Invalid input syntax for type uuid

Use case: Using user’s input to retrieve a model from database.

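Issue: The UUIDField doesn't properly *clean* the input value, so the ORM sends the query to the database even when the value is not a valid UUID. Until the field rejects such values itself, code that builds a lookup from user input should validate the value first (for example with uuid.UUID(value)) or catch DataError.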

System: Ubuntu 14.04 LTS + PostgreSQL 9.3

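Good: User.objects.get(pk='ssss') -> ValueError (raised by Django in get_prep_value, before any query is sent)

Bad: Media.objects.get(pk='ssss') -> DataError (raised by the database after the query has been executed)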

class Media(models.Model):
    pk = models.UUIDField()

>>> User.objects.get(pk='ssss')
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "venv/src/django/django/db/models/manager.py", line 127, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "venv/src/django/django/db/models/query.py", line 320, in get
    clone = self.filter(*args, **kwargs)
  File "venv/src/django/django/db/models/query.py", line 671, in filter
    return self._filter_or_exclude(False, *args, **kwargs)
  File "venv/src/django/django/db/models/query.py", line 689, in _filter_or_exclude
    clone.query.add_q(Q(*args, **kwargs))
  File "venv/src/django/django/db/models/sql/query.py", line 1284, in add_q
    clause, require_inner = self._add_q(where_part, self.used_aliases)
  File "venv/src/django/django/db/models/sql/query.py", line 1311, in _add_q
    current_negated=current_negated, connector=connector, allow_joins=allow_joins)
  File "venv/src/django/django/db/models/sql/query.py", line 1183, in build_filter
    condition = self.build_lookup(lookups, col, value)
  File "venv/src/django/django/db/models/sql/query.py", line 1079, in build_lookup
    return final_lookup(lhs, rhs)
  File "venv/src/django/django/db/models/lookups.py", line 96, in __init__
    self.rhs = self.get_prep_lookup()
  File "venv/src/django/django/db/models/lookups.py", line 134, in get_prep_lookup
    return self.lhs.output_field.get_prep_lookup(self.lookup_name, self.rhs)
  File "venv/src/django/django/db/models/fields/__init__.py", line 716, in get_prep_lookup
    return self.get_prep_value(value)
  File "venv/src/django/django/db/models/fields/__init__.py", line 974, in get_prep_value
    return int(value)
ValueError: invalid literal for int() with base 10: 'ssss'

>>> Media.objects.get(pk='ssss')
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "venv/src/django/django/db/models/manager.py", line 127, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "venv/src/django/django/db/models/query.py", line 326, in get
    num = len(clone)
  File "venv/src/django/django/db/models/query.py", line 145, in __len__
    self._fetch_all()
  File "venv/src/django/django/db/models/query.py", line 955, in _fetch_all
    self._result_cache = list(self.iterator())
  File "venv/src/django/django/db/models/query.py", line 239, in iterator
    results = compiler.execute_sql()
  File "venv/src/django/django/db/models/sql/compiler.py", line 826, in execute_sql
    cursor.execute(sql, params)
  File "venv/src/django/django/db/backends/utils.py", line 80, in execute
    return super(CursorDebugWrapper, self).execute(sql, params)
  File "venv/src/django/django/db/backends/utils.py", line 65, in execute
    return self.cursor.execute(sql, params)
  File "venv/src/django/django/db/utils.py", line 95, in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)
  File "venv/src/django/django/utils/six.py", line 658, in reraise
    raise value.with_traceback(tb)
  File "venv/src/django/django/db/backends/utils.py", line 65, in execute
    return self.cursor.execute(sql, params)
django.db.utils.DataError: invalid input syntax for uuid: "ssss"
LINE 1: ...oudncode_media" WHERE "cloudncode_media"."uuid" = 'ssss' LIM...
