=== SQL Injection via extra, raw or RawSQL ===

Hello!

Thank you for taking the time to submit your discoveries responsibly.

After reviewing your report, we have concluded that it does not constitute a security issue. The behavior presented relies on the use of `QuerySet.extra`, `QuerySet.raw`, or `RawSQL` expressions, which are explicitly designed to execute arbitrary SQL. These APIs are documented to require that user-controllable input be passed via `params` as shown below:

* https://docs.djangoproject.com/en/stable/ref/models/querysets/#django.db.models.query.QuerySet.extra
* https://docs.djangoproject.com/en/stable/ref/models/querysets/#raw
* https://docs.djangoproject.com/en/stable/ref/models/expressions/#raw-sql-expressions

Recently addressed issues such as CVE-2025-59681 differ from your report since that class of issue concerns identifier escaping, whereas your report concerns value escaping. For raw SQL query APIs, responsibility for distinguishing between code (SQL) and data (user input) rests with the developer.

For further clarification, please see our documentation on performing raw SQL queries: https://docs.djangoproject.com/en/stable/topics/db/sql/#performing-raw-sql-queries

Best,
Django Security Team.

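The code/data distinction the response above draws, as an added example that is not part of the template or of Django itself: it uses Python's standard `sqlite3` DB-API so it runs without Django, with `?` placeholders where Django's `raw()`, `RawSQL` and `extra()` take `%s` placeholders plus `params`. The `app_user` table, its rows and the allowlist are constructed for the demonstration.

```python
import sqlite3


def make_demo_db():
    # Constructed in-memory table standing in for a Django model's table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_user (username, is_staff) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), ("carol", 0)],
    )
    return conn


def find_user_unsafe(conn, username):
    # The defect the response describes: caller-supplied data is spliced into
    # the SQL text, so the database cannot tell code from data. This is the
    # pattern raw()/RawSQL/extra() reports get closed as "use params".
    sql = "SELECT username FROM app_user WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Correct use: a placeholder in the SQL, the value handed over separately.
    # Django passes the params tuple through to the DB-API in the same way.
    sql = "SELECT username FROM app_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed allowlist of column names the caller may sort by.
ALLOWED_ORDER_COLUMNS = {"id", "username"}


def list_users_ordered(conn, order_by):
    # Identifiers (the CVE-2025-59681 class) cannot travel through params at
    # all: a column name chosen by the caller has to be validated against an
    # allowlist before it is placed into the SQL text.
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported order column: %r" % order_by)
    sql = 'SELECT username FROM app_user ORDER BY "%s"' % order_by
    return [row[0] for row in conn.execute(sql)]
```

Running `find_user_unsafe` with a username containing a quote and an `OR` clause returns every row, while `find_user_safe` with the same string returns none, because the string is only ever compared as a value.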