B610: django_extra_used
- bandit.plugins.django_sql_injection.django_extra_used(context)[source]
B610: Potential SQL injection on extra function
- Example:
>> Issue: [B610:django_extra_used] Use of extra potential SQL attack vector. Severity: Medium Confidence: Medium CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) Location: examples/django_sql_injection_extra.py:29:0 More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html 28 tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' 29 User.objects.all().extra(tables=[tables_str]).distinct()
See also
Added in version 1.5.0.
Changed in version 1.7.3: CWE information added