
fix(db_query): Space resilient sanitization #18996

Merged
merged 4 commits into from Nov 25, 2022

Conversation

gavindsouza
Collaborator

No description provided.

@gavindsouza gavindsouza requested a review from a team as a code owner November 24, 2022 10:07
@gavindsouza gavindsouza requested review from phot0n and removed request for a team November 24, 2022 10:07
@codecov

codecov bot commented Nov 24, 2022

Codecov Report

Merging #18996 (35827af) into develop (73f0256) will increase coverage by 0.03%.
The diff coverage is 92.85%.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop   #18996      +/-   ##
===========================================
+ Coverage    63.55%   63.59%   +0.03%     
===========================================
  Files          750      750              
  Lines        67622    67865     +243     
  Branches      6027     6027              
===========================================
+ Hits         42978    43159     +181     
- Misses       21229    21291      +62     
  Partials      3415     3415              
| Flag | Coverage Δ |
| --- | --- |
| server-mariadb | 67.29% <100.00%> (-0.01%) ⬇️ |

Flags with carried forward coverage won't be shown.

Co-authored-by: Ankush Menat <ankushmenat@gmail.com>
@ankush ankush merged commit 763bdb5 into frappe:develop Nov 25, 2022
@ankush ankush added the labels `defer backport` (Backports for some PR are deferred for a week or two to test them properly before releasing), `backport version-13-hotfix` and `backport version-14-hotfix` (backport to version 14), and removed the label `defer backport` (Backports for some PR are deferred for a week or two to test them properly before releasing) Nov 25, 2022
ankush pushed a commit that referenced this pull request Nov 30, 2022
* fix(db_query): Space resilient matching

(cherry picked from commit 575d32e)

* test: Add more tests for illegal subquery and fn usage

(cherry picked from commit 1f91324)

* fix: Move function check inside subquery

(cherry picked from commit 1a5e5f5)

* fix: Strip white spaces on lower cased field value

Co-authored-by: Ankush Menat <ankushmenat@gmail.com>
(cherry picked from commit 35827af)

Co-authored-by: Gavin D'souza <gavin18d@gmail.com>
ankush pushed a commit that referenced this pull request Nov 30, 2022
* fix(db_query): Space resilient matching

(cherry picked from commit 575d32e)

# Conflicts:
#	frappe/model/db_query.py

* test: Add more tests for illegal subquery and fn usage

(cherry picked from commit 1f91324)

* fix: Move function check inside subquery

(cherry picked from commit 1a5e5f5)

# Conflicts:
#	frappe/model/db_query.py

* fix: Strip white spaces on lower cased field value

Co-authored-by: Ankush Menat <ankushmenat@gmail.com>
(cherry picked from commit 35827af)

# Conflicts:
#	frappe/model/db_query.py

* fix: Resolve conflicts in #19044

Co-authored-by: Gavin D'souza <gavin18d@gmail.com>
frappe-pr-bot pushed a commit that referenced this pull request Dec 6, 2022
# [14.18.0](v14.17.1...v14.18.0) (2022-12-06)

### Bug Fixes

* attribute error on export of reports with additional columns ([#19105](#19105)) ([2b43d5b](2b43d5b))
* check for bad zip files during unzipping in file doctype ([#19058](#19058)) ([#19060](#19060)) ([96c928e](96c928e))
* **db_query:** Disallow usage of certain functions in *_by ([#18981](#18981)) ([#19135](#19135)) ([5376755](5376755))
* **db_query:** Space resilient sanitization (backport [#18996](#18996)) ([#19045](#19045)) ([ab8422f](ab8422f))
* disable signups by default (backport [#19114](#19114)) ([#19118](#19118)) ([3dd2775](3dd2775))
* do not escape undefined txt ([86267e9](86267e9))
* empty search shows `None` ([#19055](#19055)) ([#19057](#19057)) ([1cd0bc2](1cd0bc2))
* ensure correct parenttype when retrieving roles ([af55da9](af55da9))
* give more weight to sequential matches ([#19121](#19121)) ([#19122](#19122)) ([16f642f](16f642f))
* ignore empty/`None` scripts ([#19111](#19111)) ([#19113](#19113)) ([2a96757](2a96757))
* keep actions on right ([7d3e47b](7d3e47b))
* LDAP - check each email in list before creating user ([250f787](250f787))
* only check for special characters in fieldname ([#19061](#19061)) ([#19065](#19065)) ([de0facc](de0facc)), closes [#18965](#18965)
* only System Manager can access Google Drive ([05be9ee](05be9ee))
* Optimize check field type is tab break if the doctype has a workflow ([#18858](#18858)) ([d9ce6c1](d9ce6c1))
* site creation using non-root users ([#19014](#19014)) ([#19043](#19043)) ([844e744](844e744))
* socketio spawn error ([#19070](#19070)) ([#19071](#19071)) ([75a54eb](75a54eb))
* type conversion for read receipt in communication email ([e0f7dd4](e0f7dd4))
* use permtype from passed arguments in has_web_form_permission when applying document permissions ([91c99d2](91c99d2))
* use webform doctype rather than allowing user to pass any doctype ([2be3178](2be3178))
* **UX:** freeze on delete ([#19094](#19094)) ([dd4791a](dd4791a))
* **UX:** Make fetch_from read_only if fetch_is_empty is not set ([#19025](#19025)) ([#19041](#19041)) ([feed227](feed227))
* Widget control on dashboard chart breaks on smaller screens ([d6dedca](d6dedca))

### Features

* **workers:** many small RQ worker features (backport [#18995](#18995)) ([#19046](#19046)) ([37dbada](37dbada))
frappe-pr-bot pushed a commit that referenced this pull request Dec 7, 2022
## [13.45.3](v13.45.2...v13.45.3) (2022-12-07)

### Bug Fixes

* **db_query:** Disallow usage of certain functions in *_by ([#18981](#18981)) ([#19134](#19134)) ([208d2e3](208d2e3))
* **db_query:** Space resilient sanitization (backport [#18996](#18996)) ([#19044](#19044)) ([a0b9bb4](a0b9bb4))
* disable signups by default (backport [#19114](#19114)) ([#19117](#19117)) ([1a67a41](1a67a41))
* empty search shows `None` ([#19055](#19055)) ([#19056](#19056)) ([7cd4dd4](7cd4dd4))
* ensure correct parenttype when retrieving roles ([59c61a9](59c61a9))
* ignore empty/`None` scripts ([#19111](#19111)) ([#19112](#19112)) ([2f21d24](2f21d24))
* keep actions on right ([86353aa](86353aa))
* LDAP - check each email in list before creating user ([f935383](f935383))
* merge conflict ([adcfdc7](adcfdc7))
* only check for special characters in fieldname (backport [#19061](#19061)) ([#19067](#19067)) ([f68f161](f68f161)), closes [#18965](#18965) [#18909](#18909)
* only System Manager can access Google Drive ([dbf7287](dbf7287))
* **security:** validate web form permissions correctly (backport [#19088](#19088)) ([#19108](#19108)) ([553408e](553408e))
* type conversion for read receipt in communication email ([5c55536](5c55536))
* **UX:** freeze on delete (backport [#19094](#19094)) ([#19106](#19106)) ([851a803](851a803))
* **UX:** Make fetch_from read_only if fetch_is_empty is not set ([#19025](#19025)) ([0102b53](0102b53))
* Widget control on dashboard chart breaks on smaller screens ([62ad75c](62ad75c))
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 14, 2022