Opened 103 minutes ago
Closed 63 minutes ago
#36996 closed Cleanup/optimization (invalid)
Apps registry public API methods lack input validation
| Reported by: | Nicholas Salzman | Owned by: | |
|---|---|---|---|
| Component: | Core (Other) | Version: | 6.0 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The Apps class in django.apps.registry accepts arbitrary argument types on its public API methods. Passing a non-string or empty string produces confusing errors deep in the call stack rather than clear messages at the API boundary.
For example, apps.get_app_config(42) raises KeyError: 42 from the dict lookup inside the method. With validation, it would raise TypeError: app_label must be a string, not int. at the entry point.
Affected methods: get_app_config(), get_model(), register_model(), is_installed(), lazy_model_operation().
I can submit a PR that already passed your tests, other than not having created a ticket first! :)
Nicholas
The Django public API has hundreds of methods that can crash if you provide it the inadequate type; we can't gate them all with isinstance check. Unless you can provide a real world example where this is an issue (e.g. a documented use case that isn't explicit about a proper app label needing to be provided) I don't see the value of peppering this particular API with instance type checks as there are projects that provide typing stubs for Django already and they have pretty good coverage for this API.