django-ninja-aio-crud 2.17.0__py3-none-any.whl → 2.18.1__py3-none-any.whl

ninja_aio/models/utils.py

@@ -94,6 +94,9 @@ class ModelUtil:
     - Stateless wrapper; safe per-request instantiation.
     """
 
+    # Performance: Class-level cache for relation discovery (model structure is static)
+    _relation_cache: dict[tuple[type, str, str], list[str]] = {}
+
     def __init__(
         self, model: type["ModelSerializer"] | models.Model, serializer_class=None
     ):
@@ -192,6 +195,47 @@ class ModelUtil:
         """
         return [field.name for field in self.model._meta.get_fields()]
 
+    def get_valid_input_fields(
+        self, is_serializer: bool, serializer: "ModelSerializer | None" = None
+    ) -> set[str]:
+        """
+        Get allowlist of valid field names for input validation.
+
+        Security: Prevents field injection by returning only fields that should
+        be accepted from user input.
+
+        Parameters
+        ----------
+        is_serializer : bool
+            Whether using a ModelSerializer
+        serializer : ModelSerializer, optional
+            Serializer instance if applicable
+
+        Returns
+        -------
+        set[str]
+            Set of valid field names that can be accepted in input payloads
+        """
+        valid_fields = set(self.model_fields)
+
+        # If using a serializer, also include custom fields
+        if is_serializer and serializer:
+            # Get all custom fields defined in the serializer
+            try:
+                # Custom fields are those that are not model fields but are defined
+                # in the serializer configuration
+                for schema_type in ['create', 'update', 'read', 'detail']:
+                    try:
+                        schema_fields = serializer.get_fields(schema_type)
+                        if schema_fields:
+                            valid_fields.update(schema_fields)
+                    except (AttributeError, TypeError):
+                        continue
+            except (AttributeError, TypeError):
+                pass
+
+        return valid_fields
+
     @property
     def model_name(self) -> str:
         """
@@ -518,6 +562,9 @@ class ModelUtil:
         """
         Discover reverse relation names for safe prefetching.
 
+        Performance: Results are cached per (model, serializer_class, is_for) tuple
+        since model structure is static.
+
         Parameters
         ----------
         is_for : Literal["read", "detail"]
@@ -528,9 +575,17 @@ class ModelUtil:
         list[str]
             Relation attribute names.
         """
+        # Check cache first (performance optimization)
+        cache_key = (self.model, str(self.serializer_class), is_for)
+        if cache_key in self._relation_cache:
+            return self._relation_cache[cache_key].copy()
+
         reverse_rels = self._get_read_optimizations(is_for).prefetch_related.copy()
         if reverse_rels:
+            # Cache and return
+            self._relation_cache[cache_key] = reverse_rels
             return reverse_rels
+
         serializable_fields = self._get_serializable_field_names(is_for)
         for f in serializable_fields:
             field_obj = getattr(self.model, f)
@@ -542,6 +597,9 @@ class ModelUtil:
                 continue
             if isinstance(field_obj, ReverseOneToOneDescriptor):
                 reverse_rels.append(field_obj.related.name)
+
+        # Cache the result
+        self._relation_cache[cache_key] = reverse_rels
         return reverse_rels
 
     def get_select_relateds(
@@ -550,6 +608,9 @@ class ModelUtil:
         """
         Discover forward relation names for safe select_related.
 
+        Performance: Results are cached per (model, serializer_class, is_for) tuple
+        since model structure is static.
+
         Parameters
         ----------
         is_for : Literal["read", "detail"]
@@ -560,9 +621,17 @@ class ModelUtil:
         list[str]
             Relation attribute names.
         """
+        # Check cache first (performance optimization)
+        cache_key = (self.model, str(self.serializer_class) + "_select", is_for)
+        if cache_key in self._relation_cache:
+            return self._relation_cache[cache_key].copy()
+
         select_rels = self._get_read_optimizations(is_for).select_related.copy()
         if select_rels:
+            # Cache and return
+            self._relation_cache[cache_key] = select_rels
             return select_rels
+
         serializable_fields = self._get_serializable_field_names(is_for)
         for f in serializable_fields:
             field_obj = getattr(self.model, f)
@@ -571,12 +640,17 @@ class ModelUtil:
                 continue
             if isinstance(field_obj, ForwardManyToOneDescriptor):
                 select_rels.append(f)
+
+        # Cache the result
+        self._relation_cache[cache_key] = select_rels
         return select_rels
 
