fix(db_query): Disallow usage of certain functions in *_by #18981

Merged
Codecov Report

Coverage Diff:

| | develop | #18981 | +/- |
|---|---|---|---|
| Coverage | 63.55% | 63.55% | -0.01% |
| Files | 750 | 750 | |
| Lines | 67622 | 67682 | +60 |
| Branches | 6027 | 6027 | |
| Hits | 42978 | 43014 | +36 |
| Misses | 21229 | 21253 | +24 |
| Partials | 3415 | 3415 | |

Flags with carried forward coverage won't be shown.
Changes:

- allow only functions that are not blacklisted in *_by clause: currently just sleep
- perf improvements: lower, in, split, strip & other low hanging micro optimizations

Handle the following use cases:

- upper/lower case function usages
- spaces between function name and brackets
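A check of the kind the commit message describes, written here as an added illustration rather than the Frappe project's own code: the function names, the exception class and the sample clauses are constructed for this example. It handles the two cases the message lists (mixed case, whitespace between the name and the bracket) and, going one step further, also finds the blacklisted call when it is nested inside another function.

```python
from __future__ import annotations

import re

# Added example, not Frappe's implementation: a standalone validator for the
# order_by / group_by fragments an application splices into SQL from caller input.

# As the commit message states, the blacklist currently holds only sleep.
BLACKLISTED_SQL_FUNCTIONS = frozenset({"sleep"})

# An identifier followed by an opening bracket, with any whitespace in between,
# so "sleep(1)", "SLEEP (1)" and "coalesce(sleep(1), 0)" all yield a "sleep" match.
# A bare column that happens to be called "sleep" (no bracket) is not a call.
_FUNCTION_CALL = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*\(")


class DisallowedFunction(ValueError):
    """Raised when a blacklisted SQL function appears in an *_by clause."""


def function_calls(clause: str) -> list[str]:
    """Return the lowercase names of every function call found in the clause."""
    return [m.group(1).lower() for m in _FUNCTION_CALL.finditer(clause)]


def validate_by_clause(clause: str | None) -> str | None:
    """Return the clause unchanged, or raise if any call targets a blacklisted function."""
    if not clause:
        return clause
    for name in function_calls(clause):
        if name in BLACKLISTED_SQL_FUNCTIONS:
            raise DisallowedFunction(
                f"function {name!r} is not allowed in order_by/group_by"
            )
    return clause


def is_allowed(clause: str) -> bool:
    """Boolean form of validate_by_clause for callers that prefer not to catch."""
    try:
        validate_by_clause(clause)
    except DisallowedFunction:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample clauses: ordinary ones pass, variants of the blocked call do not.
    samples = [
        "modified desc",
        "lower(name), creation",
        "sleep asc",
        "sleep(1)",
        "SLEEP (1)",
        "coalesce(sleep(1), 0) desc",
    ]
    for sample in samples:
        verdict = "allowed" if is_allowed(sample) else "rejected"
        print(f"{sample!r:32} -> {verdict}")
```

The regex deliberately errs on the side of rejection: a backtick-quoted column whose name contains `sleep(` would also be refused, which is the safer failure for a fragment that reaches the database unparameterized.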
ankush approved these changes on Nov 28, 2022.
mergify bot pushed a commit that referenced this pull request on Dec 6, 2022:

* fix(db_query): Disallow blacklisted functions in (order|group)_by

Changes:
- allow only functions that are not blacklisted in *_by clause: currently just sleep
- perf improvements: lower, in, split, strip & other low hanging micro optimizations

Handle the following use cases:
- upper/lower case function usages
- spaces between function name and brackets

* test(db_query): Add tests for *_by checks

(cherry picked from commit 6062d81)
ankush pushed a commit that referenced this pull request on Dec 6, 2022:

…19135)

* fix(db_query): Disallow blacklisted functions in (order|group)_by

Changes:
- allow only functions that are not blacklisted in *_by clause: currently just sleep
- perf improvements: lower, in, split, strip & other low hanging micro optimizations

Handle the following use cases:
- upper/lower case function usages
- spaces between function name and brackets

* test(db_query): Add tests for *_by checks

(cherry picked from commit 6062d81)

Co-authored-by: gavin <gavin18d@gmail.com>
ankush pushed a commit that referenced this pull request on Dec 6, 2022:

…19134)

* fix(db_query): Disallow blacklisted functions in (order|group)_by

Changes:
- allow only functions that are not blacklisted in *_by clause: currently just sleep
- perf improvements: lower, in, split, strip & other low hanging micro optimizations

Handle the following use cases:
- upper/lower case function usages
- spaces between function name and brackets

* test(db_query): Add tests for *_by checks

(cherry picked from commit 6062d81)

Co-authored-by: gavin <gavin18d@gmail.com>
frappe-pr-bot pushed a commit that referenced this pull request on Dec 6, 2022:

# [14.18.0](v14.17.1...v14.18.0) (2022-12-06)

### Bug Fixes

* attribute error on export of reports with additional columns ([#19105](#19105)) ([2b43d5b](2b43d5b))
* check for bad zip files during unzipping in file doctype ([#19058](#19058)) ([#19060](#19060)) ([96c928e](96c928e))
* **db_query:** Disallow usage of certain functions in *_by ([#18981](#18981)) ([#19135](#19135)) ([5376755](5376755))
* **db_query:** Space resilient sanitization (backport [#18996](#18996)) ([#19045](#19045)) ([ab8422f](ab8422f))
* disable signups by default (backport [#19114](#19114)) ([#19118](#19118)) ([3dd2775](3dd2775))
* do not escape undefined txt ([86267e9](86267e9))
* empty search shows `None` ([#19055](#19055)) ([#19057](#19057)) ([1cd0bc2](1cd0bc2))
* ensure correct parenttype when retrieving roles ([af55da9](af55da9))
* give more weight to sequential matches ([#19121](#19121)) ([#19122](#19122)) ([16f642f](16f642f))
* ignore empty/`None` scripts ([#19111](#19111)) ([#19113](#19113)) ([2a96757](2a96757))
* keep actions on right ([7d3e47b](7d3e47b))
* LDAP - check each email in list before creating user ([250f787](250f787))
* only check for special characters in fieldname ([#19061](#19061)) ([#19065](#19065)) ([de0facc](de0facc)), closes [#18965](#18965)
* only System Manager can access Google Drive ([05be9ee](05be9ee))
* Optimize check field type is tab break if the doctype has a workflow ([#18858](#18858)) ([d9ce6c1](d9ce6c1))
* site creation using non-root users ([#19014](#19014)) ([#19043](#19043)) ([844e744](844e744))
* socketio spawn error ([#19070](#19070)) ([#19071](#19071)) ([75a54eb](75a54eb))
* type conversion for read receipt in communication email ([e0f7dd4](e0f7dd4))
* use permtype from passed arguments in has_web_form_permission when applying document permissions ([91c99d2](91c99d2))
* use webform doctype rather than allowing user to pass any doctype ([2be3178](2be3178))
* **UX:** freeze on delete ([#19094](#19094)) ([dd4791a](dd4791a))
* **UX:** Make fetch_from read_only if fetch_is_empty is not set ([#19025](#19025)) ([#19041](#19041)) ([feed227](feed227))
* Widget control on dashboard chart breaks on smaller screens ([d6dedca](d6dedca))

### Features

* **workers:** many small RQ worker features (backport [#18995](#18995)) ([#19046](#19046)) ([37dbada](37dbada))
frappe-pr-bot pushed a commit that referenced this pull request on Dec 7, 2022:

## [13.45.3](v13.45.2...v13.45.3) (2022-12-07)

### Bug Fixes

* **db_query:** Disallow usage of certain functions in *_by ([#18981](#18981)) ([#19134](#19134)) ([208d2e3](208d2e3))
* **db_query:** Space resilient sanitization (backport [#18996](#18996)) ([#19044](#19044)) ([a0b9bb4](a0b9bb4))
* disable signups by default (backport [#19114](#19114)) ([#19117](#19117)) ([1a67a41](1a67a41))
* empty search shows `None` ([#19055](#19055)) ([#19056](#19056)) ([7cd4dd4](7cd4dd4))
* ensure correct parenttype when retrieving roles ([59c61a9](59c61a9))
* ignore empty/`None` scripts ([#19111](#19111)) ([#19112](#19112)) ([2f21d24](2f21d24))
* keep actions on right ([86353aa](86353aa))
* LDAP - check each email in list before creating user ([f935383](f935383))
* merge conflict ([adcfdc7](adcfdc7))
* only check for special characters in fieldname (backport [#19061](#19061)) ([#19067](#19067)) ([f68f161](f68f161)), closes [#18965](#18965) [#18909](#18909)
* only System Manager can access Google Drive ([dbf7287](dbf7287))
* **security:** validate web form permissions correctly (backport [#19088](#19088)) ([#19108](#19108)) ([553408e](553408e))
* type conversion for read receipt in communication email ([5c55536](5c55536))
* **UX:** freeze on delete (backport [#19094](#19094)) ([#19106](#19106)) ([851a803](851a803))
* **UX:** Make fetch_from read_only if fetch_is_empty is not set ([#19025](#19025)) ([0102b53](0102b53))
* Widget control on dashboard chart breaks on smaller screens ([62ad75c](62ad75c))
SaiFi0102 pushed a commit to ParaLogicTech/frappe that referenced this pull request on Dec 16, 2022:

) (frappe#19135)

* fix(db_query): Disallow blacklisted functions in (order|group)_by

Changes:
- allow only functions that are not blacklisted in *_by clause: currently just sleep
- perf improvements: lower, in, split, strip & other low hanging micro optimizations

Handle the following use cases:
- upper/lower case function usages
- spaces between function name and brackets

* test(db_query): Add tests for *_by checks

(cherry picked from commit 6062d81)

Co-authored-by: gavin <gavin18d@gmail.com>
SaiFi0102 pushed a commit to ParaLogicTech/frappe that referenced this pull request on Dec 16, 2022:

# [14.18.0](frappe/frappe@v14.17.1...v14.18.0) (2022-12-06)

### Bug Fixes

* attribute error on export of reports with additional columns ([frappe#19105](frappe#19105)) ([2b43d5b](frappe@2b43d5b))
* check for bad zip files during unzipping in file doctype ([frappe#19058](frappe#19058)) ([frappe#19060](frappe#19060)) ([96c928e](frappe@96c928e))
* **db_query:** Disallow usage of certain functions in *_by ([frappe#18981](frappe#18981)) ([frappe#19135](frappe#19135)) ([5376755](frappe@5376755))
* **db_query:** Space resilient sanitization (backport [frappe#18996](frappe#18996)) ([frappe#19045](frappe#19045)) ([ab8422f](frappe@ab8422f))
* disable signups by default (backport [frappe#19114](frappe#19114)) ([frappe#19118](frappe#19118)) ([3dd2775](frappe@3dd2775))
* do not escape undefined txt ([86267e9](frappe@86267e9))
* empty search shows `None` ([frappe#19055](frappe#19055)) ([frappe#19057](frappe#19057)) ([1cd0bc2](frappe@1cd0bc2))
* ensure correct parenttype when retrieving roles ([af55da9](frappe@af55da9))
* give more weight to sequential matches ([frappe#19121](frappe#19121)) ([frappe#19122](frappe#19122)) ([16f642f](frappe@16f642f))
* ignore empty/`None` scripts ([frappe#19111](frappe#19111)) ([frappe#19113](frappe#19113)) ([2a96757](frappe@2a96757))
* keep actions on right ([7d3e47b](frappe@7d3e47b))
* LDAP - check each email in list before creating user ([250f787](frappe@250f787))
* only check for special characters in fieldname ([frappe#19061](frappe#19061)) ([frappe#19065](frappe#19065)) ([de0facc](frappe@de0facc)), closes [frappe#18965](frappe#18965)
* only System Manager can access Google Drive ([05be9ee](frappe@05be9ee))
* Optimize check field type is tab break if the doctype has a workflow ([frappe#18858](frappe#18858)) ([d9ce6c1](frappe@d9ce6c1))
* site creation using non-root users ([frappe#19014](frappe#19014)) ([frappe#19043](frappe#19043)) ([844e744](frappe@844e744))
* socketio spawn error ([frappe#19070](frappe#19070)) ([frappe#19071](frappe#19071)) ([75a54eb](frappe@75a54eb))
* type conversion for read receipt in communication email ([e0f7dd4](frappe@e0f7dd4))
* use permtype from passed arguments in has_web_form_permission when applying document permissions ([91c99d2](frappe@91c99d2))
* use webform doctype rather than allowing user to pass any doctype ([2be3178](frappe@2be3178))
* **UX:** freeze on delete ([frappe#19094](frappe#19094)) ([dd4791a](frappe@dd4791a))
* **UX:** Make fetch_from read_only if fetch_is_empty is not set ([frappe#19025](frappe#19025)) ([frappe#19041](frappe#19041)) ([feed227](frappe@feed227))
* Widget control on dashboard chart breaks on smaller screens ([d6dedca](frappe@d6dedca))

### Features

* **workers:** many small RQ worker features (backport [frappe#18995](frappe#18995)) ([frappe#19046](frappe#19046)) ([37dbada](frappe@37dbada))