feat: add doctype caster security rule

rules/frappe_correctness.yml

@@ -140,6 +140,23 @@ rules:
   languages: [python]
   severity: ERROR
 
+- id: frappe-prefer-doctype-caster
+  patterns:
+  - pattern: |
+      def $MAKEFUNCTION(...):
+        ...
+  - metavariable-regex:
+      metavariable: $MAKEFUNCTION
+      regex: "^make_(.*)$"
+  message: |
+      This is an old pattern. Replace '$MAKEFUNCTION' with 'def _into_*(self, doc)' or 'def _from_*(self, doc)' instance conversion methods.
+      Check: https://github.com/frappe/frappe/pull/26991 for the implementation and https://github.com/frappe/erpnext/pull/42160/files for an example.
+  languages: [python]
+  severity: WARNING
+  paths:
+      include:
+        - "*/**/doctype/*"
+
 - id: frappe-print-function-in-doctypes
   pattern: print(...)
   message: |

rules/security.py

@@ -4,3 +4,4 @@ def function_name(input):
 
 # ok: frappe-codeinjection-eval
 eval("1 + 1")
+

rules/security.yml

@@ -8,3 +8,32 @@ rules:
     dynamic content. Avoid it or use safe_eval().
   languages: [python]
   severity: ERROR
+
+- id: require-permission-decorator-on-conversion-methods
+  patterns:
+  - pattern-inside: |
+      class $CLASS(...):
+        ...
+  - pattern: |
+       def $CONVERSION_METHOD(...):
+         ...
+  - pattern-not: |
+      @requires_permission(...)
+      def $CONVERSION_METHOD(...):
+        ...
+  - pattern-not: |
+      @frappe.requires_permission(...)
+      def $CONVERSION_METHOD(...):
+        ...
+  - metavariable-regex:
+      metavariable: '$CONVERSION_METHOD'
+      regex: '^_(from|into)_(.*)$'
+  message: |
+    '$CONVERSION_METHOD' in '$CLASS' crosses doctype boundaries.
+    Explicitly declare its extended security context with @frappe.requires_permission(<doctype>, <perm>).
+  languages: [python]
+  severity: ERROR
+  paths:
+      include:
+        - "*/**/doctype/*"
+

rules/some/doctype/frappe_correctness.py

@@ -0,0 +1,3 @@
+# ruleid: frappe-avoid-make-functions-prefer-doctype-caster
+def make_sales_invoice(...):
+    ...

rules/some/doctype/security.py

@@ -0,0 +1,25 @@
+from frappe.model import Document
+import frappe
+from frappe import requires_permission
+
+# ruleid: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	def _into_sales_invoice(self, so):
+		...
+
+# ok: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	@requires_permission("Sales Invoice", "create")
+	def _into_sales_invoice(self, so):
+		...
+
+# ruleid: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	def _from_sales_invoice(self, so):
+		...
+
+# ok: require-permission-decorator-on-conversion-methods
+class MyDocument(Document):
+	@frappe.requires_permission("Sales Invoice", "read")
+	def _from_sales_invoice(self, so):
+		...