-    async def _get_field(self, k: str):
+    async def _get_field(self, k: str) -> models.Field:
+        """Get Django field object for a given field name."""
         return (await agetattr(self.model, k)).field
 
-    def _decode_binary(self, payload: dict, k: str, v: Any, field_obj: models.Field):
+    def _decode_binary(self, payload: dict, k: str, v: Any, field_obj: models.Field) -> None:
+        """Decode base64-encoded binary field values in place."""
         if not isinstance(field_obj, models.BinaryField):
             return
         try:
@@ -591,7 +665,8 @@ class ModelUtil:
         k: str,
         v: Any,
         field_obj: models.Field,
-    ):
+    ) -> None:
+        """Resolve foreign key ID to model instance in place."""
         if not isinstance(field_obj, models.ForeignKey):
             return
         rel_util = ModelUtil(field_obj.related_model)
@@ -600,10 +675,11 @@ class ModelUtil:
 
     async def _bump_object_from_schema(
         self, obj: type["ModelSerializer"] | models.Model, schema: Schema
-    ):
+    ) -> dict:
+        """Convert model instance to dict using Pydantic schema."""
         return (await sync_to_async(schema.from_orm)(obj)).model_dump()
 
-    def _validate_read_params(self, request: HttpRequest, query_data: QuerySchema):
+    def _validate_read_params(self, request: HttpRequest, query_data: QuerySchema) -> None:
         """Validate required parameters for read operations."""
         if request is None:
             raise SerializeError(
@@ -667,12 +743,152 @@ class ModelUtil:
         obj = await self.get_object(request, query_data=query_data, is_for=is_for)
         return await self._bump_object_from_schema(obj, obj_schema)
 
+    def _validate_input_fields(
+        self, payload: dict, is_serializer: bool, serializer
+    ) -> None:
+        """
+        Validate non-custom payload keys against model fields.
+
+        Parameters
+        ----------
+        payload : dict
+            Input payload to validate.
+        is_serializer : bool
+            Whether using a ModelSerializer.
+        serializer : ModelSerializer | Serializer
+            Serializer instance if applicable.
+
+        Raises
+        ------
+        SerializeError
+            If invalid field names are found in payload.
+        """
+        invalid_fields = []
+        for key in payload.keys():
+            # Skip custom fields - they're validated by Pydantic schema
+            if is_serializer and serializer.is_custom(key):
+                continue
+            # Validate non-custom fields exist on the model
+            if key not in self.model_fields:
+                invalid_fields.append(key)
+
+        if invalid_fields:
+            raise SerializeError(
+                {
+                    "detail": f"Invalid field names in payload: {', '.join(sorted(invalid_fields))}",
+                    "invalid_fields": sorted(invalid_fields),
+                },
+                400,
+            )
+
+    def _collect_custom_and_optional_fields(
+        self, payload: dict, is_serializer: bool, serializer
+    ) -> tuple[dict[str, Any], list[str]]:
+        """
+        Collect custom and optional fields from payload.
+
+        Parameters
+        ----------
+        payload : dict
+            Input payload.
+        is_serializer : bool
+            Whether using a ModelSerializer.
+        serializer : ModelSerializer | Serializer
+            Serializer instance if applicable.
+
+        Returns
+        -------
+        tuple[dict[str, Any], list[str]]
+            (custom_fields_dict, optional_field_names)
+        """
+        customs: dict[str, Any] = {}
+        optionals: list[str] = []
+
+        if not is_serializer:
+            return customs, optionals
+
+        customs = {
+            k: v
+            for k, v in payload.items()
+            if serializer.is_custom(k) and k not in self.model_fields
+        }
+        optionals = [
+            k for k, v in payload.items() if serializer.is_optional(k) and v is None
+        ]
+
+        return customs, optionals
+
+    def _determine_skip_keys(
+        self, payload: dict, is_serializer: bool, serializer
+    ) -> set[str]:
+        """
+        Determine which keys to skip during model field processing.
+
+        Parameters
+        ----------
+        payload : dict
+            Input payload.
+        is_serializer : bool
+            Whether using a ModelSerializer.
+        serializer : ModelSerializer | Serializer
+            Serializer instance if applicable.
+
+        Returns
+        -------
+        set[str]
+            Set of keys to skip.
+        """
+        if not is_serializer:
+            return set()
+
+        skip_keys = {
+            k
+            for k, v in payload.items()
+            if (serializer.is_custom(k) and k not in self.model_fields)
+            or (serializer.is_optional(k) and v is None)
+        }
+        return skip_keys
+
+    async def _process_payload_fields(
+        self, request: HttpRequest, payload: dict, fields_to_process: list[tuple[str, Any]]
+    ) -> None:
+        """
+        Process payload fields: decode binary and resolve foreign keys.
+
+        Parameters
+        ----------
+        request : HttpRequest
+            HTTP request object.
+        payload : dict
+            Payload dict to modify in place.
+        fields_to_process : list[tuple[str, Any]]
+            List of (field_name, field_value) tuples to process.
+        """
+        if not fields_to_process:
+            return
+
+        # Fetch all field objects in parallel
+        field_tasks = [self._get_field(k) for k, _ in fields_to_process]
+        field_objs = await asyncio.gather(*field_tasks)
+
+        # Decode binary fields (synchronous, must be sequential)
+        for (k, v), field_obj in zip(fields_to_process, field_objs):
+            self._decode_binary(payload, k, v, field_obj)
+
+        # Resolve all FK fields in parallel
+        fk_tasks = [
+            self._resolve_fk(request, payload, k, v, field_obj)
+            for (k, v), field_obj in zip(fields_to_process, field_objs)
+        ]
+        await asyncio.gather(*fk_tasks)
+
     async def parse_input_data(self, request: HttpRequest, data: Schema):
         """
         Transform inbound schema data to a model-ready payload.
 
