Merge branch 'hotfix'

2018-10-31 10:36:54 +00:00 · 2018-10-31 10:36:54 +00:00 · a26dd436f5
commit a26dd436f5
parent acd190cf9e 977b5a118e
3 changed files with 23 additions and 3 deletions
--- a/frappe/init.py
+++ b/frappe/init.py
@ -14,7 +14,7 @@ import os, sys, importlib, inspect, json
 from .exceptions import *
 from .utils.jinja import get_jenv, get_template, render_template, get_email_from_template

-__version__ = '10.1.57'
+__version__ = '10.1.58'
 __title__ = "Frappe Framework"

 local = Local()
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@ -192,13 +192,21 @@ class DatabaseQuery(object):
 		'''

 		sub_query_regex = re.compile("^.*[,();].*")
-		blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case']
+		blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case',
+			'from', 'group', 'order', 'by']
 		blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce',
 			'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user',
 			'system_user', 'user', 'version']

 		def _raise_exception():
-			frappe.throw(_('Cannot use sub-query or function in fields'), frappe.DataError)
+			frappe.throw(_('Use of sub-query or function is restricted'), frappe.DataError)
+
+		def _is_query(field):
+			if re.compile("^(select|delete|update|drop|create)\s").match(field):
+				_raise_exception()
+
+			elif re.compile("\s*[a-zA-z]*\s*( from | group by | order by | where | join )").match(field):
+				_raise_exception()

 		for field in self.fields:
 			if sub_query_regex.match(field):
@ -217,6 +225,9 @@ class DatabaseQuery(object):
 			if re.compile('[a-zA-Z]+\s*,').match(field):
 				_raise_exception()

+			_is_query(field)
+
+
 	def extract_tables(self):
 		"""extract tables from fields"""
 		self.tables = ['`tab' + self.doctype + '`']
--- a/frappe/tests/test_db_query.py
+++ b/frappe/tests/test_db_query.py
@ -123,6 +123,15 @@ class TestReportview(unittest.TestCase):
 		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
 			fields=["name", "issingle,'"],limit_start=0, limit_page_length=1)

+		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+			fields=["name", "select * from tabSessions"],limit_start=0, limit_page_length=1)
+
+		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+			fields=["name", "issingle from --"],limit_start=0, limit_page_length=1)
+
+		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+			fields=["name", "issingle from tabDocType order by 2 --"],limit_start=0, limit_page_length=1)
+
 		data = DatabaseQuery("DocType").execute(fields=["name", "issingle", "count(name)"],
 			limit_start=0, limit_page_length=1)
 		self.assertTrue('count(name)' in data[0])