Download prof files

debug_toolbar/panels/profiling.py

@@ -1,15 +1,20 @@
 import cProfile
+import logging
 import os
+import uuid
 from colorsys import hsv_to_rgb
 from pstats import Stats
 
 from django.conf import settings
+from django.core import signing
 from django.utils.html import format_html
 from django.utils.translation import gettext_lazy as _
 
 from debug_toolbar import settings as dt_settings
 from debug_toolbar.panels import Panel
 
+logger = logging.getLogger(__name__)
+
 
 class FunctionCall:
     def __init__(
@@ -183,8 +188,25 @@ def generate_stats(self, request, response):
         self.stats = Stats(self.profiler)
         self.stats.calc_callees()
 
-        root_func = cProfile.label(super().process_request.__code__)
-
+        if (
+            profile_root := dt_settings.get_config()["PROFILER_PROFILE_ROOT"]
+        ) and os.path.exists(profile_root):
+            filename = f"{uuid.uuid4().hex}.prof"
+            prof_file_path = os.path.join(profile_root, filename)
+            try:
+                self.profiler.dump_stats(prof_file_path)
+                self.prof_file_path = signing.dumps(filename)
+            except OSError:
+                logger.error(
+                    "Failed to dump profiling stats to %s",
+                    prof_file_path,
+                    exc_info=True,
+                )
+                # If writing to the file fails, we don't want to break the
+                # whole page.
+
+        code = super().process_request.__code__
+        root_func = (code.co_filename, code.co_firstlineno, code.co_name)
         if root_func in self.stats.stats:
             root = FunctionCall(self.stats, root_func, depth=0)
             func_list = []
@@ -197,4 +219,9 @@ def generate_stats(self, request, response):
                 dt_settings.get_config()["PROFILER_MAX_DEPTH"],
                 cum_time_threshold,
             )
-            self.record_stats({"func_list": [func.serialize() for func in func_list]})
+            self.record_stats(
+                {
+                    "func_list": [func.serialize() for func in func_list],
+                    "prof_file_path": getattr(self, "prof_file_path", None),
+                }
+            )

debug_toolbar/panels/sql/tracking.py

@@ -146,7 +146,20 @@ def _last_executed_query(self, sql, params):
         # process during the .last_executed_query() call.
         self.db._djdt_logger = None
         try:
-            return self.db.ops.last_executed_query(self.cursor, sql, params)
+            # Handle executemany: take the first set of parameters for formatting
+            if (
+                isinstance(params, (list, tuple))
+                and len(params) > 0
+                and isinstance(params[0], (list, tuple))
+            ):
+                sample_params = params[0]
+            else:
+                sample_params = params
+
+            try:
+                return self.db.ops.last_executed_query(self.cursor, sql, sample_params)
+            except Exception:
+                return sql
         finally:
             self.db._djdt_logger = self.logger
 

debug_toolbar/settings.py

@@ -52,6 +52,7 @@ def _is_running_tests():
     "PRETTIFY_SQL": True,
     "PROFILER_CAPTURE_PROJECT_CODE": True,
     "PROFILER_MAX_DEPTH": 10,
+    "PROFILER_PROFILE_ROOT": None,
     "PROFILER_THRESHOLD_RATIO": 8,
     "SHOW_TEMPLATE_CONTEXT": True,
     "SKIP_TEMPLATE_PREFIXES": ("django/forms/widgets/", "admin/widgets/"),

debug_toolbar/static/debug_toolbar/css/toolbar.css

@@ -1223,3 +1223,7 @@ To regenerate:
 #djDebug .djdt-community-panel a:hover {
     text-decoration: underline;
 }
+
+#djDebug .djdt-profiling-control {
+    margin-bottom: 10px;
+}

debug_toolbar/templates/debug_toolbar/panels/profiling.html

@@ -1,4 +1,13 @@
 {% load i18n %}
+
+{% if prof_file_path %}
+<div class="djdt-profiling-control">
+  <a href="{% url 'djdt:debug_toolbar_download_prof_file' %}?path={{ prof_file_path|urlencode }}" class="djDebugButton">
+    Download .prof file
+  </a>
+</div>
+{% endif %}
+
 <table>
   <thead>
     <tr>
@@ -13,22 +22,22 @@
   <tbody>
     {% for call in func_list %}
       <tr class="djdt-profile-row {% if call.is_project_func %}djdt-highlighted {% endif %} {% for parent_id in call.parent_ids %} djToggleDetails_{{ parent_id }}{% endfor %}" id="profilingMain_{{ call.id }}">
-        <td>
-          <div data-djdt-styles="paddingLeft:{{ call.indent }}px">
-            {% if call.has_subfuncs %}
+      <td>
+        <div data-djdt-styles="paddingLeft:{{ call.indent }}px">
+          {% if call.has_subfuncs %}
               <button type="button" class="djProfileToggleDetails djToggleSwitch" data-toggle-name="profilingMain" data-toggle-id="{{ call.id }}">-</button>
-            {% else %}
-              <span class="djNoToggleSwitch"></span>
-            {% endif %}
-            <span class="djdt-stack">{{ call.func_std_string|safe }}</span>
-          </div>
-        </td>
-        <td>{{ call.cumtime|floatformat:3 }}</td>
-        <td>{{ call.cumtime_per_call|floatformat:3 }}</td>
-        <td>{{ call.tottime|floatformat:3 }}</td>
-        <td>{{ call.tottime_per_call|floatformat:3 }}</td>
-        <td>{{ call.count }}</td>
-      </tr>
+          {% else %}
+          <span class="djNoToggleSwitch"></span>
+          {% endif %}
+          <span class="djdt-stack">{{ call.func_std_string|safe }}</span>
+        </div>
+      </td>
+      <td>{{ call.cumtime|floatformat:3 }}</td>
+      <td>{{ call.cumtime_per_call|floatformat:3 }}</td>
+      <td>{{ call.tottime|floatformat:3 }}</td>
+      <td>{{ call.tottime_per_call|floatformat:3 }}</td>
+      <td>{{ call.count }}</td>
+    </tr>
     {% endfor %}
   </tbody>
 </table>