         Steps
         -----
+        - Validate fields against allowlist (security).
         - Strip custom fields (retain separately).
         - Drop optional fields with None (ModelSerializer only).
         - Decode BinaryField base64 values.
@@ -692,7 +908,7 @@ class ModelUtil:
         Raises
         ------
         SerializeError
-            On base64 decoding failure.
+            On base64 decoding failure or invalid field names.
         """
         payload = data.model_dump(mode="json")
 
@@ -701,36 +917,20 @@ class ModelUtil:
         )
         serializer = self.serializer if self.with_serializer else self.model
 
-        # Collect custom and optional fields (only if ModelSerializerMeta)
-        customs: dict[str, Any] = {}
-        optionals: list[str] = []
-        if is_serializer:
-            customs = {
-                k: v
-                for k, v in payload.items()
-                if serializer.is_custom(k) and k not in self.model_fields
-            }
-            optionals = [
-                k for k, v in payload.items() if serializer.is_optional(k) and v is None
-            ]
+        # Security: Validate non-custom payload keys against model fields
+        self._validate_input_fields(payload, is_serializer, serializer)
 
-        skip_keys = set()
-        if is_serializer:
-            # Keys to skip during model field processing
-            skip_keys = {
-                k
-                for k, v in payload.items()
-                if (serializer.is_custom(k) and k not in self.model_fields)
-                or (serializer.is_optional(k) and v is None)
-            }
-
-        # Process payload fields
-        for k, v in payload.items():
-            if k in skip_keys:
-                continue
-            field_obj = await self._get_field(k)
-            self._decode_binary(payload, k, v, field_obj)
-            await self._resolve_fk(request, payload, k, v, field_obj)
+        # Collect custom and optional fields
+        customs, optionals = self._collect_custom_and_optional_fields(
+            payload, is_serializer, serializer
+        )
+
+        # Determine which keys to skip during model field processing
+        skip_keys = self._determine_skip_keys(payload, is_serializer, serializer)
+
+        # Process payload fields - gather field objects in parallel for better performance
+        fields_to_process = [(k, v) for k, v in payload.items() if k not in skip_keys]
+        await self._process_payload_fields(request, payload, fields_to_process)
 
         # Preserve original exclusion semantics (customs if present else optionals)
         exclude_keys = customs.keys() or optionals

ninja_aio/types.py

@@ -10,6 +10,44 @@ SCHEMA_TYPES = Literal["In", "Out", "Detail", "Patch", "Related"]
 VIEW_TYPES = Literal["list", "retrieve", "create", "update", "delete", "all"]
 JwtKeys: TypeAlias = jwk.RSAKey | jwk.ECKey | jwk.OctKey
 
