Spaces:

guydav
/

restrictedpython_code_eval

Sleeping

App Files Files Community

guydav commited on Jul 4, 2023

Commit

9c016e9

1 Parent(s): ae3aa83

Fixing a bug

Browse files

Files changed (1) hide show

restrictedpython_code_eval.py +48 -0

restrictedpython_code_eval.py CHANGED Viewed

@@ -155,6 +155,54 @@ class AllowAugmentedAssignAndUnderscoreVariableNamesRestrictingTransformer(Allow
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
     def check_name(self, node, name, allow_magic_methods=False):
         if name is None:
             return

     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
+    def visit_Attribute(self, node):
+        """Checks and mutates attribute access/assignment.
+        'a.b' becomes '_getattr_(a, "b")'
+        'a.b = c' becomes '_write_(a).b = c'
+        'del a.b' becomes 'del _write_(a).b'
+        The _write_ function should return a security proxy.
+        """
+        # Overriding here to allow select underscore names
+        if node.attr.startswith('_') and node.attr != '_' and node.attr not in ALLOWED_UNDERSCORE_NAMES:
+            self.error(
+                node,
+                '"{name}" is an invalid attribute name because it starts '
+                'with "_".'.format(name=node.attr))
+        if node.attr.endswith('__roles__'):
+            self.error(
+                node,
+                '"{name}" is an invalid attribute name because it ends '
+                'with "__roles__".'.format(name=node.attr))
+        if isinstance(node.ctx, ast.Load):
+            node = self.node_contents_visit(node)
+            new_node = ast.Call(
+                func=ast.Name('_getattr_', ast.Load()),
+                args=[node.value, ast.Str(node.attr)],
+                keywords=[])
+            copy_locations(new_node, node)
+            return new_node
+        elif isinstance(node.ctx, (ast.Store, ast.Del)):
+            node = self.node_contents_visit(node)
+            new_value = ast.Call(
+                func=ast.Name('_write_', ast.Load()),
+                args=[node.value],
+                keywords=[])
+            copy_locations(new_value, node.value)
+            node.value = new_value
+            return node
+        else:  # pragma: no cover
+            # Impossible Case only ctx Load, Store and Del are defined in ast.
+            raise NotImplementedError(
+                f"Unknown ctx type: {type(node.ctx)}")
     def check_name(self, node, name, allow_magic_methods=False):
         if name is None:
             return