fix: sql injection (#20818)

2020-03-16 14:06:44 -03:00 · 2020-03-16 14:06:44 -03:00 · 2b6a20aab5
commit 2b6a20aab5
parent b8b5fa6291
4 changed files with 16 additions and 7 deletions
--- a/erpnext/accounts/doctype/bank_guarantee/bank_guarantee.py
+++ b/erpnext/accounts/doctype/bank_guarantee/bank_guarantee.py
@ -6,6 +6,7 @@ from __future__ import unicode_literals
 import frappe, json
 from frappe.model.document import Document
 from frappe import _
+from frappe.desk.search import sanitize_searchfield

 class BankGuarantee(Document):
 	def validate(self):
@ -22,5 +23,8 @@ class BankGuarantee(Document):

@frappe.whitelist()
 def get_vouchar_detials(column_list, doctype, docname):
+	column_list = json.loads(column_list)
+	for col in column_list:
+		sanitize_searchfield(col) 
 	return frappe.db.sql(''' select {columns} from `tab{doctype}` where name=%s'''
 		.format(columns=", ".join(json.loads(column_list)), doctype=doctype), docname, as_dict=1)[0]
--- a/erpnext/healthcare/doctype/patient_appointment/patient_appointment.py
+++ b/erpnext/healthcare/doctype/patient_appointment/patient_appointment.py
@ -386,5 +386,5 @@ def get_procedure_prescribed(patient):
 	return frappe.db.sql("""select pp.name, pp.procedure, pp.parent, ct.practitioner,
 	ct.encounter_date, pp.practitioner, pp.date, pp.department
 	from `tabPatient Encounter` ct, `tabProcedure Prescription` pp
-	where ct.patient='{0}' and pp.parent=ct.name and pp.appointment_booked=0
-	order by ct.creation desc""".format(patient))
+	where ct.patient=%(patient)s and pp.parent=ct.name and pp.appointment_booked=0
+	order by ct.creation desc""", {"patient": patient})
--- a/erpnext/hr/doctype/department/department.py
+++ b/erpnext/hr/doctype/department/department.py
@ -48,12 +48,17 @@ def get_abbreviated_name(name, company):
@frappe.whitelist()
 def get_children(doctype, parent=None, company=None, is_root=False):
 	condition = ''
+	var_dict = {
+		"name": get_root_of("Department"),
+		"parent": parent,
+		"company": company,
+	}
 	if company == parent:
-		condition = "name='{0}'".format(get_root_of("Department"))
+		condition = "name=%(name)s"
 	elif company:
-		condition = "parent_department='{0}' and company='{1}'".format(parent, company)
+		condition = "parent_department=%(parent)s and company=%(company)s"
 	else:
-		condition = "parent_department = '{0}'".format(parent)
+		condition = "parent_department = %(parent)s"

 	return frappe.db.sql("""
 		select
@ -62,7 +67,7 @@ def get_children(doctype, parent=None, company=None, is_root=False):
 		from `tab{doctype}`
 		where
 			{condition}
-		order by name""".format(doctype=doctype, condition=condition), as_dict=1)
+		order by name""".format(doctype=doctype, condition=condition), var_dict, as_dict=1)

@frappe.whitelist()
 def add_node():
--- a/erpnext/regional/india/utils.py
+++ b/erpnext/regional/india/utils.py
@ -478,7 +478,7 @@ def get_gstins_for_company(company):
 			`tabDynamic Link`.parent = `tabAddress`.name and
 			`tabDynamic Link`.parenttype = 'Address' and
 			`tabDynamic Link`.link_doctype = 'Company' and
-			`tabDynamic Link`.link_name = '{0}'""".format(company))
+			`tabDynamic Link`.link_name = %(company)s""", {"company": company})
 	return company_gstins

 def get_address_details(data, doc, company_address, billing_address):