fix: sql injection (#20818)
diff --git a/erpnext/accounts/doctype/bank_guarantee/bank_guarantee.py b/erpnext/accounts/doctype/bank_guarantee/bank_guarantee.py
index 9aa2ee2..f28a074 100644
--- a/erpnext/accounts/doctype/bank_guarantee/bank_guarantee.py
+++ b/erpnext/accounts/doctype/bank_guarantee/bank_guarantee.py
@@ -6,6 +6,7 @@
import frappe, json
from frappe.model.document import Document
from frappe import _
+from frappe.desk.search import sanitize_searchfield
class BankGuarantee(Document):
def validate(self):
@@ -22,5 +23,8 @@
@frappe.whitelist()
def get_vouchar_detials(column_list, doctype, docname):
+ column_list = json.loads(column_list)
+ for col in column_list:
+ sanitize_searchfield(col)
return frappe.db.sql(''' select {columns} from `tab{doctype}` where name=%s'''
.format(columns=", ".join(json.loads(column_list)), doctype=doctype), docname, as_dict=1)[0]
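Review bot: Line 20 still calls `json.loads(column_list)` even though line 16 has already replaced `column_list` with the parsed list, so the new code raises `TypeError` before the query runs; change it to `", ".join(column_list)`. The `doctype` argument is still interpolated into the table name by `.format` with no check, and the function is `@frappe.whitelist()`ed, so a caller controls it; the same pattern remains in `get_children` in department.py (`tab{doctype}` in the next file of this commit). Resolving it through `frappe.get_meta(doctype)` (which fails for an unknown DocType) or checking `frappe.has_permission(doctype, "read")` before formatting would close that hole. `sanitize_searchfield` is presumably relied on to raise rather than to return a cleaned value; a short comment saying so, `# raises on disallowed characters; return value intentionally unused`, would help the next reader.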
diff --git a/erpnext/healthcare/doctype/patient_appointment/patient_appointment.py b/erpnext/healthcare/doctype/patient_appointment/patient_appointment.py
index d562245..5f48c9f 100755
--- a/erpnext/healthcare/doctype/patient_appointment/patient_appointment.py
+++ b/erpnext/healthcare/doctype/patient_appointment/patient_appointment.py
@@ -386,5 +386,5 @@
return frappe.db.sql("""select pp.name, pp.procedure, pp.parent, ct.practitioner,
ct.encounter_date, pp.practitioner, pp.date, pp.department
from `tabPatient Encounter` ct, `tabProcedure Prescription` pp
- where ct.patient='{0}' and pp.parent=ct.name and pp.appointment_booked=0
- order by ct.creation desc""".format(patient))
+ where ct.patient=%(patient)s and pp.parent=ct.name and pp.appointment_booked=0
+ order by ct.creation desc""", {"patient": patient})
diff --git a/erpnext/hr/doctype/department/department.py b/erpnext/hr/doctype/department/department.py
index 9b2b581..2cef509 100644
--- a/erpnext/hr/doctype/department/department.py
+++ b/erpnext/hr/doctype/department/department.py
@@ -48,12 +48,17 @@
@frappe.whitelist()
def get_children(doctype, parent=None, company=None, is_root=False):
condition = ''
+ var_dict = {
+ "name": get_root_of("Department"),
+ "parent": parent,
+ "company": company,
+ }
if company == parent:
- condition = "name='{0}'".format(get_root_of("Department"))
+ condition = "name=%(name)s"
elif company:
- condition = "parent_department='{0}' and company='{1}'".format(parent, company)
+ condition = "parent_department=%(parent)s and company=%(company)s"
else:
- condition = "parent_department = '{0}'".format(parent)
+ condition = "parent_department = %(parent)s"
return frappe.db.sql("""
select
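Review bot: `get_root_of("Department")` at line 42 is now evaluated on every call, whereas before the change it ran only in the `company == parent` branch (line 47); if it performs a lookup, that is an extra round trip for the common `company` branches. Binding it lazily, `"name": get_root_of("Department") if company == parent else None`, keeps the dictionary shape while restoring the old cost. The `return frappe.db.sql(...)` started at line 55 continues past this hunk.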
@@ -62,7 +67,7 @@
from `tab{doctype}`
where
{condition}
- order by name""".format(doctype=doctype, condition=condition), as_dict=1)
+ order by name""".format(doctype=doctype, condition=condition), var_dict, as_dict=1)
@frappe.whitelist()
def add_node():
diff --git a/erpnext/regional/india/utils.py b/erpnext/regional/india/utils.py
index f37b0e4..0282382 100644
--- a/erpnext/regional/india/utils.py
+++ b/erpnext/regional/india/utils.py
@@ -478,7 +478,7 @@
`tabDynamic Link`.parent = `tabAddress`.name and
`tabDynamic Link`.parenttype = 'Address' and
`tabDynamic Link`.link_doctype = 'Company' and
- `tabDynamic Link`.link_name = '{0}'""".format(company))
+ `tabDynamic Link`.link_name = %(company)s""", {"company": company})
return company_gstins
def get_address_details(data, doc, company_address, billing_address):