diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index a1014049780e..72f7596c683c 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -16,8 +16,6 @@ jobs:
 with:
 python-version: 3.8
- - name: Install and Run Pre-commit
- uses: pre-commit/action@v2.0.3
 - name: Download Semgrep rules
 run: git clone --depth 1 https://github.com/frappe/frappe-semgrep-rules.git ~/frappe-semgrep-rules
@@ -29,3 +27,6 @@ jobs:
 config: >-
 r/python.lang.correctness
 ~/frappe-semgrep-rules
+
+ - name: Install and Run Pre-commit
+ uses: pre-commit/action@v2.0.3
diff --git a/erpnext/frappe_correctness.py b/erpnext/frappe_correctness.py
new file mode 100644
index 000000000000..4373e88451c7
--- /dev/null
+++ b/erpnext/frappe_correctness.py
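Review bot: The re-added step still references a third-party action by a mutable tag, `uses: pre-commit/action@v2.0.3`, so the code executed in CI can change without any change to this repository; pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: pre-commit/action@<full-commit-sha>  # v2.0.3`. The same concern applies to the `git clone --depth 1 https://github.com/frappe/frappe-semgrep-rules.git` step visible as context in the first hunk, which fetches the default-branch head of an external repository on every run, so the rule set that gates this workflow is not reproducible; checking out a fixed ref would make it so. The enclosing job definition starts outside both hunks.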
@@ -0,0 +1,63 @@
+import frappe
+from frappe import _
+from frappe.model.document import Document
+
+
+# ruleid: frappe-modifying-but-not-comitting
+def on_submit(self):
+ if self.value_of_goods == 0:
+ frappe.throw(_('Value of goods cannot be 0'))
+ self.status = 'Submitted'
+
+
+# ok: frappe-modifying-but-not-comitting
+def on_submit(self):
+ if self.value_of_goods == 0:
+ frappe.throw(_('Value of goods cannot be 0'))
+ self.status = 'Submitted'
+ self.db_set('status', 'Submitted')
+
+# ok: frappe-modifying-but-not-comitting
+def on_submit(self):
+ if self.value_of_goods == 0:
+ frappe.throw(_('Value of goods cannot be 0'))
+ x = "y"
+ self.status = x
+ self.db_set('status', x)
+
+
+# ok: frappe-modifying-but-not-comitting
+def on_submit(self):
+ x = "y"
+ self.status = x
+ self.save()
+
+# ruleid: frappe-modifying-but-not-comitting-other-method
+class DoctypeClass(Document):
+ def on_submit(self):
+ self.good_method()
+ self.tainted_method()
+
+ def tainted_method(self):
+ self.status = "uptate"
+
+
+# ok: frappe-modifying-but-not-comitting-other-method
+class DoctypeClass(Document):
+ def on_submit(self):
+ self.good_method()
+ self.tainted_method()
+
+ def tainted_method(self):
+ self.status = "update"
+ self.db_set("status", "update")
+
+# ok: frappe-modifying-but-not-comitting-other-method
+class DoctypeClass(Document):
+ def on_submit(self):
+ self.good_method()
+ self.tainted_method()
+ self.save()
+
+ def tainted_method(self):
+ self.status = "uptate"
diff --git a/erpnext/report.py b/erpnext/report.py
new file mode 100644
index 000000000000..e3a265e407bf
--- /dev/null
+++ b/erpnext/report.py
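Review bot: The new file carries no header saying that it is a Semgrep rule test fixture (the `# ruleid:` / `# ok:` annotations) rather than application code, yet it is created inside the `erpnext` package and redefines `on_submit` and `DoctypeClass` several times at module level; a two-line header in the style of translate.py's `# This file is used for testing the tests.` would tell a maintainer what the file is for and why the redefinitions are intentional. The same header is missing from report.py, security.py and ux.py in this commit. If the fixtures must live in the package, it is worth confirming that nothing imports `erpnext.frappe_correctness`, `erpnext.report`, `erpnext.security` or `erpnext.ux` by name, since a fixtures directory excluded from packaging would avoid the question entirely. `self.status = "uptate"` in the first and third `DoctypeClass` looks like a typo for `"update"`; it does not affect the rule but is confusing next to the second class.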
@@ -0,0 +1,14 @@
+from frappe import _
+
+# ruleid: frappe-missing-translate-function-in-report-python
+{"label": "Field Label"}
+
+# ruleid: frappe-missing-translate-function-in-report-python
+dict(label="Field Label")
+
+
+# ok: frappe-missing-translate-function-in-report-python
+{"label": _("Field Label")}
+
+# ok: frappe-missing-translate-function-in-report-python
+dict(label=_("Field Label"))
diff --git a/erpnext/security.py b/erpnext/security.py
new file mode 100644
index 000000000000..f477d7c17680
--- /dev/null
+++ b/erpnext/security.py
@@ -0,0 +1,6 @@
+def function_name(input):
+ # ruleid: frappe-codeinjection-eval
+ eval(input)
+
+# ok: frappe-codeinjection-eval
+eval("1 + 1")
diff --git a/erpnext/translate.py b/erpnext/translate.py
new file mode 100644
index 000000000000..9de6aa94f011
--- /dev/null
+++ b/erpnext/translate.py
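Review bot: `function_name` in the security.py hunk passes its argument straight to `eval(input)`, and because the file is created as the module `erpnext/security.py` it is importable as part of the shipped package; a sample that exists only to be flagged by `frappe-codeinjection-eval` should not be reachable from production code. Keeping the fixture outside the importable package tree is the clean fix; at minimum, add a header comment such as `# Semgrep rule test fixture: intentionally contains eval(); never import or call.` so the function is not copied or wired up by mistake. The parameter name `input` also shadows the builtin, which the fixture does not need.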
@@ -0,0 +1,61 @@
+# Examples taken from https://frappeframework.com/docs/user/en/translations
+# This file is used for testing the tests.
+
+from frappe import _
+
+full_name = "Jon Doe"
+# ok: frappe-translation-python-formatting
+_('Welcome {0}, get started with ERPNext in just a few clicks.').format(full_name)
+
+# ruleid: frappe-translation-python-formatting
+_('Welcome %s, get started with ERPNext in just a few clicks.' % full_name)
+# ruleid: frappe-translation-python-formatting
+_('Welcome %(name)s, get started with ERPNext in just a few clicks.' % {'name': full_name})
+
+# ruleid: frappe-translation-python-formatting
+_('Welcome {0}, get started with ERPNext in just a few clicks.'.format(full_name))
+
+
+subscribers = ["Jon", "Doe"]
+# ok: frappe-translation-python-formatting
+_('You have {0} subscribers in your mailing list.').format(len(subscribers))
+
+# ruleid: frappe-translation-python-splitting
+_('You have') + len(subscribers) + _('subscribers in your mailing list.')
+
+# ruleid: frappe-translation-python-splitting
+_('You have {0} subscribers \
+ in your mailing list').format(len(subscribers))
+
+# ok: frappe-translation-python-splitting
+_('You have {0} subscribers') \
+ + 'in your mailing list'
+
+# ruleid: frappe-translation-trailing-spaces
+msg = _(" You have {0} pending invoice ")
+# ruleid: frappe-translation-trailing-spaces
+msg = _("You have {0} pending invoice ")
+# ruleid: frappe-translation-trailing-spaces
+msg = _(" You have {0} pending invoice")
+
+# ok: frappe-translation-trailing-spaces
+msg = ' ' + _("You have {0} pending invoices") + ' '
+
+# ruleid: frappe-translation-python-formatting
+_(f"can not format like this - {subscribers}")
+# ruleid: frappe-translation-python-splitting
+_(f"what" + f"this is also not cool")
+
+
+# ruleid: frappe-translation-empty-string
+_("")
+# ruleid: frappe-translation-empty-string
+_('')
+
+
+class Test:
+ # ok: frappe-translation-python-splitting
+ def __init__(
+ args
+ ):
+ pass
diff --git a/erpnext/ux.py b/erpnext/ux.py
new file mode 100644
index 000000000000..fa97c1e9f08e
--- /dev/null
+++ b/erpnext/ux.py
@@ -0,0 +1,30 @@
+import frappe
+from frappe import _, msgprint, throw
+
+# ruleid: frappe-missing-translate-function-python
+throw("Error Occured")
+
+# ruleid: frappe-missing-translate-function-python
+frappe.throw("Error Occured")
+
+# ruleid: frappe-missing-translate-function-python
+frappe.msgprint("Useful message")
+
+# ruleid: frappe-missing-translate-function-python
+msgprint("Useful message")
+
+
+# ok: frappe-missing-translate-function-python
+translatedmessage = _("Hello")
+
+# ok: frappe-missing-translate-function-python
+throw(translatedmessage)
+
+# ok: frappe-missing-translate-function-python
+msgprint(translatedmessage)
+
+# ok: frappe-missing-translate-function-python
+msgprint(_("Helpful message"))
+
+# ok: frappe-missing-translate-function-python
+frappe.throw(_("Error occured"))