Fix SQL injection lint in 18.0.1.0.0 pre-migrate.py

OCA · Oct 21, 2024 · c0b4648 · c0b4648
1 parent 3693704
commit c0b4648
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/queue_job/migrations/18.0.1.0.0/pre-migrate.py b/queue_job/migrations/18.0.1.0.0/pre-migrate.py
@@ -1,5 +1,7 @@
 from openupgradelib import openupgrade
 
+from odoo.tools import SQL
+
 
 def migrate(cr, version):
     if not version:
@@ -14,8 +16,14 @@ def migrate(cr, version):
     for table, columns in table_column_map.items():
         for column in columns:
             if openupgrade.column_exists(cr, table, column):
-                cr.execute(f"""
-                    UPDATE {table}
-                    SET {column} = {column}::jsonb
-                    WHERE {column} IS NOT NULL
-                """)
+                cr.execute(
+                    SQL(
+                        """
+                    UPDATE %(table)s
+                    SET %(column)s = %(column)s::jsonb
+                    WHERE %(column)s IS NOT NULL
+                """,
+                        table=SQL.identifier(table),
+                        column=SQL.identifier(column),
+                    )
+                )