Hi Frappe Community,
During a recent penetration testing exercise, we reviewed the frappe.desk.reportview.get_list function. While the read_only flag mitigates risks by ensuring that the function only performs database read operations, the penetration tester has recommended further enhancements:
- Implementing strict input validation
- Using parameterized queries for database interactions
Currently, the function is maintained as an ordinary whitelisted method, which works effectively, but these additional measures could further reduce risks of error-based SQL injection.
Suggestions for Improvement:
- Input Validation: Add or enhance mechanisms to sanitize and validate user inputs passed to the function.
- Parameterized Queries: Review the database query logic to ensure all dynamic parameters are passed in a parameterized format, leveraging Frappe’s ORM where applicable.
These changes are essential to address modern security expectations while maintaining compatibility with the current framework.
Next Steps:
We’d like to discuss the feasibility of these recommendations and propose creating a ticket for the core team to evaluate and implement them if deemed necessary.
Has anyone faced similar concerns or implemented these recommendations in their customizations? Your insights or suggestions would be greatly appreciated!
Best regards,
Nakul P Kumar
Faircode Infotech Pvt. Ltd.
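To make the two recommendations in the post concrete, here is an added example that is not code from the original post or from the Frappe project. It contrasts a deliberately vulnerable list-query builder (identifiers and values interpolated straight into SQL, the pattern behind the error-based injection mentioned above) with a hardened one that allow-lists the doctype, field names and operators and binds filter values as parameters. The table `tabToDo`, the `SCHEMA` allow-list and the sample rows are constructed for the demo; it runs on SQLite's `?` placeholders so it works without a bench, whereas `frappe.db.sql` takes `%s` placeholders with a `values` argument (and `frappe.qb` generates the query for you).

```python
import sqlite3

# Constructed stand-in for DocType metadata: the allow-list of queryable columns.
# A real implementation would derive this from the DocType definition.
SCHEMA = {
    "tabToDo": {"name", "description", "status", "owner"},
}
ALLOWED_OPERATORS = {"=", "!=", "<", ">", "<=", ">=", "like"}


class InvalidInput(ValueError):
    """Raised when a caller-supplied doctype, field or operator is not allow-listed."""


def setup_db():
    """Build an in-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `tabToDo` (name TEXT, description TEXT, status TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO `tabToDo` VALUES (?, ?, ?, ?)",
        [
            ("TODO-0001", "Rotate API keys", "Open", "alice@example.com"),
            ("TODO-0002", "Review pull request", "Closed", "alice@example.com"),
            ("TODO-0003", "Private note", "Open", "bob@example.com"),
        ],
    )
    return conn


def unsafe_get_list(conn, doctype, fields, filters):
    """Deliberately vulnerable: every caller-controlled piece is interpolated into SQL.

    A quote in a filter value either breaks the statement (error-based leak) or
    rewrites the WHERE clause; a crafted field name runs arbitrary expressions.
    """
    sql = f"SELECT {', '.join(fields)} FROM `{doctype}`"
    if filters:
        sql += " WHERE " + " AND ".join(f"{f} {op} '{v}'" for f, op, v in filters)
    return conn.execute(sql).fetchall()


def _check_field(doctype, field):
    """Identifiers cannot be bound as parameters, so they are validated against the allow-list."""
    if field not in SCHEMA[doctype]:
        raise InvalidInput(f"unknown field {field!r} for {doctype}")
    return f"`{field}`"


def safe_get_list(conn, doctype, fields, filters):
    """Hardened: doctype, fields and operators allow-listed; values bound as parameters."""
    if doctype not in SCHEMA:
        raise InvalidInput(f"unknown doctype {doctype!r}")
    if not fields:
        raise InvalidInput("at least one field is required")
    columns = [_check_field(doctype, f) for f in fields]
    clauses, params = [], []
    for field, op, value in filters:
        if op not in ALLOWED_OPERATORS:
            raise InvalidInput(f"operator {op!r} not allowed")
        clauses.append(f"{_check_field(doctype, field)} {op} ?")
        params.append(value)  # bound by the driver, never spliced into the SQL text
    sql = f"SELECT {', '.join(columns)} FROM `{doctype}`"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    legit = [("owner", "=", "alice@example.com")]
    payload = [("owner", "=", "alice@example.com' OR '1'='1")]
    print(unsafe_get_list(conn, "tabToDo", ["name"], legit))    # alice's two rows
    print(unsafe_get_list(conn, "tabToDo", ["name"], payload))  # all three rows: filter bypassed
    print(safe_get_list(conn, "tabToDo", ["name"], payload))    # []: payload treated as a literal
```

Two points worth noting when applying this to a real get_list-style endpoint: parameter binding protects values only, so field names, table names, operators and ORDER BY columns still need an allow-list check (here `_check_field` and `ALLOWED_OPERATORS`); and a benign value such as `O'Brien` crashes the unsafe builder with a database error while the hardened one simply returns no rows, which is exactly the error-based behaviour the pentester flagged.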