id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36778	Extend admonition to avoid constructing query expressions from unsanitized user input	Jacob Walls	Jacob Walls	"The Security Team occasionally receives reports where a proof of concept pipes unsanitized user input directly to a query expression argument traditionally regarded as statically configured and thus developer-controlled.

We haven't accepted these as vulnerabilities, because each case we've confronted has a clear domain to validate (e.g. positive integers) that a garden-variety form or serializer would handle, as opposed to anything that would require the db adapter to escape.

We have this [https://docs.djangoproject.com/en/6.0/ref/models/expressions/#avoiding-sql-injection clearly documented in the Func API] where positional arguments can be user-driven but keyword arguments get interpolated directly into SQL (beware!), but this is potentially muddled by the inconsistency where some subclasses allow positional arguments for convenience but then pass them on to `Func()` via keyword (beware!).

Working on a way to clarify this in the Func docs and cross-link from the security reporting guidelines."	Cleanup/optimization	closed	Documentation	dev	Normal	fixed	Func, sql, injection, extra, rawsql	Simon Charette Michael Manfre	Ready for checkin	1	0	0	0	0	0
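Added example, not part of the ticket and not Django's own code: a deliberately simplified model of the `Func()` argument contract the ticket describes. It keeps the one property that matters for the report: positional expressions are compiled to `%s` placeholders with bound parameters, while keyword arguments are string-interpolated into the SQL template. `LeftChars` is a hypothetical convenience subclass modelled on the pattern the ticket warns about (a positional argument that is quietly forwarded to `Func()` as a keyword); `validated_length` is the kind of domain check the ticket says a form or serializer would normally supply. Names, the `F`/`Value` stand-ins and the sample inputs are all constructed for this illustration.

```python
"""Toy model of Func(): positional args are parameterized, keyword args are
interpolated. Simplified re-implementation for illustration, not django.db.models.Func."""
from __future__ import annotations

import re
from typing import Any


class Value:
    """A literal that is always sent as a bound parameter, never as SQL text."""

    def __init__(self, value: Any) -> None:
        self.value = value

    def as_sql(self) -> tuple[str, list[Any]]:
        return "%s", [self.value]


class F:
    """A column reference; the name is emitted as a quoted identifier."""

    def __init__(self, name: str) -> None:
        self.name = name

    def as_sql(self) -> tuple[str, list[Any]]:
        return '"%s"' % self.name.replace('"', '""'), []


class Func:
    """Positional args -> placeholders + params; **extra -> template interpolation."""

    function: str | None = None
    template = "%(function)s(%(expressions)s)"
    arg_joiner = ", "

    def __init__(self, *expressions: Any, **extra: Any) -> None:
        # Bare Python values become Value() and therefore bound parameters.
        self.source_expressions = [
            e if hasattr(e, "as_sql") else Value(e) for e in expressions
        ]
        self.extra = extra  # lands in the SQL text verbatim, as in the real API

    def as_sql(self) -> tuple[str, list[Any]]:
        sql_parts: list[str] = []
        params: list[Any] = []
        for expr in self.source_expressions:
            sql, p = expr.as_sql()
            sql_parts.append(sql)
            params.extend(p)
        data = {"function": self.function, "expressions": self.arg_joiner.join(sql_parts)}
        data.update(self.extra)  # keyword arguments are raw template data
        template = self.extra.get("template", self.template)
        return template % data, params


class LeftChars(Func):
    """Hypothetical convenience subclass: `length` is positional for the caller
    but is forwarded to Func() as a keyword, so it is interpolated, not bound."""

    function = "LEFT"
    template = "%(function)s(%(expressions)s, %(length)s)"

    def __init__(self, expression: Any, length: Any) -> None:
        super().__init__(expression, length=length)


def validated_length(raw: str) -> int:
    """Domain check a form/serializer would do: positive integer only."""
    if not re.fullmatch(r"[1-9][0-9]*", raw):
        raise ValueError("length must be a positive integer")
    return int(raw)


def positional_arg_is_parameterized(user_input: str) -> tuple[str, list[Any]]:
    """User input as a positional expression: stays a bound parameter."""
    return Func(F("title"), user_input, function="STRPOS").as_sql()


def forwarded_keyword_is_interpolated(user_input: str) -> tuple[str, list[Any]]:
    """Same input through the convenience subclass: becomes SQL text."""
    return LeftChars(F("title"), user_input).as_sql()


def forwarded_keyword_after_validation(raw: str) -> tuple[str, list[Any]]:
    """Validate the domain first; the interpolated value is then a plain integer."""
    return LeftChars(F("title"), validated_length(raw)).as_sql()


if __name__ == "__main__":
    payload = "1) UNION SELECT password FROM auth_user --"  # constructed sample input
    print(positional_arg_is_parameterized(payload))
    print(forwarded_keyword_is_interpolated(payload))
    print(forwarded_keyword_after_validation("12"))
```

Running the three functions on the same constructed payload shows why the ticket treats these reports as a validation question rather than a Django vulnerability: the positional path never lets the string touch the SQL text, the forwarded-keyword path splices it in unchanged, and a one-line domain check (positive integer) closes the second path without any adapter-level escaping.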
