Web Frameworks

PyRestFramework

Django REST Framework (DRF). request.data is the primary source for JSON, form and multipart payloads, and request.query_params for the URL query string. Serializers validate input, but Serializer.is_valid() counts as a sanitizer only when it is called with raise_exception=True: the call then raises ValidationError on bad input, so whatever follows it runs only on validated data. Response() with tainted data is generally safe because DRF's renderers do the encoding, but Response(..., template_name=...) hands the data to the template engine and is still worth watching.

Taint flow: 2 sources, 1 sanitizer → 0 sinks (this rule contributes sources and a sanitizer only; it defines no sinks of its own).
Sources — untrusted input
.Request.data()
.Request.query_params()
Sanitizers — blocks taint
.Serializer.is_valid()

Sources

.Request.data() (Source)
Signature
request.data: dict | list

Parsed request body (JSON, form or multipart, depending on the negotiated parser). Fully user-controlled, including the keys.

tracks: return
.Request.query_params() (Source)
Signature
request.query_params: QueryDict

URL query-string parameters as a QueryDict. User-controlled; values read via .get() / .getlist() are tainted.

tracks: return

Sanitizers

.Serializer.is_valid() (Sanitizer)
Signature
Serializer.is_valid(raise_exception=False) -> bool

Runs field-level and object-level validation. Modelled as a sanitizer only when raise_exception=True, because then the call raises ValidationError on bad input and code after it executes only for validated data. A bare is_valid() whose boolean result is ignored does not block taint, and the cleaned values live in serializer.validated_data; request.data itself stays tainted either way.

tracks: return

Other Methods

.Response() (Neutral)
Signature
Response(data=None, status=None, template_name=None, headers=None, ...) -> Response

DRF response. data is encoded by the negotiated renderer, so it is not treated as a sink; template_name selects a template that is rendered with data as its context, and the page treats it as a possible SSTI sink worth watching.

Fully-Qualified Names

FQN                       Field
rest_framework            fqns[0]
rest_framework.request    fqns[1]
rest_framework.response   fqns[2]

A wrong FQN does not raise an error; it silently yields 0 findings. Sanity-check the wiring by changing fqns to garbage values and re-running the same scan: it must then produce 0 results. If findings survive that change, the rule was never matching on these FQNs in the first place.
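As an added example (not code from this page or from codepathfinder), the toy straight-line taint walker below mirrors the rule model described above on Python ASTs: request.data and request.query_params are sources, Serializer.is_valid(raise_exception=True) is the only sanitizer, the rule has no sinks of its own so the caller supplies them (a hypothetical {"execute"} SQL sink here), and a module whose imports match none of the configured FQNs yields 0 findings, which is the garbage-FQN check from the previous paragraph. The two view modules are constructed inputs; find_flows, LookupSerializer and cursor are this example's own names.

```python
import ast

# Toy rule model copied from the page; these names are this example's own,
# not codepathfinder's API.
FQNS = ["rest_framework", "rest_framework.request", "rest_framework.response"]
SOURCE_ATTRS = {"data", "query_params"}   # Request.data, Request.query_params
SANITIZER = "is_valid"                     # sanitizer only with raise_exception=True


def _imports_match(tree, fqns):
    """The rule applies only if the module imports one of the configured FQNs."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods = [node.module]
        else:
            continue
        if any(m == f or m.startswith(f + ".") for m in mods for f in fqns):
            return True
    return False


def _is_tainted(expr, tainted):
    """True if expr reads a source attribute of `request` or a tainted name."""
    for n in ast.walk(expr):
        if (isinstance(n, ast.Attribute) and n.attr in SOURCE_ATTRS
                and isinstance(n.value, ast.Name) and n.value.id == "request"):
            return True
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
    return False


def _sanitized_receiver(stmt):
    """Name x for a statement `x.is_valid(raise_exception=True)`, else None."""
    if not (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)):
        return None
    func = stmt.value.func
    if not (isinstance(func, ast.Attribute) and func.attr == SANITIZER
            and isinstance(func.value, ast.Name)):
        return None
    for kw in stmt.value.keywords:
        if kw.arg == "raise_exception" and getattr(kw.value, "value", None) is True:
            return func.value.id
    return None


def find_flows(source, sinks, fqns=FQNS):
    """Return (function name, line) pairs where a tainted value reaches a sink call."""
    tree = ast.parse(source)
    if not _imports_match(tree, fqns):
        return []                         # wrong FQN -> 0 findings, no error
    findings = []
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        if "request" not in [a.arg for a in fn.args.args]:
            continue
        tainted = set()
        for stmt in fn.body:              # straight-line only; enough for a toy
            cleaned = _sanitized_receiver(stmt)
            if cleaned:
                tainted.discard(cleaned)  # execution past here implies valid data
                continue
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                if _is_tainted(stmt.value, tainted):
                    tainted.add(stmt.targets[0].id)
                else:
                    tainted.discard(stmt.targets[0].id)
            for call in ast.walk(stmt):
                if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                        and call.func.attr in sinks):
                    args = call.args + [k.value for k in call.keywords]
                    if any(_is_tainted(a, tainted) for a in args):
                        findings.append((fn.name, call.lineno))
    return findings


# Constructed view modules; LookupSerializer and cursor are assumed to exist elsewhere.
VULNERABLE = '''
from rest_framework.views import APIView
from rest_framework.response import Response
class Lookup(APIView):
    def get(self, request):
        serializer = LookupSerializer(data=request.query_params)
        serializer.is_valid()  # bool result ignored: not a sanitizer in this model
        cursor.execute("SELECT 1 FROM users WHERE name = '%s'" % serializer.validated_data["name"])
        return Response({"ok": True})
'''

HARDENED = '''
from rest_framework.views import APIView
from rest_framework.response import Response
class Lookup(APIView):
    def post(self, request):
        serializer = LookupSerializer(data=request.data)
        serializer.is_valid(raise_exception=True)  # raises on bad input: taint blocked
        cursor.execute("SELECT 1 FROM users WHERE name = %s", [serializer.validated_data["name"]])
        return Response({"ok": True})
'''
```

find_flows(VULNERABLE, {"execute"}) reports the execute call on line 8 of that module, find_flows(HARDENED, {"execute"}) reports nothing, and find_flows(VULNERABLE, {"execute"}, ["garbage"]) also reports nothing, which is exactly why a garbage-FQN run is a useful negative control: 0 findings is indistinguishable from a misconfigured rule unless you know the vulnerable sample fires with the real FQNs. Note that the hardened view also parameterises the query; the taint rule alone does not check that.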

Import

rule.py
from codepathfinder.go_rule import PyRestFramework