fix(db_query): Disallow usage of certain functions in *_by (backport #18981) #19134
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?s=60&v=4){kind=small}
* fix(db_query): Disallow blacklisted functions in (order|group)_by Changes: - allow only functions that are not blacklisted in *_by clause: currently just sleep - perf improvemnts: lower, in, split, strip & other low hanging micro optimizations Handle the following use cases: - upper/lower case function usages - spaces between function name and brackets * test(db_query): Add tests for *_by checks (cherry picked from commit 6062d81)
frappe-pr-bot
pushed a commit
that referenced
this pull request
Dec 7, 2022
## [13.45.3](v13.45.2...v13.45.3) (2022-12-07) ### Bug Fixes * **db_query:** Disallow usage of certain functions in *_by ([#18981](#18981)) ([#19134](#19134)) ([208d2e3](208d2e3)) * **db_query:** Space resilient sanitization (backport [#18996](#18996)) ([#19044](#19044)) ([a0b9bb4](a0b9bb4)) * disable signups by default (backport [#19114](#19114)) ([#19117](#19117)) ([1a67a41](1a67a41)) * empty search shows `None` ([#19055](#19055)) ([#19056](#19056)) ([7cd4dd4](7cd4dd4)) * ensure correct parenttype when retrieving roles ([59c61a9](59c61a9)) * ignore empty/`None` scripts ([#19111](#19111)) ([#19112](#19112)) ([2f21d24](2f21d24)) * keep actions on right ([86353aa](86353aa)) * LDAP - check each email in list before creating user ([f935383](f935383)) * merge conflict ([adcfdc7](adcfdc7)) * only check for special characters in fieldname (backport [#19061](#19061)) ([#19067](#19067)) ([f68f161](f68f161)), closes [#18965](#18965) [#18909](#18909) * only System Manager can access Google Drive ([dbf7287](dbf7287)) * **security:** validate web form permissions correctly (backport [#19088](#19088)) ([#19108](#19108)) ([553408e](553408e)) * type conversion for read receipt in communication email ([5c55536](5c55536)) * **UX:** freeze on delete (backport [#19094](#19094)) ([#19106](#19106)) ([851a803](851a803)) * **UX:** Make fetch_from read_only if fetch_is_empty is not set ([#19025](#19025)) ([0102b53](0102b53)) * Widget control on dashboard chart breaks on smaller screens ([62ad75c](62ad75c))
|
🎉 This PR is included in version 13.45.3 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an automatic backport of pull request #18981 done by Mergify.
Mergify commands and options
More conditions and actions can be found in the documentation.
You can also trigger Mergify actions by commenting on this pull request:
@Mergifyio refreshwill re-evaluate the rules@Mergifyio rebasewill rebase this PR on its base branch@Mergifyio updatewill merge the base branch into this PR@Mergifyio backport <destination>will backport this PR on<destination>branchAdditionally, on Mergify dashboard you can:
Finally, you can contact us on https://mergify.com