Commit graph

132 commits

Author SHA1 Message Date
Ankush Menat
e152ebc0a3 chore: typo 2023-09-18 20:16:27 +05:30
gavin
c3efddd380 fix: Allow DB Callback Managers in Safe Exec (#22302) 2023-09-05 10:38:14 +05:30
Ankush Menat
e9585e9ce6 fix: remove validation on text code
These can overvalidate e.g. "Frappe information technology" contains "format".

RestrictedPython anyway validates these attribute accesses at runtime, so there is no
need to validate this on code.
2023-08-31 11:03:28 +05:30
Ankush Menat
1390b972a8 fix(DX): let users know that server scripts are disabled 2023-08-23 14:49:05 +05:30
Ankush Menat
6e0b522ae3 refactor!: Disable server scripts by default
- Move the config to bench level and not site level because, server
  script "threat model" requires consent from a bench owner and not
  individual site.
- While this is a breaking change which people may not like, we believe
  it's essential to improve the security model of Frappe.
2023-08-23 14:49:05 +05:30
Ankush Menat
8ddde056a0 fix: don't allow NamedExpr in safe_eval 2023-08-21 12:42:21 +05:30
Ankush Menat
eede56d5df fix: don't allow writes to live objects 2023-08-21 12:04:55 +05:30
Ankush Menat
f449262050 fix: allow dict access and unpacks 2023-08-21 11:59:53 +05:30
Ankush Menat
14b62d7ff1 fix: correct getattr implementation for safe_eval 2023-08-21 11:59:53 +05:30
Ankush Menat
3531f58b54 refactor: unify safe_exec and safe_eval code
A lot of duplication was present for this code.
2023-08-21 11:59:53 +05:30
Ankush Menat
4d5a945861 refactor: reduce duplication in unsafe attr checks (#22033) 2023-08-13 18:23:41 +05:30
Ankush Menat
ce1355dab8 fix: block format attributes (#22028) 2023-08-12 22:12:30 +05:30
Michelle Alva
fd2efdb0e1 chore: whitelisted typo (#21930) 2023-08-05 20:15:55 +05:30
Ankush Menat
7ee85758b1 fix(console): don't commit when exception is raised and unconditionally check query (#21850)
* fix(console): unconditionally check query type

* fix(console): don't commit when exception occurs
2023-07-28 18:07:08 +05:30
Nabin Hait
94ccdd628a fix: added get_quarter_ending function in safe_exec 2023-06-22 16:18:52 +05:30
Ankush Menat
3005e66e45 refactor!: Drop previously deprecated code 2023-06-13 16:00:43 +05:30
Raffael Meyer
036e1c94cd feat!: remove deprecated timezone utils (#20255) 2023-03-06 19:56:57 +05:30
barredterra
c099b67165 feat: add new timezone utils to safe_exec 2023-03-06 13:07:24 +01:00
barredterra
3f87ffe446 Revert "refactor: rename timezone utils in safe_exec"
This reverts commit d1ccfc91b8.
2023-03-06 13:04:20 +01:00
barredterra
d1ccfc91b8 refactor: rename timezone utils in safe_exec 2023-03-05 16:17:44 +01:00
Ankush Menat
b11793ab02 fix: set filename explicitly for safe_exec 2022-12-07 16:34:27 +05:30
Sagar Vora
5f2cc8ec79 chore: keep previous order for easy backport 2022-12-07 14:09:02 +05:30
Sagar Vora
0c220169da chore: reorder pylint disable 2022-12-07 13:50:59 +05:30
Sagar Vora
7d47d10692 fix: override RestrictedPython transformer to allow _dict, revert frappe.as_dict 2022-12-07 13:45:28 +05:30
Sagar Vora
f2e1dbe7eb fix: restore _dict, used in Jinja code 2022-12-07 13:13:27 +05:30
HarryPaulo
f25358ad63 fix: "_dict" is an invalid attribute name because it starts with "_" (#19010)
* fix: "_dict" is an invalid attribute name because it starts with "_"

* chore: move to frappe namespace
2022-11-29 11:43:23 +05:30
Ankush Menat
668a730788 fix: avoid patching QB if already patched 2022-11-11 16:38:05 +05:30
Ankush Menat
44a5bdc3f1 fix: ignore internal methods (#18784) 2022-11-06 19:18:30 +05:30
Ankush Menat
e02b90cd5b fix: don't allow reading attributes of unsafe objects (#18706) 2022-11-06 17:33:02 +05:30
Athul Cyriac Ajay
31a37ed671 chore: Add make_put_requests method for Server Scripts (#18128) 2022-09-14 15:54:15 +05:30
barredterra
d0b753a25d refactor: move lang into frappe namespace 2022-09-01 17:12:58 +02:00
barredterra
836fd6ef78 feat: add lang to safe globals 2022-09-01 16:53:20 +02:00
phot0n
cd2664bf99 chore: remove get_payment_gateway_controller safe global 2022-07-26 23:18:23 +05:30
Ankush Menat
a98e47150f feat(tiny): frappe.log -> frappe.log for server scripts
This is already whitelisted, but in global scope.

