
Add rollback after executing query as a double security with blacklist terms

pull/535/head
Florian da Costa 9 years ago
committed by oliverstore-ro
parent
commit
d18e8a6c2a
  1. 9
      sql_export/sql_export.py
  2. 3
      sql_export/tests/__init__.py

9
sql_export/sql_export.py

@ -25,6 +25,7 @@ import datetime
import re import re
from openerp import models, fields, api, _, exceptions from openerp import models, fields, api, _, exceptions
from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT
import uuid
class SqlExport(models.Model): class SqlExport(models.Model):
@ -98,10 +99,15 @@ class SqlExport(models.Model):
output = StringIO.StringIO() output = StringIO.StringIO()
query = "COPY (" + obj.query + ") TO STDOUT WITH " + \ query = "COPY (" + obj.query + ") TO STDOUT WITH " + \
obj.copy_options obj.copy_options
name = 'export_query_%s' % uuid.uuid1().hex
self.env.cr.execute("SAVEPOINT %s" % name)
try:
self.env.cr.copy_expert(query, output) self.env.cr.copy_expert(query, output)
output.getvalue() output.getvalue()
new_output = base64.b64encode(output.getvalue()) new_output = base64.b64encode(output.getvalue())
output.close() output.close()
finally:
self.env.cr.execute("ROLLBACK TO SAVEPOINT %s" % name)
wiz = self.env['sql.file.wizard'].create( wiz = self.env['sql.file.wizard'].create(
{ {
'binary_file': new_output, 'binary_file': new_output,
@ -126,9 +132,10 @@ class SqlExport(models.Model):
try: try:
self.env.cr.execute(vals['query']) self.env.cr.execute(vals['query'])
except: except:
self.env.cr.rollback()
raise exceptions.Warning( raise exceptions.Warning(
_("The Sql query is not valid.")) _("The Sql query is not valid."))
finally:
self.env.cr.rollback()
return vals return vals
@api.multi @api.multi
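Review bot: In the last hunk the new `finally: self.env.cr.rollback()` rolls back the whole transaction, and it now runs on the success path too, so any uncommitted work done earlier in the same request is discarded along with the test query; the enclosing method starts outside the hunk, so its callers are not visible here. The export hunk above already scopes the undo with a savepoint, and the same pattern fits here: `self.env.cr.execute("SAVEPOINT %s" % name)` before the `try` and `self.env.cr.execute("ROLLBACK TO SAVEPOINT %s" % name)` in the `finally`. The bare `except:` also turns every error, including non-SQL ones, into "The Sql query is not valid."; catching the database error type and logging the original message would keep failures diagnosable. Either rollback only undoes writes: it does not restrict what the query may read, and effects outside the transaction are not reverted, so the term blacklist remains the actual control.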

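--- a/sql_export/tests/__init__.py
+++ b/sql_export/tests/__init__.py
@@ -1,5 +1,2 @@
 # -*- coding: utf-8 -*-
 from . import test_sql_query
-checks = [
-test_sql_query
-]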