If you have something like the example above, you will get a linter error warning about the danger of SQLi. However, should this be treated as an actual security issue? It is true that methods can introduce a larger security concern than attributes, which are already ignored (https://github.com/OCA/pylint-odoo/pull/122), but in a case like this you will always be forced to completely ignore the linter for that block, which is not a pretty solution.
I don't know if, as this is the standard Odoo behavior and is somewhat controlled, cases like this could also be ignored from the linter. WDYT @moylop260 @nilshamerlinck @Yajo?
The
sql-injection
check is currently detecting some false positives.For example, if you are building an Odoo report, you will end up with something like:
where a SQL query is constructed both from private attributes and private methods.
This is the standard behavior implemented by Odoo in many reports: https://github.com/odoo/odoo/blob/13.0/addons/project/report/project_report.py#L93
If you have something like the example above, you will get a linter error warning about the danger of SQLi. However, should this be treated as an actual security issue? It is true that methods can introduce a larger security concern than attributes, which are already ignored (https://github.com/OCA/pylint-odoo/pull/122), but in a case like this you will always be forced to completely ignore the linter for that block, which is not a pretty solution.
I don't know if, as this is the standard Odoo behavior and is somewhat controlled, cases like this could also be ignored from the linter. WDYT @moylop260 @nilshamerlinck @Yajo?