Merge pull request #33100 from akhilnarang/fix-orderby-function-check

fix: tighten function check in `validate_order_by_and_group_by`
This commit is contained in:
Akhil Narang 2025-07-07 18:19:23 +05:30 committed by GitHub
commit c895e8b387
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1129,8 +1129,9 @@ from {tables}
frappe.throw(_("Illegal SQL Query"))
for field in parameters.split(","):
if field.count('"') % 2 or field.count("'") % 2 or field.count("`") % 2:
frappe.throw(_("Invalid field name: {0}").format(field))
field = field.strip()
function = field.split("(", 1)[0].rstrip().lower()
full_field_name = "." in field and field.startswith("`tab")
if full_field_name:
@ -1140,9 +1141,10 @@ from {tables}
tbl = tbl[4:-1]
frappe.throw(_("Please select atleast 1 column from {0} to sort/group").format(tbl))
# Check if the function is used anywhere in the field
if any(func in function for func in blacklisted_sql_functions):
frappe.throw(_("Cannot use {0} in order/group by").format(function))
# Check for SQL function using regex with word boundaries and optional whitespace before parenthesis
for func in blacklisted_sql_functions:
if re.search(r"\b" + re.escape(func) + r"\s*\(", field.lower()):
frappe.throw(_("Cannot use {0} in order/group by").format(field))
def add_limit(self):
if self.limit_page_length:
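Review bot: The loop at the end of the second hunk rebuilds a regex per blacklisted function for every field, and the denylist is easier to audit if it is compiled once as a single alternation, e.g. `_BLACKLISTED_FUNC_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, blacklisted_sql_functions)) + r")\s*\(")` next to wherever `blacklisted_sql_functions` is defined, and then `if _BLACKLISTED_FUNC_RE.search(field.lower()): frappe.throw(_("Cannot use {0} in order/group by").format(field))`. With the old `any(func in function ...)` check removed, the `function = field.split("(", 1)[0].rstrip().lower()` assignment in the first hunk appears to have no remaining reader unless the lines between the two hunks reference it; if they do not, it should go. The comment on the new check should state what it does and does not guarantee, roughly: it now rejects a blacklisted function anywhere in the expression (including nested inside another call, which the old prefix-only check missed), but it is a denylist, so any function not in `blacklisted_sql_functions` still passes and the earlier "Illegal SQL Query" check remains the primary guard. `validate_order_by_and_group_by` begins before the first hunk, and `add_limit` starting on the last two lines continues past it.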