
# Audit

<AccordionGroup>
  <Accordion title="extends-custom-expression">
    Found extension of custom expression: \$CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="no-csrf-exempt">
    Detected usage of @csrf\_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltration of private data. Instead, create a function without this decorator.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-352: Cross-Site Request Forgery (CSRF)
    <br />**OWASP**: <br />- A01:2021 - Broken Access Control
  </Accordion>

  <Accordion title="unvalidated-password">
    The password on '\$MODEL' is being set without validating the password. Call django.contrib.auth.password\_validation.validate\_password() with validation functions before setting the password. See [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/) for more information.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-521: Weak Password Requirements
    <br />**OWASP**: <br />- A07:2021 - Identification and Authentication Failures
  </Accordion>

  <Accordion title="avoid-mark-safe">
    'mark\_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format\_html()' to build HTML for rendering instead.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    <br />**OWASP**: <br />- A07:2017 - Cross-Site Scripting (XSS)
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="avoid-query-set-extra">
    'QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="avoid-raw-sql">
    Detected the use of 'RawSQL' or 'raw', indicating the execution of a non-parameterized SQL query. This could lead to SQL injection, through which protected information could be leaked. Prefer the Django ORM and parameterized queries over raw SQL. An example of using the Django ORM is: `People.objects.get(name='Bob')`.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="custom-expression-as-sql">
    Detected a Custom Expression '\$EXPRESSION' calling 'as\_sql(...)'. This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="django-secure-set-cookie">
    Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set\_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.<br />**Likelihood**: LOW<br />**Confidence**: LOW<br />**CWE**: <br />- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
    <br />**OWASP**: <br />- A05:2021 - Security Misconfiguration
  </Accordion>

  <Accordion title="avoid-insecure-deserialization">
    Avoid using insecure deserialization libraries, such as those backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-502: Deserialization of Untrusted Data
    <br />**OWASP**: <br />- A08:2017 - Insecure Deserialization
    <br />- A08:2021 - Software and Data Integrity Failures
  </Accordion>
</AccordionGroup>
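The `avoid-raw-sql`, `avoid-query-set-extra` and `custom-expression-as-sql` rules above all flag the same underlying defect: untrusted input spliced into SQL text. The following added example (not part of CodeAnt's rules or Django's code) shows that defect beside its parameterized fix using the standard-library `sqlite3` driver on a constructed `people` table, so it runs without a Django project; Django's `Manager.raw(sql, params)` and `connection.cursor().execute(sql, params)` bind parameters the same way, with `%s` placeholders instead of `?`.

```python
import sqlite3

# Constructed sample rows standing in for a Django "people" table.
SAMPLE_PEOPLE = [("Bob", "bob@example.com"), ("Alice", "alice@example.com")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_PEOPLE)
    return conn


def find_by_name_unsafe(conn, name):
    """The pattern the raw-SQL rules flag: `name` becomes part of the SQL text,
    so a quote character in it changes the query's structure."""
    sql = "SELECT name, email FROM people WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Parameterized form: the driver binds `name` as data, never as SQL.
    In Django this is People.objects.raw(sql, [name]) with a %s placeholder,
    or simply People.objects.filter(name=name)."""
    sql = "SELECT name, email FROM people WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return how many rows each variant yields for the same input, so the
    difference between text splicing and parameter binding is observable."""
    conn = make_db()
    return {
        "unsafe": len(find_by_name_unsafe(conn, name)),
        "safe": len(find_by_name_safe(conn, name)),
    }


if __name__ == "__main__":
    # A benign name behaves identically in both variants ...
    print(compare("Bob"))
    # ... but a constructed value containing a quote is treated as SQL by the
    # unsafe variant (every row matches) and as a literal by the safe one.
    print(compare("' OR '1'='1"))
```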
