fix(security): Sanitize fields list, group_by and order_by clause to prevent SQLi

adityahase · adityahase · commit bc96aa5d04f4 · 2019-07-30T12:53:11.000+05:30
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
@@ -111,8 +111,12 @@ def build_and_run(self):
 		if self.distinct:
 			args.fields = 'distinct ' + args.fields
 
-		query = """select %(fields)s from %(tables)s %(conditions)s
-			%(group_by)s %(order_by)s %(limit)s""" % args
+		query = """select %(fields)s
+			from %(tables)s
+			%(conditions)s
+			%(group_by)s
+			%(order_by)s
+			%(limit)s""" % args
 
 		return frappe.db.sql(query, as_dict=not self.as_list, debug=self.debug, update=self.update)
 
@@ -234,6 +238,11 @@ def _is_query(field):
 
 			_is_query(field)
 
+			if re.compile(r".*/\*.*").match(field):
+				frappe.throw(_('Illegal SQL Query'))
+
+			if re.compile(r".*\s(union).*\s").match(field.lower()):
+				frappe.throw(_('Illegal SQL Query'))
 
 	def extract_tables(self):
 		"""extract tables from fields"""
@@ -635,6 +644,8 @@ def validate_order_by_and_group_by(self, parameters):
 		if 'select' in _lower and ' from ' in _lower:
 			frappe.throw(_('Cannot use sub-query in order by'))
 
+		if re.compile(r".*[^a-z0-9-_ ,`'\"\.\(\)].*").match(_lower):
+			frappe.throw(_('Illegal SQL Query'))
 
 		for field in parameters.split(","):
 			if "." in field and field.strip().startswith("`tab"):
