From b43a037777fe7c5aff785ff33d5f33ab931becad Mon Sep 17 00:00:00 2001
From: Hyrin-mansoor
Date: Sat, 13 Jun 2026 20:16:20 +0300
Subject: [PATCH 1/4] Fixed SQL Security issues
---
 changai/changai/api/v2/schema_utils.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/changai/changai/api/v2/schema_utils.py b/changai/changai/api/v2/schema_utils.py
index 3756a91..cb88b18 100644
--- a/changai/changai/api/v2/schema_utils.py
+++ b/changai/changai/api/v2/schema_utils.py
@@ -193,12 +193,12 @@ def is_doctype_schema_changed(doc,last_sync):
 custom_field_modified = frappe.db.get_value(
 "Custom Field",
 {"dt": doc},
- "max(modified)"
+ {"max": "modified"}
 )
 property_setter_modified = frappe.db.get_value(
 "Property Setter",
 {"doc_type": doc},
- "max(modified)"
+ {"max": "modified"}
 )
 latest = max(
 [
@@ -220,7 +220,7 @@ def is_master_data_changed(last_sync):
 latest_modified = frappe.db.get_value(
 doc,
 {},
- "max(modified)"
+ {"max": "modified"}
 )
 return bool(getdate(latest_modified) > getdate(last_sync)) if latest_modified and last_sync else False
 return False
From 89098248e39a7adfe73252c867f863d006a6ce63 Mon Sep 17 00:00:00 2001
From: Hyrin-mansoor
Date: Sat, 13 Jun 2026 20:23:25 +0300
Subject: [PATCH 2/4] Fixed SQL Security issues on V16
---
 changai/changai/api/v2/schema_utils.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/changai/changai/api/v2/schema_utils.py b/changai/changai/api/v2/schema_utils.py
index cb88b18..bf44ee2 100644
--- a/changai/changai/api/v2/schema_utils.py
+++ b/changai/changai/api/v2/schema_utils.py
@@ -193,12 +193,12 @@ def is_doctype_schema_changed(doc,last_sync):
 custom_field_modified = frappe.db.get_value(
 "Custom Field",
 {"dt": doc},
- {"max": "modified"}
+ {"MAX": "modified"}
 )
 property_setter_modified = frappe.db.get_value(
 "Property Setter",
 {"doc_type": doc},
- {"max": "modified"}
+ {"MAX": "modified"}
 )
 latest = max(
 [
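Review bot: The only thing these three `get_value` calls change is a constant aggregate expression, `"max(modified)"` to `{"max": "modified"}`, so no caller-controlled data is taken out of the SQL text here. `doc` is passed as a filter value before and after, and in the second hunk as the DocType argument. The subject says "Fixed SQL Security issues" without naming the issue, and patches 2/4 and 3/4 rewrite the same argument again. A sentence in the commit message stating which Frappe check or version the dict form is meant to satisfy would let a reader tell which variant is the intended one. The same applies to the second hunk of this patch and to both hunks of patch 2/4; both functions start and end outside the hunks.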
@@ -220,7 +220,7 @@ def is_master_data_changed(last_sync):
 latest_modified = frappe.db.get_value(
 doc,
 {},
- {"max": "modified"}
+ {"MAX": "modified"}
 )
 return bool(getdate(latest_modified) > getdate(last_sync)) if latest_modified and last_sync else False
 return False
From 48b122b9061a7aa8d441537978a44e291e2d128a Mon Sep 17 00:00:00 2001
From: Hyrin-mansoor
Date: Sat, 13 Jun 2026 20:46:22 +0300
Subject: [PATCH 3/4] Fixed SQL Security issues on V16
---
 changai/changai/api/v2/schema_utils.py | 67 ++++++++++++--------------
 1 file changed, 32 insertions(+), 35 deletions(-)
diff --git a/changai/changai/api/v2/schema_utils.py b/changai/changai/api/v2/schema_utils.py
index bf44ee2..4dd5d23 100644
--- a/changai/changai/api/v2/schema_utils.py
+++ b/changai/changai/api/v2/schema_utils.py
@@ -184,45 +184,42 @@ def validate_sql_schema(sql: str, dialect: str = "mysql") -> dict:
 ]
-def is_doctype_schema_changed(doc,last_sync):
- doctype_modified = frappe.db.get_value(
- "DocType",
- doc,
- "modified"
- )
- custom_field_modified = frappe.db.get_value(
- "Custom Field",
- {"dt": doc},
- {"MAX": "modified"}
- )
- property_setter_modified = frappe.db.get_value(
- "Property Setter",
- {"doc_type": doc},
- {"MAX": "modified"}
- )
- latest = max(
- [
- d for d in [
- doctype_modified,
- custom_field_modified,
- property_setter_modified
- ] if d
- ],
- default=None
- )
- if latest and last_sync and bool(getdate(latest) > getdate(last_sync)):
- return True
- return False
+def is_doctype_schema_changed(doc, last_sync):
+ from frappe.utils import get_datetime
+
+ doctype_modified = frappe.db.get_value("DocType", doc, "modified")
+
+ custom_field_modified = frappe.db.sql(
+ "SELECT MAX(modified) FROM `tabCustom Field` WHERE dt = %s",
+ doc
+ )[0][0]
+
+ property_setter_modified = frappe.db.sql(
+ "SELECT MAX(modified) FROM `tabProperty Setter` WHERE doc_type = %s",
+ doc
+ )[0][0]
+
+ candidates = [
+ get_datetime(d) for d in [
+ doctype_modified,
+ custom_field_modified,
+ property_setter_modified
+ ] if d
+ ]
+
+ latest = max(candidates, default=None)
+ return bool(latest and last_sync and latest > get_datetime(last_sync))
 def is_master_data_changed(last_sync):
+ from frappe.utils import get_datetime
+
 for doc in MASTER_DOCTYPES:
- latest_modified = frappe.db.get_value(
- doc,
- {},
- {"MAX": "modified"}
- )
- return bool(getdate(latest_modified) > getdate(last_sync)) if latest_modified and last_sync else False
+ latest_modified = frappe.db.sql(
+ f"SELECT MAX(modified) FROM `tab{doc}`"
+ )[0][0]
+ if latest_modified and last_sync and get_datetime(latest_modified) > get_datetime(last_sync):
+ return True
 return False
From bd1711df2d69cea4d22c7ac8a5759f644d85431a Mon Sep 17 00:00:00 2001
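Review bot: In `is_master_data_changed` the new query is assembled with an f-string, ``f"SELECT MAX(modified) FROM `tab{doc}`"``, so the table name is spliced into the SQL text. That is safe only while every entry of `MASTER_DOCTYPES` is a fixed, trusted DocType name, and its definition is outside this hunk. A table identifier cannot be bound with `%s` the way `doc` is in `is_doctype_schema_changed`, so the query builder is the better fit: `tbl = frappe.qb.DocType(doc)` followed by `latest_modified = frappe.qb.from_(tbl).select(Max(tbl.modified)).run()[0][0]`, with `from frappe.query_builder.functions import Max`. If the raw statement stays, a comment such as `# doc comes from the MASTER_DOCTYPES constant, never from request data` would record the assumption the f-string relies on.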
From: Hyrin-mansoor
Date: Sat, 13 Jun 2026 21:28:54 +0300
Subject: [PATCH 4/4] Fixed dependencies upper limites
---
 pyproject.toml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 63b4126..d309e71 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,18 +1,18 @@
 [project]
 name = "changai"
 authors = [
- { name = "ERpGulf", email = "support@erpgulf.com"}
+ { name = "ERPGulf", email = "support@erpgulf.com"}
 ]
 description = "ChangAI"
 readme = "README.md"
 dynamic = ["version"]
 dependencies = [
 "cffi",
- "openai>=1.64.0,<2.0.0",
- "anthropic>=0.79.0,<1.0.0",
- "google-genai<2.0.0",
+ "openai",
+ "anthropic",
+ "google-genai",
 "google-auth",
- "google-cloud-aiplatform<2.0.0",
+ "google-cloud-aiplatform",
 "langchain-core",
 "langchain-community",
 "langchain-huggingface",
@@ -20,7 +20,7 @@ dependencies = [
 "symspellpy",
 "transformers",
 "sentence-transformers",
- "faiss-cpu<2.0.0",
+ "faiss-cpu",
 "numpy",
 "sqlglot",
 "boto3",
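Review bot: The first hunk drops the lower bounds as well as the upper ones: `"openai>=1.64.0,<2.0.0"` becomes `"openai"` and `"anthropic>=0.79.0,<1.0.0"` becomes `"anthropic"`, although the subject mentions only upper limits. With no specifier at all, an install resolves to whatever release is current, including a future major version, and builds are not reproducible unless a lock or constraints file exists elsewhere (none is visible in this patch). Keeping the floors, `"openai>=1.64.0",` and `"anthropic>=0.79.0",`, would preserve the minimum versions the code was presumably written against. `google-genai`, `google-cloud-aiplatform` and, in the second hunk, `faiss-cpu` had only a cap, so for those the open question is whether a pinned lock file backs the now-unbounded entries.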