From 8d62e4de01f4e29f2b7b212a9d9f1365af1f82bd Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 9 Jul 2025 17:39:53 +0530
Subject: [PATCH 1/3] Revert "fix(db_query): don't allow unclosed quotes"

This reverts commit 6e6150d193cc9c1256b3627fc388a33bb93e7e9b.
---
 frappe/model/db_query.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index afeefadbab..680524587b 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -1129,8 +1129,6 @@ from {tables}
 frappe.throw(_("Illegal SQL Query"))
 for field in parameters.split(","):
- if field.count('"') % 2 or field.count("'") % 2 or field.count("`") % 2:
- frappe.throw(_("Invalid field name: {0}").format(field))
 field = field.strip()
 full_field_name = "." in field and field.startswith("`tab")
From 0934d5117dc2dfeccaac6f902fe3aa8c2f5d2666 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 9 Jul 2025 17:46:30 +0530
Subject: [PATCH 2/3] fix: strengthen subquery check

Signed-off-by: Akhil Narang
---
 frappe/model/db_query.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 680524587b..8e6240bafa 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -1117,17 +1117,24 @@ from {tables}
 if not parameters:
 return
- blacklisted_sql_functions = {
- "sleep",
- }
 _lower = parameters.lower()
- if "select" in _lower and "from" in _lower:
- frappe.throw(_("Cannot use sub-query in order by"))
-
 if ORDER_GROUP_PATTERN.match(_lower):
 frappe.throw(_("Illegal SQL Query"))
+ subquery_indicators = {
+ r"union",
+ r"intersect",
+ r"select\b.*\bfrom",
+ }
+
+ if any(re.search("\b" + pattern + "\b", _lower) for pattern in subquery_indicators):
+ frappe.throw(_("Cannot use sub-query here."))
+
+ blacklisted_sql_functions = {
+ "sleep",
+ }
+
 for field in parameters.split(","):
 field = field.strip()
 full_field_name = "." in field and field.startswith("`tab")
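Review bot: The new subquery guard in this hunk is inert, because `"\b" + pattern + "\b"` uses plain (non-raw) string literals, so each `\b` is the backspace character U+0008 rather than a word boundary; `re.search` then looks for `\x08union\x08` and the like, which never matches ordinary input, so `union` and `select ... from` pass straight through and this is a regression against the substring check the same hunk removes. Use raw strings for the boundaries, or fold them into the patterns: `subquery_indicators = (r"\bunion\b", r"\bintersect\b", r"\bselect\b.*\bfrom\b")` and `if any(re.search(pattern, _lower, re.DOTALL) for pattern in subquery_indicators):`. The `re.DOTALL` matters because `.*` does not cross a newline, so `select x\nfrom tabUser` would otherwise slip past even once the boundary bug is fixed. A test that passes `"(select 1 from tabUser)"` to this method and expects a throw would have caught the dead check; the enclosing method's signature is outside the hunk.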
@@ -1141,7 +1148,7 @@ from {tables}
 # Check for SQL function using regex with word boundaries and optional whitespace before parenthesis
 for func in blacklisted_sql_functions:
- if re.search(r"\b" + re.escape(func) + r"\s*\(", field.lower()):
+ if re.search(r"\b" + re.escape(func) + r"\W*\(", field.lower()):
 frappe.throw(_("Cannot use {0} in order/group by").format(field))
 def add_limit(self):
From ce4f7f741883692602b86fa02339059167a9c25f Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Tue, 15 Jul 2025 15:51:13 +0530
Subject: [PATCH 3/3] chore: extend function blacklist

Signed-off-by: Akhil Narang
---
 frappe/model/db_query.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 8e6240bafa..fcb38a5ea2 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -1133,6 +1133,14 @@ from {tables}
 blacklisted_sql_functions = {
 "sleep",
+ "benchmark",
+ "extractvalue",
+ "database",
+ "user",
+ "current_user",
+ "version",
+ "substr",
+ "substring",
 }
 for field in parameters.split(","):
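Review bot: The widened `\W*\(` on the changed line still lets a comment that contains word characters sit between the function name and its parenthesis, e.g. `sleep/*x*/(1)`, which MySQL treats as whitespace as far as I know, so the call is not caught unless ORDER_GROUP_PATTERN (outside this hunk) already rejects `/*` sequences; stripping `/*...*/` comments from the field before matching, or rejecting them outright in ORDER/GROUP BY, would close that. Separately, the pattern `r"\b" + re.escape(func) + r"\W*\("` is rebuilt for every field and every blacklisted name although the set is fixed; compile one alternation before the loop, `blocked_call = re.compile(r"\b(?:" + "|".join(map(re.escape, blacklisted_sql_functions)) + r")\W*\(")`, and test `blocked_call.search(field.lower())` inside it. The stale comment above the loop says "optional whitespace before parenthesis"; it should now read `# any non-word run (whitespace, comment delimiters) between the name and its parenthesis`. The enclosing method starts outside the hunk.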
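Review bot: The extended denylist in this hunk leaves obvious siblings of the names it adds unblocked: `updatexml` (the other error-based XML function next to `extractvalue`), `mid`/`left`/`right` (equivalents of `substr`), `session_user`/`system_user`/`schema` (equivalents of `user`/`database`), and `if`/`ascii`/`ord`, which together are what blind inference in an ORDER BY actually uses. Adding `"updatexml", "mid", "left", "right", "session_user", "system_user", "schema",` narrows the gap, but a name denylist cannot close boolean inference via `CASE WHEN ... END`, which needs no function call at all, so an allowlist of permitted functions, or checking each field against the doctype's known columns, is the robust shape. Blocking `substr`/`substring` is also, presumably, a behaviour change for callers that legitimately sort on a substring; confirm nobody depends on it. A comment on the set, `# best-effort denylist of inference/timing primitives; an allowlist is the real fix`, would make the intended scope clear.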