From 094d78dfd2d8c6a110ee8c28576e4b007e0165f8 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Mon, 1 Sep 2025 16:01:40 +0530
Subject: [PATCH 1/2] fix(user_profile): validate fields received by the API

Only allow certain strings

Signed-off-by: Akhil Narang
---
 eps/eps/doctype/energy_point_log/energy_point_log.py | 2 +-
 eps/eps/page/user_profile/user_profile.py | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/eps/eps/doctype/energy_point_log/energy_point_log.py b/eps/eps/doctype/energy_point_log/energy_point_log.py
index 4693fb0..6ba6012 100644
--- a/eps/eps/doctype/energy_point_log/energy_point_log.py
+++ b/eps/eps/doctype/energy_point_log/energy_point_log.py
@@ -394,4 +394,4 @@ def get_footer_message(timespan):
 def delete_energy_point_logs_for_user(user, event):
-	frappe.db.delete("Energy Point Log", {"user": user.name})
+	frappe.db.delete("Energy Point Log", {"user": user.name})
diff --git a/eps/eps/page/user_profile/user_profile.py b/eps/eps/page/user_profile/user_profile.py
index 3013df5..e6869fd 100644
--- a/eps/eps/page/user_profile/user_profile.py
+++ b/eps/eps/page/user_profile/user_profile.py
@@ -7,7 +7,7 @@
 @frappe.whitelist()
-def get_energy_points_heatmap_data(user, date):
+def get_energy_points_heatmap_data(user: str, date: str | None):
 	try:
 		date = getdate(date)
 	except Exception:
@@ -29,7 +29,10 @@ def get_energy_points_heatmap_data(user, date):
 @frappe.whitelist()
-def get_energy_points_percentage_chart_data(user, field):
+def get_energy_points_percentage_chart_data(user: str, field: str):
+	if field not in ("type", "reference_doctype", "rule"):
+		frappe.throw("Invalid field for grouping")
+
 	result = frappe.get_all(
 		"Energy Point Log",
 		filters={"user": user, "type": ["!=", "Review"]},
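Review bot: The new `date: str | None` annotation here, and the `user: str` / `start: int, limit: int` annotations in the later hunks of this patch (`get_user_rank`, `get_energy_points_list`), are on `@frappe.whitelist()` functions, and newer Frappe releases check whitelisted arguments against their annotations at request time, so these hints change what the endpoints accept rather than only documenting them. Form-encoded requests deliver every argument as a string, and whether `start`/`limit` are coerced to `int` or rejected depends on the framework version installed — please confirm against the Frappe version in use and the JS callers of these endpoints. If the module does not begin with `from __future__ import annotations`, `str | None` is also evaluated at import time and requires Python 3.10 or later. The body of `get_energy_points_heatmap_data` continues outside the hunk.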
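Review bot: The allowlist in `get_energy_points_percentage_chart_data` is an inline tuple literal with nothing saying why exactly these three names are accepted; hoist it to a module constant such as `ALLOWED_GROUP_BY_FIELDS = ("type", "reference_doctype", "rule")` with a comment noting that `field` is caller-controlled and is used as a column name, so only known columns may reach the query, and test `field not in ALLOWED_GROUP_BY_FIELDS`. The function body continues past the hunk, so the point where `field` is handed to `fields`/`group_by` is not visible here — presumably that is the path this check closes. A short docstring on the endpoint stating that `field` must be one of the listed columns and that anything else raises a `ValidationError` (the `frappe.throw` default) would make the contract visible to the client code.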
@@ -46,7 +49,7 @@ def get_energy_points_percentage_chart_data(user, field):
 @frappe.whitelist()
-def get_user_rank(user):
+def get_user_rank(user: str):
 	month_start = datetime.today().replace(day=1)
 	monthly_rank = frappe.get_all(
 		"Energy Point Log",
@@ -88,7 +91,7 @@ def update_profile_info(profile_info):
 @frappe.whitelist()
-def get_energy_points_list(start, limit, user):
+def get_energy_points_list(start: int, limit: int, user: str):
 	return frappe.db.get_list(
 		"Energy Point Log",
 		filters={"user": user, "type": ["!=", "Review"]},

From 169403b4aa61666af5907a5499db9e4b7dec6cea Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 3 Sep 2025 15:18:31 +0530
Subject: [PATCH 2/2] fix(semgrep): translate string

Signed-off-by: Akhil Narang
---
 eps/eps/page/user_profile/user_profile.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eps/eps/page/user_profile/user_profile.py b/eps/eps/page/user_profile/user_profile.py
index e6869fd..3cf96bb 100644
--- a/eps/eps/page/user_profile/user_profile.py
+++ b/eps/eps/page/user_profile/user_profile.py
@@ -31,7 +31,7 @@ def get_energy_points_heatmap_data(user: str, date: str | None):
 @frappe.whitelist()
 def get_energy_points_percentage_chart_data(user: str, field: str):
 	if field not in ("type", "reference_doctype", "rule"):
-		frappe.throw("Invalid field for grouping")
+		frappe.throw(frappe._("Invalid field for grouping"))
 	result = frappe.get_all(
 		"Energy Point Log",
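Review bot: `limit` in `get_energy_points_list` is accepted from the caller with no upper bound, so one request can pull the whole Energy Point Log table for a user; clamp it before the query, e.g. `limit = min(int(limit), MAX_PAGE_SIZE)` with `MAX_PAGE_SIZE` a module constant of your choosing (placeholder name), and reject a negative `start` the same way if the framework does not already do so. The `frappe.db.get_list` call continues outside the hunk, so I cannot see how `start`/`limit` are passed through; the clamp belongs on the line before it. A one-line docstring naming `start` as the page offset and `limit` as the page size, and stating the maximum, would document the new contract the annotations imply.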