From 4d9be26ada8669b97ea4a5cfc6bfcabaedf0976c Mon Sep 17 00:00:00 2001
From: Daizy Modi
Date: Wed, 14 Dec 2022 16:05:56 +0530
Subject: [PATCH] fix: use stricter regex for `sanitize_searchfield`
---
 frappe/desk/search.py | 35 ++++-------------------------------
 1 file changed, 4 insertions(+), 31 deletions(-)
diff --git a/frappe/desk/search.py b/frappe/desk/search.py
index 4843219179..446f842a0b 100644
--- a/frappe/desk/search.py
+++ b/frappe/desk/search.py
@@ -7,45 +7,18 @@ import re
 import frappe
 from frappe import _, is_whitelisted
+from frappe.database.schema import SPECIAL_CHAR_PATTERN
 from frappe.permissions import has_permission
 from frappe.utils import cint, cstr, unique
 def sanitize_searchfield(searchfield):
- blacklisted_keywords = ["select", "delete", "drop", "update", "case", "and", "or", "like"]
+ if not searchfield:
+ return
- def _raise_exception(searchfield):
+ if SPECIAL_CHAR_PATTERN.search(searchfield):
 frappe.throw(_("Invalid Search Field {0}").format(searchfield), frappe.DataError)
- if len(searchfield) == 1:
- # do not allow special characters to pass as searchfields
- regex = re.compile(r'^.*[=;*,\'"$\-+%#@()_].*')
- if regex.match(searchfield):
- _raise_exception(searchfield)
-
- if len(searchfield) >= 3:
-
- # to avoid 1=1
- if "=" in searchfield:
- _raise_exception(searchfield)
-
- # in mysql -- is used for commenting the query
- elif " --" in searchfield:
- _raise_exception(searchfield)
-
- # to avoid and, or and like
- elif any(f" {keyword} " in searchfield.split() for keyword in blacklisted_keywords):
- _raise_exception(searchfield)
-
- # to avoid select, delete, drop, update and case
- elif any(keyword in searchfield.split() for keyword in blacklisted_keywords):
- _raise_exception(searchfield)
-
- else:
- regex = re.compile(r'^.*[=;*,\'"$\-+%#@()].*')
- if any(regex.match(f) for f in searchfield.split()):
- _raise_exception(searchfield)
-
 # this is called by the Link Field
 @frappe.whitelist()
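Review bot: The rewritten `sanitize_searchfield` now delegates the entire accept/reject decision to `SPECIAL_CHAR_PATTERN`, whose definition lives in `frappe.database.schema` and is not visible in this hunk, so the function no longer says what it accepts; a docstring should pin the contract, along the lines of `"""Reject *searchfield* unless it is a bare identifier acceptable as a column name; raises frappe.DataError otherwise."""`, worded to match what the shared pattern actually matches. If that pattern is the column-name validator, multi-token inputs that the removed `searchfield.split()` branches tolerated (space- or comma-separated field lists) are now rejected outright, which is a deliberate tightening but a caller-visible behaviour change worth stating in the commit message. The new `if not searchfield: return` lets `None` and `""` through silently, which is only safe if every caller treats an unset searchfield as "use the default", and a non-string value would now surface as a bare `TypeError` from `.search` rather than the `frappe.DataError` callers presumably catch. The `import re` shown in the hunk header may be unused in this file once the two `re.compile` calls are gone; the function itself starts and ends inside the hunk.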