Merge branch 'staging-fixes' into staging

2018-10-31 10:46:24 +00:00 · 2018-10-31 10:46:24 +00:00 · ca72c772f1
commit ca72c772f1
parent 334859a334 0fb1df0964
4 changed files with 24 additions and 4 deletions
--- a/frappe/init.py
+++ b/frappe/init.py
@ -17,7 +17,7 @@ from faker import Faker
 from .exceptions import *
 from .utils.jinja import (get_jenv, get_template, render_template, get_email_from_template, get_jloader)

-__version__ = '10.1.57'
+__version__ = '10.1.58'
 __title__ = "Frappe Framework"

 local = Local()
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
@ -12,7 +12,7 @@ source_link = "https://github.com/frappe/frappe"
 app_license = "MIT"

 develop_version = '11.x.x-develop'
-staging_version = '11.0.3-beta.17'
+staging_version = '11.0.3-beta.18'

 app_email = "info@frappe.io"

--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@ -191,13 +191,21 @@ class DatabaseQuery(object):
 		'''

 		sub_query_regex = re.compile("^.*[,();].*")
-		blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case']
+		blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case',
+			'from', 'group', 'order', 'by']
 		blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce',
 			'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user',
 			'system_user', 'user', 'version']

 		def _raise_exception():
-			frappe.throw(_('Cannot use sub-query or function in fields'), frappe.DataError)
+			frappe.throw(_('Use of sub-query or function is restricted'), frappe.DataError)
+
+		def _is_query(field):
+			if re.compile("^(select|delete|update|drop|create)\s").match(field):
+				_raise_exception()
+
+			elif re.compile("\s*[a-zA-z]*\s*( from | group by | order by | where | join )").match(field):
+				_raise_exception()

 		for field in self.fields:
 			if sub_query_regex.match(field):
@ -216,6 +224,9 @@ class DatabaseQuery(object):
 			if re.compile('[a-zA-Z]+\s*,').match(field):
 				_raise_exception()

+			_is_query(field)
+
+
 	def extract_tables(self):
 		"""extract tables from fields"""
 		self.tables = ['`tab' + self.doctype + '`']
--- a/frappe/tests/test_db_query.py
+++ b/frappe/tests/test_db_query.py
@ -124,6 +124,15 @@ class TestReportview(unittest.TestCase):
 		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
 			fields=["name", "issingle,'"],limit_start=0, limit_page_length=1)

+		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+			fields=["name", "select * from tabSessions"],limit_start=0, limit_page_length=1)
+
+		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+			fields=["name", "issingle from --"],limit_start=0, limit_page_length=1)
+
+		self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+			fields=["name", "issingle from tabDocType order by 2 --"],limit_start=0, limit_page_length=1)
+
 		data = DatabaseQuery("DocType").execute(fields=["name", "issingle", "count(name)"],
 			limit_start=0, limit_page_length=1)
 		self.assertTrue('count(name)' in data[0])