[skip ci]
2022-07-18 16:27:28 +05:30
Suraj Shetty
d4166dbe20 refactor: Replace html2text with markdownify 2022-07-06 08:23:14 +05:30
Ankush Menat
81b37cb7d2 refactor: clean up code to py310 supported features (#17367)
refactor: clean up code to py39+ supported syntax

- f-strings instead of format
- latest typing support instead of pre 3.9 TitleCase
- remove UTF-8 declarations.
- many more changes

Powered by https://github.com/asottile/pyupgrade/ + manual cleanups
2022-07-01 11:51:05 +05:30
Abhishek M
378149375d fix: Passing dev server variable to jenv globals correctly (#16843)
Encountered the same issue during a fresh setup: https://discuss.erpnext.com/t/v13-fresh-install-develop-socket-io-using-wrong-port/74562

The problem originates from the `socketio_client.js` file. During development, the `socket.io` client by default sends requests to port 8000, but ideally it should've been 9000 (that's where it's actually running), since the latter is defined in `frappe.boot.socketio_port`. This is happening because the `jenv` variable `dev_server` is always being returned as 0.

In this line (`frappe/__init__.py`, line 237, at commit 0f7d8e7903), we are setting `frappe.local.dev_server`, but in safe exec we are using `frappe._dev_server` as the source to populate the variable `dev_server`, which eventually gets pushed to the `app.html` via `jinja`. (`frappe._dev_server` evaluates to `None`.)

In `socketio_client`, we are using this variable (`frappe/public/js/frappe/socketio_client.js`, line 112, at commit 0f7d8e7903) as a flag to decide whether or not `frappe.boot.socketio_port` should be the port that the `socket.io` client connects to.
2022-05-18 09:19:24 +00:00
Saurabh
e2d3d1d0be feat: provision to handle payment authorization event in server script for custom documents (#16712)
Currently, there is no provision to handle payment authorization events via server script. So it's not possible if a user wants to link payments against custom documents.

Thus adding a provision in server script:
- Setup checkout for custom doc (screenshot: https://user-images.githubusercontent.com/3784093/157838010-989f6009-83d6-4329-92a6-bb2b6b38438b.png)

- Handle payment callback (screenshot: https://user-images.githubusercontent.com/3784093/164612613-d321edb3-c7f8-4063-b809-8ae5fe46ee66.png)

## Documentation
https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script/edit?wiki_page_patch=bbed0fcd9a
2022-04-26 10:02:30 +00:00
Gavin D'souza
ab1f893e41 feat: Add get_mapped_doc in safe_exec under frappe 2022-04-21 16:52:06 +05:30
Gavin D'souza
9823e51512 feat(safe_exec): Allow new_doc, get_last_doc, rename_doc, delete_doc
* rename_doc points to the unwhitelisted method which supports the
  ignore_permissions check
* Allowed other safe utils for better DX
2022-04-21 16:00:24 +05:30
Deepesh Garg
2af2b80ba6 feat: Expose add index in exec_globals (#16605)
* feat: Expose add index in exec_globals

* fix: Linting issues
2022-04-14 18:59:39 +05:30
Suraj Shetty
c0c5b2ebdd style: format all python files using black (#16453)
Co-authored-by: Frappe Bot <developers@frappe.io>
2022-04-12 10:59:25 +05:30
Ankush Menat
b029b255fe refactor: code duplication for sql whitelisting 2022-03-24 17:49:28 +05:30
Sagar Vora
4c403333c4 fix: remove unused flag in_setup_help 2022-02-16 16:02:37 +05:30
Sagar Vora
01f4ba2061 feat: frappe.enqueue and frappe.call for server scripts 2021-12-22 13:21:13 +05:30
Faris Ansari
c6f9920795 fix: removing map filter
these can potentially lead to security issues, avoiding for now
2021-12-16 20:31:50 +05:30
Faris Ansari
0bc3ff794b fix: remove attr helpers and type
these can potentially lead to security issues, avoiding for now
2021-12-16 16:21:05 +05:30
Faris Ansari
7c8659388d fix(server-script): add common python builtins 2021-12-16 12:19:08 +05:30
Aradhya
69108c4c86 Merge branch 'develop' of github.com:Aradhya-Tripathi/frappe into at/aggregations 2021-11-27 17:52:30 +05:30
Faris Ansari
7e35dc4913 fix: add frappe.as_json for safe_exec scripts 2021-11-26 16:30:34 +05:30