feat: add doctype caster security rule

frappe · Jul 4, 2024 · 8ca2855 · 8ca2855
1 parent 92e1241
commit 8ca2855
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/rules/security.py b/rules/security.py
@@ -1,6 +1,31 @@
+from frappe.model import Document
+from frappe import requires_permission
+
 def function_name(input):
 	# ruleid: frappe-codeinjection-eval
 	eval(input)
 
 # ok: frappe-codeinjection-eval
 eval("1 + 1")
+
+# ruleid: require-permission-decorator-on-conversion-methods-into
+class MyDocument(Document):
+	def _into_sales_invoice(self, so):
+		pass
+
+# ok: require-permission-decorator-on-conversion-methods-into
+class MyDocument(Document):
+    @requires_permission("Sales Invice", "create")
+	def _into_sales_invoice(self, so):
+		pass
+
+# ruleid: require-permission-decorator-on-conversion-methods-from
+class MyDocument(Document):
+	def _from_sales_invoice(self, so):
+		pass
+
+# ok: require-permission-decorator-on-conversion-methods-from
+class MyDocument(Document):
+    @requires_permission("Sales Invice", "read")
+	def _from_sales_invoice(self, so):
+		pass
diff --git a/rules/security.yml b/rules/security.yml
@@ -8,3 +8,49 @@ rules:
     dynamic content. Avoid it or use safe_eval().
   languages: [python]
   severity: ERROR
+
+- id: require-permission-decorator-on-conversion-methods-from
+  pattern-either:
+    - pattern: |
+        class $CLASS(...):
+          ...
+          def _from_$METHOD(...):
+            ...
+  pattern-not:
+    - pattern: |
+        @requires_permission(...)
+        def _from_$METHOD(...):
+          ...
+    - pattern: |
+        @frappe.requires_permission(...)
+        def _from_$METHOD(...):
+          ...
+  message: "Conversion method '_from_$METOD' of class '$CLASS' must have at least one @frappe.requires_permission(...) decorator"
+  languages: [python]
+  severity: ERROR
+  paths:
+      include:
+        - "*/**/doctype/*"
+
+- id: require-permission-decorator-on-conversion-methods-into
+  pattern-either:
+    - pattern: |
+        class $CLASS(...):
+          ...
+          def _into_$METHOD(...):
+            ...
+  pattern-not:
+    - pattern: |
+        @requires_permission(...)
+        def _into_$METHOD(...):
+          ...
+    - pattern: |
+        @frappe.requires_permission(...)
+        def _into_$METHOD(...):
+          ...
+  message: "Conversion method '_into_$METOD' of class '$CLASS' must have at least one @frappe.requires_permission(...) decorator"
+  languages: [python]
+  severity: ERROR
+  paths:
+      include:
+        - "*/**/doctype/*"