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection

• https://cwe.mitre.org/data/definitions/89.html

New in version 1.5.0.

Changed in version 1.7.3: CWE information added