+# Django ORM field lookup suffixes for QuerySet filtering
+# See: https://docs.djangoproject.com/en/stable/ref/models/querysets/#field-lookups
+DjangoLookup = Literal[
+    "exact",
+    "iexact",
+    "contains",
+    "icontains",
+    "in",
+    "gt",
+    "gte",
+    "lt",
+    "lte",
+    "startswith",
+    "istartswith",
+    "endswith",
+    "iendswith",
+    "range",
+    "date",
+    "year",
+    "iso_year",
+    "month",
+    "day",
+    "week",
+    "week_day",
+    "iso_week_day",
+    "quarter",
+    "time",
+    "hour",
+    "minute",
+    "second",
+    "isnull",
+    "regex",
+    "iregex",
+]
+
+# Set of valid Django lookup suffixes for runtime validation
+VALID_DJANGO_LOOKUPS: set[str] = set(DjangoLookup.__args__)
+
 
 class SerializerMeta(type):
     """Metaclass for serializers - extend with custom behavior as needed."""

ninja_aio/views/api.py

@@ -6,6 +6,7 @@ from ninja.pagination import paginate, AsyncPaginationBase, PageNumberPagination
 from django.http import HttpRequest
 from django.db.models import Model, QuerySet
 from django.conf import settings
+from django.core.exceptions import FieldDoesNotExist
 from pydantic import create_model
 
 from ninja_aio.schemas.helpers import ModelQuerySetSchema, QuerySchema, DecoratorsSchema
@@ -16,7 +17,7 @@ from ninja_aio.schemas import (
     M2MRelationSchema,
 )
 from ninja_aio.helpers.api import ManyToManyAPI
-from ninja_aio.types import ModelSerializerMeta, VIEW_TYPES
+from ninja_aio.types import ModelSerializerMeta, VIEW_TYPES, VALID_DJANGO_LOOKUPS
 from ninja_aio.decorators import unique_view, decorate_view, aatomic
 from ninja_aio.models import serializers
 
@@ -31,7 +32,7 @@ class API:
     auth: list | None = NOT_SET
     router: Router = None
 
-    def views(self):
+    def views(self) -> None:
         """
         Override this method to add your custom views. For example:
         @self.router.get(some_path, response=some_schema)
@@ -65,13 +66,15 @@ class API:
         """
         pass
 
-    def _add_views(self):
+    def _add_views(self) -> Router:
+        """Register views decorated with @api_register."""
         for name in dir(self.__class__):
             method = getattr(self.__class__, name)
             if hasattr(method, "_api_register"):
                 method._api_register(self)
+        return self.router
 
-    def add_views_to_route(self):
+    def add_views_to_route(self) -> Router:
         return self.api.add_router(f"{self.api_route_path}", self._add_views())
 
 
@@ -322,6 +325,98 @@ class APIViewSet(API):
             filter
         )
 
+    def _is_lookup_suffix(self, part: str) -> bool:
+        """
+        Check if a part is a valid Django lookup suffix.
+
+        Args:
+            part: The part to check
+
+        Returns:
+            bool: True if the part is a valid lookup suffix
+        """
+        return part in VALID_DJANGO_LOOKUPS
+
+    def _get_related_model(self, field):
+        """
+        Extract the related model from a field if it exists.
+
+        Args:
+            field: The Django field object
+
+        Returns:
+            Model class or None
+        """
+        if hasattr(field, 'related_model') and field.related_model:
+            return field.related_model
+        if hasattr(field, 'remote_field') and field.remote_field and hasattr(field.remote_field, 'model'):
+            return field.remote_field.model
+        return None
+
+    def _validate_non_relation_field(self, parts: list[str], i: int) -> bool:
+        """
+        Validate a non-relation field that appears before the end of the path.
+
+        Args:
+            parts: List of field path parts
+            i: Current index in parts
+
+        Returns:
+            bool: True if valid, False otherwise
+        """
+        if i >= len(parts) - 1:
+            return True
+        next_part = parts[i + 1]
+        return self._is_lookup_suffix(next_part)
+
+    def _validate_filter_field(self, field_path: str) -> bool:
+        """
+        Validate that a filter field path corresponds to valid model fields.
+
+        Security: Prevents field injection attacks by ensuring only valid model
+        fields can be used in filters.
+
+        Args:
+            field_path: The field path to validate (e.g., "name", "author__name")
+
+        Returns:
+            bool: True if the field path is valid, False otherwise
+
+        Examples:
+            "name" -> validates against direct model field
+            "author__name" -> validates author is a relation, then name on related model
+            "created_at__gte" -> validates created_at field, lookup suffix is allowed
+        """
+        if not field_path:
+            return False
+
+        parts = field_path.split('__')
+        current_model = self.model
+
+        # Iterate through the path, validating each part
+        for i, part in enumerate(parts):
+            # Check if this is the last part and might be a lookup suffix
+            is_last_part = i == len(parts) - 1
+            if is_last_part and self._is_lookup_suffix(part):
+                return True
+
+            try:
+                field = current_model._meta.get_field(part)
+            except (FieldDoesNotExist, AttributeError):
+                # Field doesn't exist on this model
+                return False
+
+            # If this is a relation field and not the last part, traverse to related model
+            related_model = self._get_related_model(field)
+            if related_model and not is_last_part:
+                current_model = related_model
+            elif not is_last_part:
+                # Non-relation field in the middle - must be followed by a lookup suffix
+                if not self._validate_non_relation_field(parts, i):
+                    return False
+
+        return True
+
     def _auth_view(self, view_type: str):
         """
         Resolve auth for a specific HTTP verb; falls back to self.auth if NOT_SET.
@@ -329,16 +424,20 @@ class APIViewSet(API):
         auth = getattr(self, f"{view_type}_auth", None)
         return auth if auth is not NOT_SET else self.auth
 
