fix: (Linter) Write queries using QB/ORM and other minor lines for semgrep to skip

2026-05-26 08:24:47 +00:00 · 2022-02-02 12:58:31 +05:30
parent 780e29b42e
commit 4b62d2d7fe
13 changed files with 89 additions and 84 deletions
--- a/erpnext/e_commerce/doctype/e_commerce_settings/test_e_commerce_settings.py
+++ b/erpnext/e_commerce/doctype/e_commerce_settings/test_e_commerce_settings.py
@@ -41,7 +41,7 @@ class TestECommerceSettings(unittest.TestCase):

 	def test_tax_rule_validation(self):
 		frappe.db.sql("update `tabTax Rule` set use_for_shopping_cart = 0")
-		frappe.db.commit()
+		frappe.db.commit() # nosemgrep

 		cart_settings = self.get_cart_settings()
 		cart_settings.enabled = 1
--- a/erpnext/e_commerce/doctype/website_item/website_item.py
+++ b/erpnext/e_commerce/doctype/website_item/website_item.py
@@ -57,16 +57,19 @@ class WebsiteItem(WebsiteGenerator):
 		self.publish_unpublish_desk_item(publish=True)

 		if not self.get("__islocal"):
-			self.old_website_item_groups = frappe.db.sql_list("""
-				select
-					item_group
-				from
-					`tabWebsite Item Group`
-				where
-					parentfield='website_item_groups'
-					and parenttype='Website Item'
-					and parent=%s
-				""", self.name)
+			wig = frappe.qb.DocType("Website Item Group")
+			query = (
+				frappe.qb.from_(wig)
+				.select(wig.item_group)
+				.where(
+					(wig.parentfield == "website_item_groups")
+					& (wig.parenttype == "Website Item")
+					& (wig.parent == self.name)
+				)
+			)
+			result = query.run(as_list=True)
+
+			self.old_website_item_groups = [x[0] for x in result]

 	def on_update(self):
 		invalidate_cache_for_web_item(self)
@@ -330,18 +333,22 @@ class WebsiteItem(WebsiteGenerator):
 		return tab_values

 	def get_recommended_items(self, settings):
-		items = frappe.db.sql(f"""
-			select
-				ri.website_item_thumbnail, ri.website_item_name,
-				ri.route, ri.item_code
-			from
-				`tabRecommended Items` ri, `tabWebsite Item` wi
-			where
-				ri.item_code = wi.item_code
-				and ri.parent = '{self.name}'
-				and wi.published = 1
-			order by ri.idx
-		""", as_dict=1)
+		ri = frappe.qb.DocType("Recommended Items")
+		wi = frappe.qb.DocType("Website Item")
+
+		query = (
+			frappe.qb.from_(ri)
+			.join(wi).on(ri.item_code == wi.item_code)
+			.select(
+				ri.item_code, ri.route,
+				ri.website_item_name,
+				ri.website_item_thumbnail
+			).where(
+				(ri.parent == self.name)
+				& (wi.published == 1)
+			).orderby(ri.idx)
+		)
+		items = query.run(as_dict=True)

 		if settings.show_price:
 			is_guest = frappe.session.user == "Guest"
--- a/erpnext/e_commerce/doctype/wishlist/wishlist.py
+++ b/erpnext/e_commerce/doctype/wishlist/wishlist.py
@@ -57,7 +57,7 @@ def remove_from_wishlist(item_code):
 				"parent": frappe.session.user
 			}
 		)
-		frappe.db.commit()
+		frappe.db.commit() # nosemgrep

 		wishlist_items = frappe.db.get_values(
 			"Wishlist Item",
--- a/erpnext/e_commerce/product_data_engine/filters.py
+++ b/erpnext/e_commerce/product_data_engine/filters.py
@@ -99,18 +99,14 @@ class ProductFiltersBuilder:
 		if not attributes:
 			return []

-		result = frappe.db.sql(
-			"""
-			select
-				distinct attribute, attribute_value
-			from
-				`tabItem Variant Attribute`
-			where
-				attribute in %(attributes)s
-				and attribute_value is not null
-		""",
-			{"attributes": attributes},
-			as_dict=1,
+		result = frappe.get_all(
+			"Item Variant Attribute",
+			filters={
+				"attribute": ["in", attributes],
+				"attribute_value": ["is", "set"]
+			},
+			fields=["attribute", "attribute_value"],
+			distinct=True
 		)

 		attribute_value_map = {}
--- a/erpnext/e_commerce/shopping_cart/cart.py
+++ b/erpnext/e_commerce/shopping_cart/cart.py
@@ -585,10 +585,20 @@ def get_shipping_rules(quotation=None, cart_settings=None):
 	if quotation.shipping_address_name:
 		country = frappe.db.get_value("Address", quotation.shipping_address_name, "country")
 		if country:
-			shipping_rules = frappe.db.sql_list("""select distinct sr.name
-				from `tabShipping Rule Country` src, `tabShipping Rule` sr
-				where src.country = %s and
-				sr.disabled != 1 and sr.name = src.parent""", country)
+			sr_country = frappe.qb.DocType("Shipping Rule Country")
+			sr = frappe.qb.DocType("Shipping Rule")
+			query = (
+				frappe.qb.from_(sr_country)
+				.join(sr).on(sr.name == sr_country.parent)
+				.select(sr.name)
+				.distinct()
+				.where(
+					(sr_country.country == country)
+					& (sr.disabled != 1)
+				)
+			)
+			result = query.run(as_list=True)
+			shipping_rules = [x[0] for x in result]

 	return shipping_rules

--- a/erpnext/e_commerce/variant_selector/utils.py
+++ b/erpnext/e_commerce/variant_selector/utils.py
@@ -60,7 +60,7 @@ def get_item_codes_by_attributes(attribute_filters, template_item_code=None):
 				NULL
 		'''.format(attribute_query=attribute_query, variant_of_query=variant_of_query)

-		item_codes = set([r[0] for r in frappe.db.sql(query, query_values)])
+		item_codes = set([r[0] for r in frappe.db.sql(query, query_values)]) # nosemgrep
 		items.append(item_codes)

 	res = list(set.intersection(*items))