From a1e68b6fd5617b70ba4c163ac1b84851fbd17aeb Mon Sep 17 00:00:00 2001
From: Saurabh
Date: Wed, 31 Oct 2018 14:26:22 +0530
Subject: [PATCH 1/3] [fix] potential sql injection by sanitizing fields parameter
---
 frappe/model/db_query.py | 15 +++++++++++++--
 frappe/tests/test_db_query.py | 9 +++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 9413980506..1d241db443 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -192,13 +192,21 @@ class DatabaseQuery(object):
 '''
 sub_query_regex = re.compile("^.*[,();].*")
- blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case']
+ blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case',
+ 'from', 'group', 'order', 'by']
 blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce', 'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user', 'system_user', 'user', 'version']
 def _raise_exception():
- frappe.throw(_('Cannot use sub-query or function in fields'), frappe.DataError)
+ frappe.throw(_('Use of sub-query or function is restricted'), frappe.DataError)
+
+ def _is_query(field):
+ if re.compile("^(select|delete|update|drop|create)\s").match(field):
+ _raise_exception()
+
+ elif re.compile("\s*[a-zA-z]*\s*( from | group by | order by | where | join )").match(field):
+ _raise_exception()
 for field in self.fields:
 if sub_query_regex.match(field):
@@ -217,6 +225,9 @@ class DatabaseQuery(object):
 if re.compile('[a-zA-Z]+\s*,').match(field):
 _raise_exception()
+ _is_query(field)
+
+
 def extract_tables(self):
 """extract tables from fields"""
 self.tables = ['`tab' + self.doctype + '`']
diff --git a/frappe/tests/test_db_query.py b/frappe/tests/test_db_query.py
index 28b608f08e..d07dfc4f07 100644
--- a/frappe/tests/test_db_query.py
+++ b/frappe/tests/test_db_query.py
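Review bot: The second pattern in `_is_query` uses the character class `[a-zA-z]`, which reads as a typo for `[a-zA-Z]`: the `A-z` range also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the class is looser than intended. Both new patterns are also compiled without `re.IGNORECASE`, so they only recognise lower-case keywords, whereas the `blacklisted_keywords` list a few lines up is written entirely in lower case, which suggests the existing checks normalise case before comparing and that the new check is weaker than its neighbours. Changing the two conditions to `if re.compile(r"^(select|delete|update|drop|create)\s", re.IGNORECASE).match(field):` and `elif re.compile(r"\s*[a-zA-Z]*\s*( from | group by | order by | where | join )", re.IGNORECASE).match(field):` closes both gaps and turns the `\s` escapes into raw strings. Since `_is_query` runs once per field, the two compiles would be better hoisted next to `sub_query_regex` than rebuilt on every call. The enclosing method starts before this hunk; its docstring closes on the hunk's first context line.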
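Review bot: The two added blank lines after `_is_query(field)` leave at least two blank lines before `def extract_tables(self):`, where the old side had exactly one; dropping one of the `+` blank lines keeps the method spacing consistent with the rest of the class. Appending the call as the last statement of the loop body is otherwise fine, since `_raise_exception` ends processing via `frappe.throw` and nothing after the call depends on a result. The `for field in self.fields:` loop and the enclosing method begin before this hunk.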
@@ -123,6 +123,15 @@ class TestReportview(unittest.TestCase):
 self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute, fields=["name", "issingle,'"],limit_start=0, limit_page_length=1)
+ self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+ fields=["name", "select * from tabSessions"],limit_start=0, limit_page_length=1)
+
+ self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+ fields=["name", "issingle from --"],limit_start=0, limit_page_length=1)
+
+ self.assertRaises(frappe.DataError, DatabaseQuery("DocType").execute,
+ fields=["name", "issingle from tabDocType order by 2 --"],limit_start=0, limit_page_length=1)
+
 data = DatabaseQuery("DocType").execute(fields=["name", "issingle", "count(name)"], limit_start=0, limit_page_length=1)
 self.assertTrue('count(name)' in data[0])
From 977b5a118ecb80b8d1db9c1b900d223a95a8eecf Mon Sep 17 00:00:00 2001
From: Ameya Shenoy
Date: Wed, 31 Oct 2018 10:36:54 +0000
Subject: [PATCH 2/3] bumped to version 10.1.58
---
 frappe/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/__init__.py b/frappe/__init__.py
index f16c05270e..181f236692 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
@@ -14,7 +14,7 @@ import os, sys, importlib, inspect, json
 from .exceptions import *
 from .utils.jinja import get_jenv, get_template, render_template, get_email_from_template
-__version__ = '10.1.57'
+__version__ = '10.1.58'
 __title__ = "Frappe Framework"
 local = Local()
From 0fb1df0964f7c2f97338c1c9bff22957ebad9aa4 Mon Sep 17 00:00:00 2001
From: Ameya Shenoy
Date: Wed, 31 Oct 2018 10:46:24 +0000
Subject: [PATCH 3/3] bumped to version 11.0.3-beta.18
---
 frappe/hooks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/hooks.py b/frappe/hooks.py
index c756f9098d..965d3363ca 100644
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
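Review bot: All three new inputs spell the keywords in lower case, so these assertions would not notice if the `_is_query` patterns added in db_query.py were ever matched case-sensitively; adding a mixed-case twin of the first case, `fields=["name", "SELECT * from tabSessions"]`, pins that the rejection does not depend on case. The twin is a one-line copy of the existing `assertRaises(frappe.DataError, ...)` call with only the keyword changed, so it costs nothing to maintain. The test method continues outside this hunk.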
@@ -12,7 +12,7 @@ source_link = "https://github.com/frappe/frappe"
 app_license = "MIT"
 develop_version = '11.x.x-develop'
-staging_version = '11.0.3-beta.17'
+staging_version = '11.0.3-beta.18'
 app_email = "info@frappe.io"