-    def get_view_auth(self):
+    def get_view_auth(self) -> list | None:
+        """Get authentication configuration for GET endpoints."""
         return self._auth_view("get")
 
-    def post_view_auth(self):
+    def post_view_auth(self) -> list | None:
+        """Get authentication configuration for POST endpoints."""
         return self._auth_view("post")
 
-    def patch_view_auth(self):
+    def patch_view_auth(self) -> list | None:
+        """Get authentication configuration for PATCH endpoints."""
         return self._auth_view("patch")
 
-    def delete_view_auth(self):
+    def delete_view_auth(self) -> list | None:
+        """Get authentication configuration for DELETE endpoints."""
         return self._auth_view("delete")
 
     def _generate_schema(self, fields: dict, name: str) -> Schema:
@@ -347,7 +446,7 @@ class APIViewSet(API):
         """
         return create_model(f"{self.model_util.model_name}{name}", **fields)
 
-    def _generate_path_schema(self):
+    def _generate_path_schema(self) -> Schema:
         """
         Schema containing only the primary key field for path resolution.
         """

ninja_aio/views/mixins.py

@@ -56,7 +56,9 @@ class IcontainsFilterViewSetMixin(APIViewSet):
             **{
                 f"{key}__icontains": value
                 for key, value in filters.items()
-                if isinstance(value, str) and not self._is_special_filter(key)
+                if isinstance(value, str)
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -98,7 +100,9 @@ class BooleanFilterViewSetMixin(APIViewSet):
             **{
                 key: value
                 for key, value in filters.items()
-                if isinstance(value, bool) and not self._is_special_filter(key)
+                if isinstance(value, bool)
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -140,7 +144,9 @@ class NumericFilterViewSetMixin(APIViewSet):
             **{
                 key: value
                 for key, value in filters.items()
-                if isinstance(value, (int, float)) and not self._is_special_filter(key)
+                if isinstance(value, (int, float))
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -182,7 +188,9 @@ class DateFilterViewSetMixin(APIViewSet):
             **{
                 f"{key}{self._compare_attr}": value
                 for key, value in filters.items()
-                if hasattr(value, "isoformat") and not self._is_special_filter(key)
+                if hasattr(value, "isoformat")
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -341,7 +349,8 @@ class RelationFilterViewSetMixin(APIViewSet):
         rel_filters = {}
         for rel_filter in self.relations_filters:
             value = filters.get(rel_filter.query_param)
-            if value is not None:
+            # Validate the configured query_filter path for security
+            if value is not None and self._validate_filter_field(rel_filter.query_filter):
                 rel_filters[rel_filter.query_filter] = value
         return base_qs.filter(**rel_filters) if rel_filters else base_qs
 
@@ -406,8 +415,15 @@ class MatchCaseFilterViewSetMixin(APIViewSet):
                     filter_match.cases.true if value else filter_match.cases.false
                 )
                 lookup = case_filter.query_filter
-                if case_filter.include:
-                    base_qs = base_qs.filter(**lookup)
-                else:
-                    base_qs = base_qs.exclude(**lookup)
+                # Validate all filter fields in the lookup dictionary for security
+                validated_lookup = {
+                    k: v
+                    for k, v in lookup.items()
+                    if self._validate_filter_field(k)
+                }
+                if validated_lookup:
+                    if case_filter.include:
+                        base_qs = base_qs.filter(**validated_lookup)
+                    else:
+                        base_qs = base_qs.exclude(**validated_lookup)
         return base_qs