From 41a13a0b077f7790cd84b4c75b8a2d896a3c9ebd Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 25 Jun 2025 18:22:20 +0530
Subject: [PATCH] fix: tighten function check in `validate_order_by_and_group_by`

Signed-off-by: Akhil Narang
---
 frappe/model/db_query.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index d264d69957..680524587b 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -1130,7 +1130,6 @@ from {tables}
 for field in parameters.split(","):
 field = field.strip()
- function = field.split("(", 1)[0].rstrip().lower()
 full_field_name = "." in field and field.startswith("`tab")
 if full_field_name:
@@ -1140,9 +1139,10 @@ from {tables}
 tbl = tbl[4:-1]
 frappe.throw(_("Please select atleast 1 column from {0} to sort/group").format(tbl))
- # Check if the function is used anywhere in the field
- if any(func in function for func in blacklisted_sql_functions):
- frappe.throw(_("Cannot use {0} in order/group by").format(function))
+ # Check for SQL function using regex with word boundaries and optional whitespace before parenthesis
+ for func in blacklisted_sql_functions:
+ if re.search(r"\b" + re.escape(func) + r"\s*\(", field.lower()):
+ frappe.throw(_("Cannot use {0} in order/group by").format(field))
 def add_limit(self):
 if self.limit_page_length:
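Review bot: The new loop in the second hunk builds a fresh pattern for every blacklisted function on every field and matches `func` verbatim against `field.lower()`, so any entry in `blacklisted_sql_functions` that is not already lowercase can never fire; building one alternation once, outside the per-field loop (at module level if `blacklisted_sql_functions` is a constant, which the hunk does not show), fixes both: `_BLACKLISTED_SQL_FUNC_RE = re.compile(r"\b(" + "|".join(map(re.escape, blacklisted_sql_functions)) + r")\s*\(", re.IGNORECASE)` and then `if _BLACKLISTED_SQL_FUNC_RE.search(field): frappe.throw(_("Cannot use {0} in order/group by").format(field))`. This also assumes `re` is already imported in db_query.py, which is outside the visible lines. The message now reflects the entire raw `field` back to the caller instead of only the name before the parenthesis, so if `frappe.throw` renders it as HTML the value should be escaped first (e.g. `frappe.utils.escape_html(field)`). The removal of `function` in the first hunk is consistent with this change, as its only visible use was the removed throw; `validate_order_by_and_group_by` starts before the first hunk and its remaining lines are not shown.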