fix: replace raw SQL with qb in get_against_jv to prevent SQL injection

(cherry picked from commit c133f7156d)

# Conflicts:
#	erpnext/accounts/doctype/journal_entry/journal_entry.py
This commit is contained in:
khushi8112
2026-04-13 12:36:51 +05:30
committed by Mergify
parent eb80a3704a
commit 8f86a2879c


@@ -1537,35 +1537,46 @@ def get_payment_entry(ref_doc, args):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
<<<<<<< HEAD
def get_against_jv(doctype, txt, searchfield, start, page_len, filters): def get_against_jv(doctype, txt, searchfield, start, page_len, filters):
=======
def get_against_jv(
doctype: str,
txt: str,
searchfield: str,
start: int,
page_len: int,
filters: dict,
):
>>>>>>> c133f7156d (fix: replace raw SQL with qb in get_against_jv to prevent SQL injection)
if not frappe.db.has_column("Journal Entry", searchfield): if not frappe.db.has_column("Journal Entry", searchfield):
return [] return []
return frappe.db.sql( JournalEntry = frappe.qb.DocType("Journal Entry")
f""" JournalEntryAccount = frappe.qb.DocType("Journal Entry Account")
SELECT jv.name, jv.posting_date, jv.user_remark
FROM `tabJournal Entry` jv, `tabJournal Entry Account` jv_detail query = (
WHERE jv_detail.parent = jv.name frappe.qb.from_(JournalEntry)
AND jv_detail.account = %(account)s .join(JournalEntryAccount)
AND IFNULL(jv_detail.party, '') = %(party)s .on(JournalEntryAccount.parent == JournalEntry.name)
AND ( .select(JournalEntry.name, JournalEntry.posting_date, JournalEntry.user_remark)
jv_detail.reference_type IS NULL .where(JournalEntryAccount.account == filters.get("account"))
OR jv_detail.reference_type = '' .where(JournalEntryAccount.reference_type.isnull() | (JournalEntryAccount.reference_type == ""))
) .where(JournalEntry.docstatus == 1)
AND jv.docstatus = 1 .where(JournalEntry[searchfield].like(f"%{txt}%"))
AND jv.`{searchfield}` LIKE %(txt)s .orderby(JournalEntry.name, order=frappe.qb.desc)
ORDER BY jv.name DESC .limit(page_len)
LIMIT %(limit)s offset %(offset)s .offset(start)
""",
dict(
account=filters.get("account"),
party=cstr(filters.get("party")),
txt=f"%{txt}%",
offset=start,
limit=page_len,
),
) )
party = filters.get("party")
if party:
query = query.where(JournalEntryAccount.party == party)
else:
query = query.where(JournalEntryAccount.party.isnull() | (JournalEntryAccount.party == ""))
return query.run()
@frappe.whitelist() @frappe.whitelist()
def get_outstanding(args): def get_outstanding(args):
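Review bot: The new side of this hunk still appears to carry the unresolved cherry-pick conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> c133f7156d` around the `get_against_jv` signature, which matches the `# Conflicts:` trailer in the commit message; if those lines really are in the committed journal_entry.py, the module will fail to parse and nothing that imports it will load. The resolution is to keep a single signature — the annotated `def get_against_jv(doctype: str, txt: str, searchfield: str, start: int, page_len: int, filters: dict):` from the cherry-picked commit is the better choice — and delete the three marker lines together with the duplicate HEAD signature line. Separately, the rewrite drops `cstr(...)` around the party value, so `.where(JournalEntryAccount.party == party)` now binds the raw value; that is equivalent for string input but changes the comparison if a caller ever passes a non-string, and if `cstr` has no other use left in the file its import becomes dead, which I cannot confirm from this hunk. The `f"%{txt}%"` pattern and the `has_column`-checked `searchfield` are passed through the query builder rather than interpolated into SQL text, so the injection fix itself looks sound.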