From dffd78d3fca385dc4e5ee536beae93099746cdff Mon Sep 17 00:00:00 2001
From: Deepesh Garg
Date: Mon, 27 Sep 2021 12:02:31 +0530
Subject: [PATCH] fix: Validate server script for doc events
---
 frappe/core/doctype/server_script/server_script.py | 9 +++++++++
 frappe/utils/safe_exec.py | 10 ++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/frappe/core/doctype/server_script/server_script.py b/frappe/core/doctype/server_script/server_script.py
index 79fe7a9140..8aa2dd0bae 100644
--- a/frappe/core/doctype/server_script/server_script.py
+++ b/frappe/core/doctype/server_script/server_script.py
@@ -11,6 +11,8 @@ from frappe.model.document import Document
 from frappe.utils.safe_exec import get_safe_globals, safe_exec, NamespaceDict
 from frappe import _
+import re
+
 class ServerScript(Document):
 def validate(self):
@@ -94,8 +96,15 @@ class ServerScript(Document):
 Args:
 doc (Document): Executes script with for a certain document's events
 """
+ self.validate_script_for_doc_events()
 safe_exec(self.script, _locals={"doc": doc})
+ def validate_script_for_doc_events(self):
+ for line in self.script.splitlines():
+ line = line.strip()
+ if not line.startswith('#') and "frappe.db.commit()" in line:
+ frappe.throw(_("Commit cannot be used in DocType Event server script"))
+
 def execute_scheduled_method(self):
 """Specific to Scheduled Jobs via Server Scripts
diff --git a/frappe/utils/safe_exec.py b/frappe/utils/safe_exec.py
index 1c09a17a66..6f9398745e 100644
--- a/frappe/utils/safe_exec.py
+++ b/frappe/utils/safe_exec.py
@@ -116,8 +116,7 @@ def get_safe_globals():
 socketio_port=frappe.conf.socketio_port,
 get_hooks=frappe.get_hooks,
 sanitize_html=frappe.utils.sanitize_html,
- log_error=frappe.log_error,
- cache=frappe.cache
+ log_error=frappe.log_error
 ),
 FrappeClient=FrappeClient,
 style=frappe._dict(
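Review bot: `validate_script_for_doc_events` (server_script.py, second hunk) decides by searching each line for the literal text `frappe.db.commit()`, so it works as a lint and not as an enforcement boundary: the same function reached under any other spelling is not seen, and a line that only mentions the call in a trailing comment or a string is rejected. `get_safe_globals()` still binds `commit = frappe.db.commit` (context of the last safe_exec.py hunk), so the dependable control is to have the document-event path execute with a `commit` that raises, rather than scanning source text. The check also runs only from `execute_doc` (whose body starts outside the hunk), when the event fires; calling it from `validate()` as well would reject the script when it is saved. I would give the new method a docstring such as `"""Reject scripts containing frappe.db.commit(); a text match only, not a sandbox control."""`. `import re` in the first hunk is not used by any line this patch adds and can be dropped.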
@@ -157,6 +156,13 @@ def get_safe_globals():
 commit = frappe.db.commit
 )
+ out.frappe.cache = NamespaceDict(
+ get_value = frappe.cache().get_value,
+ set_value = frappe.cache().set_value,
+ hset = frappe.cache().hset,
+ hget = frappe.cache().hget
+ )
+
 if frappe.response:
 out.frappe.response = frappe.response
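Review bot: The new `out.frappe.cache` namespace forwards `get_value`, `set_value`, `hset` and `hget` with whatever key the script supplies, so a server script can still read and overwrite any entry in the site cache, including entries written by framework code — assuming the cache wrapper applies no per-caller key scoping, which this patch does not show. If scripts are only meant to have scratch storage, expose four small wrappers that prepend a fixed prefix to the key instead of the bound methods. `frappe.cache` also changes type here, from the accessor removed in the previous hunk (`cache=frappe.cache`) to a namespace, so scripts written as `frappe.cache().get_value(...)` would stop working unless `NamespaceDict` is callable; that belongs in the commit message. `frappe.cache()` is evaluated four times; a single `cache = frappe.cache()` above the block, then `get_value = cache.get_value,` and so on, reads better. `get_safe_globals` begins and ends outside the hunk.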