debug_toolbar/toolbar.py

@@ -163,6 +163,11 @@ def get_urls(cls) -> list[URLPattern | URLResolver]:
             # Global URLs
             urlpatterns = [
                 path("render_panel/", views.render_panel, name="render_panel"),
+                path(
+                    "download_prof_file/",
+                    views.download_prof_file,
+                    name="debug_toolbar_download_prof_file",
+                ),
             ]
             # Per-panel URLs
             for panel_class in cls.get_panel_classes():

debug_toolbar/urls.py

@@ -2,4 +2,5 @@
 from debug_toolbar.toolbar import DebugToolbar
 
 app_name = APP_NAME
+
 urlpatterns = DebugToolbar.get_urls()

debug_toolbar/views.py

@@ -1,7 +1,12 @@
-from django.http import HttpRequest, JsonResponse
+import pathlib
+
+from django.core import signing
+from django.http import FileResponse, Http404, HttpRequest, JsonResponse
 from django.utils.html import escape
 from django.utils.translation import gettext as _
+from django.views.decorators.http import require_GET
 
+from debug_toolbar import settings as dt_settings
 from debug_toolbar._compat import login_not_required
 from debug_toolbar.decorators import render_with_toolbar_language, require_show_toolbar
 from debug_toolbar.panels import Panel
@@ -28,3 +33,30 @@ def render_panel(request: HttpRequest) -> JsonResponse:
         content = panel.content
         scripts = panel.scripts
     return JsonResponse({"content": content, "scripts": scripts})
+
+
+@require_GET
+@login_not_required
+def download_prof_file(request):
+    if not (root := dt_settings.get_config()["PROFILER_PROFILE_ROOT"]):
+        raise Http404()
+
+    if not (file_path := request.GET.get("path")):
+        raise Http404()
+
+    try:
+        filename = signing.loads(file_path)
+    except signing.BadSignature:
+        raise Http404() from None
+
+    root_path = pathlib.Path(root).resolve()
+    resolved_path = (root_path / filename).resolve()
+    if not resolved_path.is_relative_to(root_path) or not resolved_path.exists():
+        raise Http404()
+
+    return FileResponse(
+        open(resolved_path, "rb"),
+        as_attachment=True,
+        filename=resolved_path.name,
+        content_type="application/octet-stream",
+    )

docs/changes.rst

@@ -3,6 +3,10 @@ Change log
 
 Pending
 -------
+* Added the ability to download the profiling data as a file. This feature is
+  disabled by default and requires the ``PROFILER_PROFILE_ROOT`` setting to be
+  configured.
+
 
 6.2.0 (2026-01-20)
 ------------------

docs/configuration.rst

@@ -351,6 +351,17 @@ Panel options
   This setting affects the depth of function calls in the profiler's
   analysis.
 
+* ``PROFILER_PROFILE_ROOT``
+
+  Default: ``None``
+
+  Panel: profiling
+
+  This setting controls the directory where profile files are saved. If set
+  to ``None`` (the default), the profile file is not saved and the download
+  link is not shown. This directory must exist and be writable by the
+  web server process.
+
 * ``PROFILER_THRESHOLD_RATIO``
 
   Default: ``8``

tests/panels/test_profiling.py

@@ -1,10 +1,17 @@
+import os
+import shutil
 import sys
+import tempfile
 import unittest
+from unittest import mock
 
 from django.contrib.auth.models import User
+from django.core import signing
 from django.db import IntegrityError, transaction
 from django.http import HttpResponse
+from django.test import TestCase
 from django.test.utils import override_settings
+from django.urls import reverse
 
 from debug_toolbar.panels.profiling import ProfilingPanel
 
@@ -77,6 +84,23 @@ def test_generate_stats_no_profiler(self):
         response = HttpResponse()
         self.assertIsNone(self.panel.generate_stats(self.request, response))
 
