Django QuerySet arguments manipulation

Çağlar Arlı

I'm trying to get into bug hunting. I found the following request on one of the bug bounty programs:

httx://example.com/api/news/?filter=%7B%22date_end__gt%22:%222024-02-14T13:52:45.646Z%22,%22check_news%22:true%7D&order_by=-important_news,-date_start

It looks familiar to me since I'm a coder. I recognized a Django QuerySet, which I can manipulate. I found out it's possible to add an exclude parameter, and it works correctly. Unfortunately, adding extra didn't work out.

I suppose the code processing these requests looks like:

for op, val in query.items():
    if op == 'filter':
        ret = News.objects.filter(**val)
    elif op == 'exclude':
        ...

Could you please tell me if it is worth investing my time in this? Is there a way to exploit this behavior?
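
Seen from the defending side, the pattern the post guesses at (client JSON expanded straight into News.objects.filter(**val)) is normally closed off by validating operations, lookup keys, value types and ordering columns against allow-lists before anything reaches the ORM. The following is an added example, not part of the original post and not the target application's code; the allow-list contents, BadQuery and the function names are assumptions, with field names taken from the request above.

```python
import json

# Assumed policy: only what the legitimate request in the post actually uses.
ALLOWED_OPS = {"filter"}
ALLOWED_LOOKUPS = {"date_end__gt": str, "check_news": bool}
ALLOWED_ORDER = {"important_news", "date_start"}


class BadQuery(ValueError):
    """Raised when a client-supplied query falls outside the allow-lists."""


def validate_lookups(raw_json):
    """Decode one filter value and accept only allow-listed lookups."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise BadQuery("filter is not valid JSON") from exc
    if not isinstance(data, dict):
        raise BadQuery("filter must be a JSON object")
    for key, value in data.items():
        expected = ALLOWED_LOOKUPS.get(key)
        if expected is None:
            raise BadQuery(f"lookup not allowed: {key!r}")
        # type() rather than isinstance(): bool is a subclass of int.
        if type(value) is not expected:
            raise BadQuery(f"wrong type for {key!r}")
    return data


def validate_order(raw):
    """Accept allow-listed column names with an optional single '-' prefix."""
    fields = [f for f in raw.split(",") if f]
    for field in fields:
        name = field[1:] if field.startswith("-") else field
        if name not in ALLOWED_ORDER:
            raise BadQuery(f"ordering not allowed: {field!r}")
    return fields


def build_query(params):
    """Return (ops, order_by) that are safe to pass on, or raise BadQuery."""
    ops = []
    for op, val in params.items():
        if op == "order_by":
            continue
        if op not in ALLOWED_OPS:
            raise BadQuery(f"operation not allowed: {op!r}")
        ops.append((op, validate_lookups(val)))
    # A view would then call News.objects.filter(**lookups).order_by(*order).
    return ops, validate_order(params.get("order_by", ""))
```

With this policy the request from the post passes unchanged, while the added exclude and extra parameters are rejected before the QuerySet is built; a view would map BadQuery to an HTTP 400 response.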