vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fix: dont allow partial backticks

Browse source 
- add tests
This commit is contained in:
Faris Ansari 2025-05-23 21:46:19 +05:30
parent 3f65806a0b
commit 840e7991ce
2 changed files with 14 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
frappe/database/query.py
View file

@ -29,12 +29,12 @@ TABLE_NAME_PATTERN = re.compile(r"^[\w -]*$", flags=re.ASCII)
# Pattern to validate field names in SELECT:
# Allows: name, `name`, name as alias, `name` as alias, `table name`.`name`, `table name`.`name` as alias, table.name, table.name as alias
ALLOWED_FIELD_PATTERN = re.compile(r"^(?:`?[\w\s-]+`?\.)?(`?\w+`?|\w+)(?:\s+as\s+\w+)?$", flags=re.ASCII)
ALLOWED_FIELD_PATTERN = re.compile(r"^(?:(`[\w\s-]+`|\w+)\.)?(`\w+`|\w+)(?:\s+as\s+\w+)?$", flags=re.ASCII)
# Pattern to validate field names used in various SQL clauses (WHERE, GROUP BY, ORDER BY):
# Allows simple field names, backticked names, and table-qualified names (e.g., name, `name`, `table`.`name`, table.name)
# Does NOT allow aliases ('as alias') or functions.
ALLOWED_SQL_FIELD_PATTERN = re.compile(r"^(?:`?\w+`?\.)?(`?\w+`?|\w+)$", flags=re.ASCII)
ALLOWED_SQL_FIELD_PATTERN = re.compile(r"^(?:(`\w+`|\w+)\.)?(`\w+`|\w+)$", flags=re.ASCII)
# Regex to parse field names:
# Group 1: Optional quote for table name
@ -1331,6 +1331,3 @@ class CombinedRawCriterion(RawCriterion):
left_sql = self.left.get_sql(**kwargs) if hasattr(self.left, "get_sql") else str(self.left)
right_sql = self.right.get_sql(**kwargs) if hasattr(self.right, "get_sql") else str(self.right)
return f"({left_sql}) {self.operator} ({right_sql})"
left_sql = self.left.get_sql(**kwargs) if hasattr(self.left, "get_sql") else str(self.left)
right_sql = self.right.get_sql(**kwargs) if hasattr(self.right, "get_sql") else str(self.right)
return f"({left_sql}) {self.operator} ({right_sql})"

12
frappe/tests/test_query.py
View file

@ -150,6 +150,7 @@ class TestQuery(IntegrationTestCase):
"tabUser.name as alias",
"`tabUser`.`name` as alias",
"*",
"`tabHas Role`.`name`",
]
invalid_fields = [
"name; DROP TABLE users",
@ -169,6 +170,12 @@ class TestQuery(IntegrationTestCase):
"SUM(amount) as total",
"COUNT(name) as alias; SELECT 1",
"COUNT(name;)",
"`name",
"name`",
"`tabUser.name`",
"tabUser.`name",
"tabUser`.`name`",
"tab`User.name",
]
for field in valid_fields:
@ -208,6 +215,11 @@ class TestQuery(IntegrationTestCase):
"`table`.`invalid-field`",
"field with space",
"`field with space`",
"`name`",
"`name",
"name`",
"tabUser.`name`",
"`tabUser.name`",
]
for field in valid_fields: