fix: (Linter) Write queries using QB/ORM and other minor lines for semgrep to skip
diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py
index 1a833a4..d72d8f7 100644
--- a/erpnext/accounts/doctype/payment_request/payment_request.py
+++ b/erpnext/accounts/doctype/payment_request/payment_request.py
@@ -435,7 +435,7 @@
""", (ref_dt, ref_dn))
return flt(existing_payment_request_amount[0][0]) if existing_payment_request_amount else 0
-def get_gateway_details(args):
+def get_gateway_details(args): # nosemgrep
"""return gateway and payment account of default payment gateway"""
if args.get("payment_gateway_account"):
return get_payment_gateway_account(args.get("payment_gateway_account"))
diff --git a/erpnext/e_commerce/doctype/e_commerce_settings/test_e_commerce_settings.py b/erpnext/e_commerce/doctype/e_commerce_settings/test_e_commerce_settings.py
index 20a96f9..86cef30 100644
--- a/erpnext/e_commerce/doctype/e_commerce_settings/test_e_commerce_settings.py
+++ b/erpnext/e_commerce/doctype/e_commerce_settings/test_e_commerce_settings.py
@@ -41,7 +41,7 @@
def test_tax_rule_validation(self):
frappe.db.sql("update `tabTax Rule` set use_for_shopping_cart = 0")
- frappe.db.commit()
+ frappe.db.commit() # nosemgrep
cart_settings = self.get_cart_settings()
cart_settings.enabled = 1
diff --git a/erpnext/e_commerce/doctype/website_item/website_item.py b/erpnext/e_commerce/doctype/website_item/website_item.py
index 864ac24..62f7f49 100644
--- a/erpnext/e_commerce/doctype/website_item/website_item.py
+++ b/erpnext/e_commerce/doctype/website_item/website_item.py
@@ -57,16 +57,19 @@
self.publish_unpublish_desk_item(publish=True)
if not self.get("__islocal"):
- self.old_website_item_groups = frappe.db.sql_list("""
- select
- item_group
- from
- `tabWebsite Item Group`
- where
- parentfield='website_item_groups'
- and parenttype='Website Item'
- and parent=%s
- """, self.name)
+ wig = frappe.qb.DocType("Website Item Group")
+ query = (
+ frappe.qb.from_(wig)
+ .select(wig.item_group)
+ .where(
+ (wig.parentfield == "website_item_groups")
+ & (wig.parenttype == "Website Item")
+ & (wig.parent == self.name)
+ )
+ )
+ result = query.run(as_list=True)
+
+ self.old_website_item_groups = [x[0] for x in result]
def on_update(self):
invalidate_cache_for_web_item(self)
@@ -330,18 +333,22 @@
return tab_values
def get_recommended_items(self, settings):
- items = frappe.db.sql(f"""
- select
- ri.website_item_thumbnail, ri.website_item_name,
- ri.route, ri.item_code
- from
- `tabRecommended Items` ri, `tabWebsite Item` wi
- where
- ri.item_code = wi.item_code
- and ri.parent = '{self.name}'
- and wi.published = 1
- order by ri.idx
- """, as_dict=1)
+ ri = frappe.qb.DocType("Recommended Items")
+ wi = frappe.qb.DocType("Website Item")
+
+ query = (
+ frappe.qb.from_(ri)
+ .join(wi).on(ri.item_code == wi.item_code)
+ .select(
+ ri.item_code, ri.route,
+ ri.website_item_name,
+ ri.website_item_thumbnail
+ ).where(
+ (ri.parent == self.name)
+ & (wi.published == 1)
+ ).orderby(ri.idx)
+ )
+ items = query.run(as_dict=True)
if settings.show_price:
is_guest = frappe.session.user == "Guest"
diff --git a/erpnext/e_commerce/doctype/wishlist/wishlist.py b/erpnext/e_commerce/doctype/wishlist/wishlist.py
index 5724a2d..50e3d3a 100644
--- a/erpnext/e_commerce/doctype/wishlist/wishlist.py
+++ b/erpnext/e_commerce/doctype/wishlist/wishlist.py
@@ -57,7 +57,7 @@
"parent": frappe.session.user
}
)
- frappe.db.commit()
+ frappe.db.commit() # nosemgrep
wishlist_items = frappe.db.get_values(
"Wishlist Item",
diff --git a/erpnext/e_commerce/product_data_engine/filters.py b/erpnext/e_commerce/product_data_engine/filters.py
index 6d44b2c..c4a3cb9 100644
--- a/erpnext/e_commerce/product_data_engine/filters.py
+++ b/erpnext/e_commerce/product_data_engine/filters.py
@@ -99,18 +99,14 @@
if not attributes:
return []
- result = frappe.db.sql(
- """
- select
- distinct attribute, attribute_value
- from
- `tabItem Variant Attribute`
- where
- attribute in %(attributes)s
- and attribute_value is not null
- """,
- {"attributes": attributes},
- as_dict=1,
+ result = frappe.get_all(
+ "Item Variant Attribute",
+ filters={
+ "attribute": ["in", attributes],
+ "attribute_value": ["is", "set"]
+ },
+ fields=["attribute", "attribute_value"],
+ distinct=True
)
attribute_value_map = {}
diff --git a/erpnext/e_commerce/shopping_cart/cart.py b/erpnext/e_commerce/shopping_cart/cart.py
index 12f82e3..458cf69 100644
--- a/erpnext/e_commerce/shopping_cart/cart.py
+++ b/erpnext/e_commerce/shopping_cart/cart.py
@@ -585,10 +585,20 @@
if quotation.shipping_address_name:
country = frappe.db.get_value("Address", quotation.shipping_address_name, "country")
if country:
- shipping_rules = frappe.db.sql_list("""select distinct sr.name
- from `tabShipping Rule Country` src, `tabShipping Rule` sr
- where src.country = %s and
- sr.disabled != 1 and sr.name = src.parent""", country)
+ sr_country = frappe.qb.DocType("Shipping Rule Country")
+ sr = frappe.qb.DocType("Shipping Rule")
+ query = (
+ frappe.qb.from_(sr_country)
+ .join(sr).on(sr.name == sr_country.parent)
+ .select(sr.name)
+ .distinct()
+ .where(
+ (sr_country.country == country)
+ & (sr.disabled != 1)
+ )
+ )
+ result = query.run(as_list=True)
+ shipping_rules = [x[0] for x in result]
return shipping_rules
diff --git a/erpnext/e_commerce/variant_selector/utils.py b/erpnext/e_commerce/variant_selector/utils.py
index 5caa4d0..3380273 100644
--- a/erpnext/e_commerce/variant_selector/utils.py
+++ b/erpnext/e_commerce/variant_selector/utils.py
@@ -60,7 +60,7 @@
NULL
'''.format(attribute_query=attribute_query, variant_of_query=variant_of_query)
- item_codes = set([r[0] for r in frappe.db.sql(query, query_values)])
+ item_codes = set([r[0] for r in frappe.db.sql(query, query_values)]) # nosemgrep
items.append(item_codes)
res = list(set.intersection(*items))
diff --git a/erpnext/patches/v13_0/create_website_items.py b/erpnext/patches/v13_0/create_website_items.py
index 6f798bc..da162a3 100644
--- a/erpnext/patches/v13_0/create_website_items.py
+++ b/erpnext/patches/v13_0/create_website_items.py
@@ -17,7 +17,7 @@
"website_warehouse", "web_long_description", "website_content", "thumbnail"]
# get all valid columns (fields) from Item master DB schema
- item_table_fields = frappe.db.sql("desc `tabItem`", as_dict=1)
+ item_table_fields = frappe.db.sql("desc `tabItem`", as_dict=1) # nosemgrep
item_table_fields = [d.get('Field') for d in item_table_fields]
# prepare fields to query from Item, check if the web field exists in Item master
diff --git a/erpnext/patches/v13_0/populate_e_commerce_settings.py b/erpnext/patches/v13_0/populate_e_commerce_settings.py
index d471923..586009e 100644
--- a/erpnext/patches/v13_0/populate_e_commerce_settings.py
+++ b/erpnext/patches/v13_0/populate_e_commerce_settings.py
@@ -24,17 +24,17 @@
settings = frappe.get_doc("E Commerce Settings")
def map_into_e_commerce_settings(doctype, fields):
- data = frappe.db.sql("""
- Select
- field, value
- from `tabSingles`
- where
- doctype='{doctype}'
- and field in ({fields})
- """.format(
- doctype=doctype,
- fields=(",").join(['%s'] * len(fields))
- ), tuple(fields), as_dict=1)
+ singles = frappe.qb.DocType("Singles")
+ query = (
+ frappe.qb.from_(singles)
+ .select(
+ singles.field, singles.value
+ ).where(
+ (singles.doctype == doctype)
+ & (singles.field in fields)
+ )
+ )
+ data = query.run(as_dict=True)
# {'enable_attribute_filters': '1', ...}
mapper = {row.field: row.value for row in data}
@@ -51,10 +51,12 @@
# move filters and attributes tables to E Commerce Settings from Products Settings
for doctype in ("Website Filter Field", "Website Attribute"):
- frappe.db.sql("""Update `tab{doctype}`
- set
- parenttype = 'E Commerce Settings',
- parent = 'E Commerce Settings'
- where
- parent = 'Products Settings'
- """.format(doctype=doctype))
\ No newline at end of file
+ frappe.db.set_value(
+ doctype,
+ {"parent": "Products Settings"},
+ {
+ "parenttype": "E Commerce Settings",
+ "parent": "E Commerce Settings"
+ },
+ update_modified=False
+ )
diff --git a/erpnext/setup/setup_wizard/operations/company_setup.py b/erpnext/setup/setup_wizard/operations/company_setup.py
index 8ffe02d..74c1bd8 100644
--- a/erpnext/setup/setup_wizard/operations/company_setup.py
+++ b/erpnext/setup/setup_wizard/operations/company_setup.py
@@ -29,7 +29,7 @@
'domain': args.get('domains')[0]
}).insert()
-def enable_shopping_cart(args):
+def enable_shopping_cart(args): # nosemgrep
# Needs price_lists
frappe.get_doc({
"doctype": "E Commerce Settings",
diff --git a/erpnext/setup/setup_wizard/operations/install_fixtures.py b/erpnext/setup/setup_wizard/operations/install_fixtures.py
index d7c6913..cd2738a 100644
--- a/erpnext/setup/setup_wizard/operations/install_fixtures.py
+++ b/erpnext/setup/setup_wizard/operations/install_fixtures.py
@@ -535,7 +535,7 @@
# bank account same as a CoA entry
pass
-def update_shopping_cart_settings(args):
+def update_shopping_cart_settings(args): # nosemgrep
shopping_cart = frappe.get_doc("E Commerce Settings")
shopping_cart.update({
"enabled": 1,
diff --git a/erpnext/templates/pages/product_search.py b/erpnext/templates/pages/product_search.py
index 9c27c0e..237adf9 100644
--- a/erpnext/templates/pages/product_search.py
+++ b/erpnext/templates/pages/product_search.py
@@ -53,9 +53,7 @@
# order by
query += """ ORDER BY ranking desc, modified desc limit %s, %s""" % (cint(start), cint(limit))
- return frappe.db.sql(query, {
- "search": search
- }, as_dict=1)
+ return frappe.db.sql(query, {"search": search}, as_dict=1) # nosemgrep
@frappe.whitelist(allow_guest=True)
def search(query):
diff --git a/erpnext/www/shop-by-category/index.py b/erpnext/www/shop-by-category/index.py
index fecc05b..3946212 100644
--- a/erpnext/www/shop-by-category/index.py
+++ b/erpnext/www/shop-by-category/index.py
@@ -56,30 +56,22 @@
categorical_data = {}
for category in categories:
if category == "item_group":
- categorical_data["item_group"] = frappe.db.sql("""
- Select
- name, parent_item_group, is_group, image, route
- from
- `tabItem Group`
- where
- parent_item_group = 'All Item Groups'
- and show_in_website = 1
- """,
- as_dict=1)
+ categorical_data["item_group"] = frappe.db.get_all(
+ "Item Group",
+ filters={
+ "parent_item_group": "All Item Groups",
+ "show_in_website": 1
+ },
+ fields=["name", "parent_item_group", "is_group", "image", "route"],
+ as_dict=True
+ )
else:
doctype = frappe.unscrub(category)
fields = ["name"]
if frappe.get_meta(doctype, cached=True).get_field("image"):
fields += ["image"]
- categorical_data[category] = frappe.db.sql(
- f"""
- Select
- {",".join(fields)}
- from
- `tab{doctype}`
- """,
- as_dict=1)
+ categorical_data[category] = frappe.db.get_all(doctype, fields=fields, as_dict=True)
return categorical_data