vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fix: tighten function check in validate_order_by_and_group_by

Browse source 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
This commit is contained in:
Akhil Narang 2025-06-25 18:22:20 +05:30
parent 57067b9af7
commit 41a13a0b07
No known key found for this signature in database
GPG key ID: 9DCC61E211BF645F
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
frappe/model/db_query.py
View file

@ -1130,7 +1130,6 @@ from {tables}
for field in parameters.split(","):
field = field.strip()
function = field.split("(", 1)[0].rstrip().lower()
full_field_name = "." in field and field.startswith("`tab")
if full_field_name:
@ -1140,9 +1139,10 @@ from {tables}
tbl = tbl[4:-1]
frappe.throw(_("Please select atleast 1 column from {0} to sort/group").format(tbl))
# Check if the function is used anywhere in the field
if any(func in function for func in blacklisted_sql_functions):
frappe.throw(_("Cannot use {0} in order/group by").format(function))
# Check for SQL function using regex with word boundaries and optional whitespace before parenthesis
for func in blacklisted_sql_functions:
if re.search(r"\b" + re.escape(func) + r"\s*\(", field.lower()):
frappe.throw(_("Cannot use {0} in order/group by").format(field))
def add_limit(self):
if self.limit_page_length: