def is_allowed_getattr(self, name): # TODO this API is ugly. try: attr, is_get_descriptor = getattr_static(self._obj, name) except AttributeError: return False, False else: if is_get_descriptor and type(attr) not in ALLOWED_DESCRIPTOR_ACCESS: # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. return True, True return True, False
def is_allowed_getattr(self, name): # TODO this API is ugly. try: attr, is_get_descriptor = getattr_static(self._obj, name) except AttributeError: return False, False else: if is_get_descriptor and type(attr) not in ALLOWED_DESCRIPTOR_ACCESS: # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. return True, True return True, False
def safe_getattr(obj, name, default=_sentinel): try: attr, is_get_descriptor = getattr_static(obj, name) except AttributeError: if default is _sentinel: raise return default else: if type(attr) in ALLOWED_DESCRIPTOR_ACCESS: # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. return getattr(obj, name) return attr
def safe_getattr(obj, name, default=_sentinel): try: attr, is_get_descriptor = getattr_static(obj, name) except AttributeError: if default is _sentinel: raise return default else: if type(attr) in ALLOWED_DESCRIPTOR_ACCESS: # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. return getattr(obj, name) return attr
def get(self, name): name = str(name) obj = self._compiled_object.obj try: attr, is_get_descriptor = getattr_static(obj, name) except AttributeError: return [] else: if is_get_descriptor \ and not type(attr) in ALLOWED_DESCRIPTOR_ACCESS: # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. return [EmptyCompiledName(self._evaluator, name)] if self._is_instance and name not in dir(obj): return [] return [self._create_name(name)]
def get(self, name): name = str(name) obj = self._compiled_object.obj try: attr, is_get_descriptor = getattr_static(obj, name) except AttributeError: return [] else: if is_get_descriptor \ and not type(attr) in ALLOWED_DESCRIPTOR_ACCESS: # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. return [EmptyCompiledName(self._evaluator, name)] if self._is_instance and name not in dir(obj): return [] return [self._create_name(name)]
def safe_getattr(obj, name, default=_sentinel): try: attr, is_get_descriptor = getattr_static(obj, name) except AttributeError: if default is _sentinel: raise return default else: if isinstance(attr, ALLOWED_DESCRIPTOR_ACCESS): # In case of descriptors that have get methods we cannot return # it's value, because that would mean code execution. # Since it's an isinstance call, code execution is still possible, # but this is not really a security feature, but much more of a # safety feature. Code execution is basically always possible when # a module is imported. This is here so people don't shoot # themselves in the foot. return getattr(obj, name) return attr