Enforcing things on the database level | Django | Page 1

dull juniper Apr 7, 2024, 2:23 PM

#

Was wondering how important is it to enforce certain things on the database level.

right now i got a video model

class Video(models.Model):
    videoemb = models.FileField(max_length=500, upload_to=uploadPath, null=False, validators=[FileExtensionValidator(allowed_extensions=["mov","mp4","avi","wmv"])])
    author = models.ForeignKey(CustomUser, on_delete=models.CASCADE)
    description = models.TextField(max_length=500)
    created_at = models.DateTimeField(auto_now_add=True)
    vidID = models.CharField(default=randVidID, editable=False)
    ratingn = models.BigIntegerField(default = 0)
    ratingp = models.BigIntegerField(default = 0)
    title = models.CharField(max_length=100)
    thumbnail = models.ImageField(editable=False, max_length=255, default="image/image.png")
    created = models.IntegerField(editable=False, default=0)

    class Meta:
        ordering=['-created_at']

And im validating the videoemb to only accept those file extensions, but that doesnt enforce it on the database level, which brings me to my question, how important is it that i also do it on the database level? Are there potential security risks if i dont, and if so what are they?

dusk drum Apr 7, 2024, 2:32 PM

#

which programs, besides your django app, do you expect to be writing to your database?

#

if the answer is "none", then don't stress on it

dull juniper Apr 7, 2024, 2:33 PM

#

think its none?

left pebble Apr 7, 2024, 2:33 PM

#

Shooting a random shot here, but internally a filefield is considered a varchar/etc, which you can hopefully use pattern matching constraint on. So:

    class Meta:
        constraints = [
            models.CheckConstraint(
               check=models.Q(videoemb__endswith='.foo'),
               name='video_extension_check')
        ]

for the rest of the extensions, you'd probably build a Q() out of the allowed_extensions list that you define.

allowed_extensions = ["mov","mp4","avi","wmv"]

allowed_extensions_q =  ...# dynamically build Q with |

dull juniper Apr 7, 2024, 2:33 PM

#

atleast for that field

dull juniper Apr 7, 2024, 2:34 PM

#

left pebble Shooting a random shot here, but internally a filefield is considered a varchar/...

yeah, but more so asking if this is a "Should" or a "Could"

dusk drum Apr 7, 2024, 2:35 PM

#

there are probably lots of ways you could enforce your rule here

#

the real question is: are any of them worth it?

left pebble Apr 7, 2024, 2:35 PM

#

enforcing a filename extension doesn't reduce the security related risk ~~of anything~~

dusk drum Apr 7, 2024, 2:36 PM

#

it reduces the risk of storing a filename with the wrong extension! 🤣

left pebble Apr 7, 2024, 2:36 PM

#

fixed ^.^

#Enforcing things on the database level