Tardo / OdooTerminal

Webextension tool for Odoo
GNU Affero General Public License v3.0
119 stars 27 forks

OdooTerminal is not letting me hack! 😋 #33

Closed yajo closed 3 years ago

yajo commented 3 years ago

If I issue this command:

search -m res.partner -o "insert into res_partner(name) values('pwned'); -- " --domain []

This is the payload that is sent over the wire:

{
    "id": 879518458,
    "jsonrpc": "2.0",
    "method": "call",
    "params": {
        "args": [],
        "kwargs": {
            "context": {
                "active_test": false,
                "allowed_company_ids": [
                    1
                ],
                "lang": "en_US",
                "tz": "Europe/Brussels",
                "uid": 2
            },
            "domain": [],
            "fields": [
                "display_name"
            ],
            "order": "insert DESC"
        },
        "method": "search_read",
        "model": "res.partner"
    }
}

You see that "order": "insert DESC"? OdooTerminal hacked my hacking!

It seems to come from this call: https://github.com/Tardo/OdooTerminal/blob/afa4863e9f11d70950a826e4bd8a95c2798877ff/odoo/js/functions/common.js#L1138

It should be removed IMHO, and sent raw, to allow more hacking.

TT31444

Tardo commented 3 years ago

I agree, the extension should not mask these types of conversions. It will be more "tedious" to use, but it will be 100% unadulterated.

In this specific case, the Odoo framework expects to receive an array of objects, not a string. But I'm going to try to use some more "low-level" way to bypass these kinds of framework "restrictions".
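The conversion both comments describe, as an added example that is not OdooTerminal's or Odoo's own code: a model of how the extension's `-o` handling turns the injected order string into `insert DESC` before the JSON-RPC call, a raw pass-through of the kind Tardo proposes, and a server-side whitelist check modelled on the `regex_order` pattern Odoo's ORM applies to `order` clauses. The whitespace-splitting parser is an assumption chosen to reproduce the observed output, and the regex is an approximation rather than a copy of any particular Odoo release.

```javascript
// Added example (not OdooTerminal's or Odoo's own code). It models the two
// layers the issue touches: the extension normalising the `-o` argument into
// the {name, asc} objects the Odoo web client expects, and the kind of
// whitelist regex Odoo's ORM applies to an `order` clause server-side.
// Assumptions: parseOrderBy is a guess that reproduces the observed
// "insert DESC"; ORDER_RE is modelled on Odoo's `regex_order` and is not
// guaranteed to be byte-identical to any release.

// Parse a CLI order string ("name asc, id desc") into orderBy objects.
// Only the first whitespace-separated token of each comma-separated part is
// kept as a field name and the second is read purely as a direction, which is
// why SQL smuggled in here collapses to a single word.
function parseOrderBy(orderStr) {
  return orderStr
    .split(',')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const [name, direction] = part.split(/\s+/);
      return { name, asc: (direction || 'asc').toLowerCase() === 'asc' };
    });
}

// Serialise orderBy objects the way the Odoo web client does before the
// JSON-RPC call, producing "name ASC, id DESC".
function serializeSort(orderBy) {
  return orderBy
    .map((o) => o.name + (o.asc !== false ? ' ASC' : ' DESC'))
    .join(', ');
}

// Build the kwargs of a search_read call. With raw=true the order string is
// passed through untouched, which is what the issue asks for.
function buildSearchReadKwargs(domain, fields, order, raw = false) {
  return {
    domain,
    fields,
    order: raw ? order : serializeSort(parseOrderBy(order)),
  };
}

// Server-side style check: only identifiers with an optional asc/desc,
// comma separated and not ending in a comma, are accepted as an order clause.
const ORDER_RE = /^(\s*([a-z0-9:_]+|"[a-z0-9:_]+")(\s+(desc|asc))?\s*(,|$))+$/i;
function isValidOrderClause(order) {
  return ORDER_RE.test(order) && !order.trimEnd().endsWith(',');
}

// Constructed input: the exact string from the issue's `-o` argument.
const injected = "insert into res_partner(name) values('pwned'); -- ";

// Normalised path: the payload carries "insert DESC" and passes the syntax check.
const normalised = buildSearchReadKwargs([], ['display_name'], injected);
// Raw path: the string reaches the server verbatim and fails the check.
const rawKwargs = buildSearchReadKwargs([], ['display_name'], injected, true);

console.log(JSON.stringify(normalised));
console.log('normalised order valid:', isValidOrderClause(normalised.order));
console.log('raw order valid:', isValidOrderClause(rawKwargs.order));
```

Run it with `node`. The first layer is only an artefact of the client's data model, so removing it changes what the server receives; whether the clause then runs is decided by the ORM's own validation of the `order` string, which the regex here approximates.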