From ec615fe9aacca91e773c9eae676b2c4ed45e8eaf Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Fri, 12 Dec 2025 13:50:12 +0530
Subject: [PATCH] fix(goal): improve validation (#35186)

---
 frappe/utils/goal.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/frappe/utils/goal.py b/frappe/utils/goal.py
index 3ba7c128ba..b875561a40 100644
--- a/frappe/utils/goal.py
+++ b/frappe/utils/goal.py
@@ -20,6 +20,17 @@ def get_monthly_results(
 ) -> dict:
 	"""Get monthly aggregation values for given field of doctype"""
 
+	# Only allow some valid aggregations
+	if aggregation.lower() not in {"sum", "avg", "count", "min", "max"}:
+		frappe.throw(f"Invalid aggregation type: {aggregation}")
+
+	# Check that the goal and date fields exist on the chosen doctype
+	valid_fields = frappe.get_meta(goal_doctype).get_valid_fields()
+	if goal_field not in valid_fields:
+		frappe.throw(f"Invalid goal field: {goal_field}")
+	if date_col not in valid_fields:
+		frappe.throw(f"Invalid date field: {date_col}")
+
 	Table = DocType(goal_doctype)
 
 	date_format = "%m-%Y" if frappe.db.db_type != "postgres" else "MM-YYYY"
@@ -32,6 +43,7 @@ def get_monthly_results(
 		],
 		filters=filters,
 		validate_filters=True,
+		ignore_permissions=False,
 	)
 	.groupby("month_year")
 	.run()
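Review bot: The three `frappe.throw` calls added at the top of `get_monthly_results` build their message with a bare f-string, so they are not translated like other user-facing errors and they reflect the caller-supplied value back verbatim; if the client renders the message as HTML, the reflected value should go through `frappe.bold` (or be escaped) rather than interpolated raw, e.g. `frappe.throw(_("Invalid aggregation type: {0}").format(frappe.bold(aggregation)))`, importing `_` if it is not already in scope. `aggregation.lower()` also assumes a `str`: a `None` or non-string argument raises `AttributeError` instead of the intended validation error, so if callers can pass such a value an `isinstance(aggregation, str)` guard belongs in front of the membership test. The body of `get_monthly_results`, including where the validated `aggregation`, `goal_field` and `date_col` are applied to the query, continues outside the hunk, so whether the lower-cased or original `aggregation` value is used downstream cannot be confirmed from here.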