+    def test_generate_stats_signed_path(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            with self.settings(DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": tmpdir}):
+                response = self.panel.process_request(self.request)
+                self.panel.generate_stats(self.request, response)
+                path = self.panel.prof_file_path
+                self.assertTrue(path)
+                # Check that it's a valid signature
+                filename = signing.loads(path)
+                self.assertTrue(filename.endswith(".prof"))
+
+    def test_generate_stats_no_root(self):
+        response = self.panel.process_request(self.request)
+        self.panel.generate_stats(self.request, response)
+        # Should not have a path if root is not set
+        self.assertFalse(hasattr(self.panel, "prof_file_path"))
+
     def test_generate_stats_no_root_func(self):
         """
         Test generating stats using profiler without root function.
@@ -88,6 +112,20 @@ def test_generate_stats_no_root_func(self):
         self.panel.generate_stats(self.request, response)
         self.assertNotIn("func_list", self.panel.get_stats())
 
+    @mock.patch("cProfile.Profile.dump_stats")
+    def test_generate_stats_oserror(self, mock_dump_stats):
+        mock_dump_stats.side_effect = OSError
+        with tempfile.TemporaryDirectory() as tmpdir:
+            with self.settings(DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": tmpdir}):
+                response = self.panel.process_request(self.request)
+                with self.assertLogs(
+                    "debug_toolbar.panels.profiling", level="ERROR"
+                ) as cm:
+                    self.panel.generate_stats(self.request, response)
+                self.assertIn("Failed to dump profiling stats", cm.output[0])
+                # Ensure prof_file_path is not set/updated if dump fails
+                self.assertFalse(hasattr(self.panel, "prof_file_path"))
+
 
 @override_settings(
     DEBUG=True, DEBUG_TOOLBAR_PANELS=["debug_toolbar.panels.profiling.ProfilingPanel"]
@@ -103,3 +141,80 @@ def test_view_executed_once(self):
         with self.assertRaises(IntegrityError), transaction.atomic():
             response = self.client.get("/new_user/")
         self.assertEqual(User.objects.count(), 1)
+
+
+class ProfilingDownloadViewTestCase(TestCase):
+    def setUp(self):
+        self.root = tempfile.mkdtemp()
+        self.filename = "test.prof"
+        self.filepath = os.path.join(self.root, self.filename)
+        with open(self.filepath, "wb") as f:
+            f.write(b"data")
+        self.signed_path = signing.dumps(self.filename)
+
+    def tearDown(self):
+        shutil.rmtree(self.root)
+
+    def test_download_no_root_configured(self):
+        response = self.client.get(reverse("djdt:debug_toolbar_download_prof_file"))
+        self.assertEqual(response.status_code, 404)
+
+    def test_download_valid(self):
+        with override_settings(
+            DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": self.root}
+        ):
+            url = reverse("djdt:debug_toolbar_download_prof_file")
+            response = self.client.get(url, {"path": self.signed_path})
+            self.assertEqual(response.status_code, 200)
+            self.assertEqual(list(response.streaming_content), [b"data"])
+
+    def test_download_invalid_signature(self):
+        with override_settings(
+            DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": self.root}
+        ):
+            url = reverse("djdt:debug_toolbar_download_prof_file")
+            # Tamper with the signature
+            response = self.client.get(url, {"path": self.signed_path + "bad"})
+            self.assertEqual(response.status_code, 404)
+
+    def test_download_missing_file(self):
+        with override_settings(
+            DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": self.root}
+        ):
+            url = reverse("djdt:debug_toolbar_download_prof_file")
+            # Sign a filename that doesn't exist
+            path = signing.dumps("missing.prof")
+            response = self.client.get(url, {"path": path})
+            self.assertEqual(response.status_code, 404)
+
+    def test_download_path_traversal(self):
+        with override_settings(
+            DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": self.root}
+        ):
+            url = reverse("djdt:debug_toolbar_download_prof_file")
+            # Sign a filename that traverses safely out of the root
+            path = signing.dumps("../passwd")
+            response = self.client.get(url, {"path": path})
+            self.assertEqual(response.status_code, 404)
+
+    def test_download_absolute_path(self):
+        with override_settings(
+            DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": self.root}
+        ):
+            url = reverse("djdt:debug_toolbar_download_prof_file")
+            # Create a file outside the root and try to access it via absolute path
+            with tempfile.NamedTemporaryFile() as tmp:
+                path = signing.dumps(tmp.name)
+                response = self.client.get(url, {"path": path})
+                self.assertEqual(response.status_code, 404)
+
+    def test_download_recursive_traversal(self):
+        with override_settings(
+            DEBUG_TOOLBAR_CONFIG={"PROFILER_PROFILE_ROOT": self.root}
+        ):
+            url = reverse("djdt:debug_toolbar_download_prof_file")
+            # Try a convoluted path that resolves outside
+            # e.g. root/subdir/../../outside_root
+            path = signing.dumps(os.path.join("subdir", "..", "..", "passwd"))
+            response = self.client.get(url, {"path": path})
+            self.assertEqual(response.status_code, 404)