feat: add doctype caster security rule

rules/security.py

@@ -4,3 +4,4 @@ def function_name(input):
 
 # ok: frappe-codeinjection-eval
 eval("1 + 1")
+

rules/security.yml

@@ -8,3 +8,34 @@ rules:
     dynamic content. Avoid it or use safe_eval().
   languages: [python]
   severity: ERROR
+
+- id: require-permission-decorator-on-conversion-methods
+  patterns:
+  - pattern-inside: |
+      class $CLASS(...):
+        ...
+  - pattern: |
+       def $CONVERSION_METHOD(...):
+         ...
+  - pattern-not: |
+      @requires_permission(...)
+      def $CONVERSION_METHOD(...):
+        ...
+  - pattern-not: |
+      @frappe.requires_permission(...)
+      def $CONVERSION_METHOD(...):
+        ...
+  - metavariable-regex:
+      metavariable: '$CONVERSION_METHOD'
+      regex: '^_(from|into)_(.*)$'
+
+  message: |
+    Conversion method '$CONVERSION_METHOD' of class '$CLASS' spans the security boundary between two doctypes.
+    It therefore must declare its security context exiplictly and upfront.
+    Do this by setting at least one explicit @frappe.requires_permission(<doctype>, <perm>) decorator on '$CONVERSION_METHOD'.
+  languages: [python]
+  severity: ERROR
+  paths:
+      include:
+        - "*/**/doctype/*"
+

rules/some/doctype/security.py

@@ -0,0 +1,25 @@
+from frappe.model import Document
+import frappe
+from frappe import requires_permission
+
+# ruleid: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	def _into_sales_invoice(self, so):
+		...
+
+# ok: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	@requires_permission("Sales Invoice", "create")
+	def _into_sales_invoice(self, so):
+		...
+
+# ruleid: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	def _from_sales_invoice(self, so):
+		...
+
+# ok: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	@frappe.requires_permission("Sales Invoice", "read")
+	def _from_sales_invoice(self, so):
+		...