[Django]-How do you avoid SQL Injection attacks in your Django Rest APIs if using native ORM?

2👍

The main danger of using a Django ORM is that you might give users a powerful tool to select, filter and aggregate over arbitrary fields.

Indeed, say for example that you make a form that enables users to select the fields to return, then you can implement this as:

data = MyModel.objects.values(*request.GET.getlist('fields'))

If MyModel has a ForeignKey to the user model named owner, then the user could forge a request with owner__password as field, and thus retrieve the (hashed) passwords. While Django stores for its default User model a hashed password, it still means that the hashed data is exposed and it might make it easier to thus retrieve passwords.

But even if there is no user model, it can result in the fact that users can forge requests where they use links to sensitive data, and thus can retrieve a large amount of sensitive data. The same can happen with arbitrary filtering, annotating, aggregating, etc.

What you thus should do is keep a list of acceptable values, and check that the request only contains these values, for example:

acceptable = {'title', 'description', 'created_at'}
data = [field for field in request.GET.getlist('fields') if field in acceptable]
data = MyModel.objects.values(*data)

If you for example make use of packages like django-filter [readthedocs.io] you list the fields that can be filtered and what lookups can be done for these fields. The other data in the request.GET will be ignored, and thus will prevent filtering with arbitrary fields.

Leave a comment