RestrictedPython 7.2__tar.gz → 7.3__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (106) hide show
  1. {RestrictedPython-7.2 → RestrictedPython-7.3}/CHANGES.rst +11 -0
  2. {RestrictedPython-7.2 → RestrictedPython-7.3}/PKG-INFO +12 -1
  3. {RestrictedPython-7.2 → RestrictedPython-7.3}/setup.py +1 -1
  4. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/Guards.py +5 -0
  5. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/Utilities.py +5 -1
  6. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/PKG-INFO +12 -1
  7. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/builtins/test_utilities.py +11 -2
  8. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_Guards.py +34 -0
  9. {RestrictedPython-7.2 → RestrictedPython-7.3}/.readthedocs.yaml +0 -0
  10. {RestrictedPython-7.2 → RestrictedPython-7.3}/CONTRIBUTING.md +0 -0
  11. {RestrictedPython-7.2 → RestrictedPython-7.3}/COPYRIGHT.txt +0 -0
  12. {RestrictedPython-7.2 → RestrictedPython-7.3}/LICENSE.txt +0 -0
  13. {RestrictedPython-7.2 → RestrictedPython-7.3}/MANIFEST.in +0 -0
  14. {RestrictedPython-7.2 → RestrictedPython-7.3}/README.rst +0 -0
  15. {RestrictedPython-7.2 → RestrictedPython-7.3}/buildout.cfg +0 -0
  16. {RestrictedPython-7.2 → RestrictedPython-7.3}/constraints.txt +0 -0
  17. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/Makefile +0 -0
  18. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/changes.rst +0 -0
  19. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/conf.py +0 -0
  20. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_10.ast +0 -0
  21. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_11.ast +0 -0
  22. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_12.ast +0 -0
  23. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_6.ast +0 -0
  24. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_7.ast +0 -0
  25. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_8.ast +0 -0
  26. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/ast/python3_9.ast +0 -0
  27. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/changes_from310to311.rst +0 -0
  28. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/changes_from311to312.rst +0 -0
  29. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/changes_from36to37.rst +0 -0
  30. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/changes_from37to38.rst +0 -0
  31. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/changes_from38to39.rst +0 -0
  32. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/changes_from39to310.rst +0 -0
  33. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/contributing/index.rst +0 -0
  34. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/idea.rst +0 -0
  35. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/index.rst +0 -0
  36. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/install/index.rst +0 -0
  37. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/logo.jpg +0 -0
  38. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/make.bat +0 -0
  39. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/requirements.txt +0 -0
  40. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/roadmap/index.rst +0 -0
  41. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/upgrade_dependencies/index.rst +0 -0
  42. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/usage/api.rst +0 -0
  43. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/usage/basic_usage.rst +0 -0
  44. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/usage/framework_usage.rst +0 -0
  45. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/usage/index.rst +0 -0
  46. {RestrictedPython-7.2 → RestrictedPython-7.3}/docs/usage/policy.rst +0 -0
  47. {RestrictedPython-7.2 → RestrictedPython-7.3}/setup.cfg +0 -0
  48. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/Eval.py +0 -0
  49. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/Limits.py +0 -0
  50. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/PrintCollector.py +0 -0
  51. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/__init__.py +0 -0
  52. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/_compat.py +0 -0
  53. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/compile.py +0 -0
  54. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/transformer.py +0 -0
  55. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/SOURCES.txt +0 -0
  56. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/dependency_links.txt +0 -0
  57. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/not-zip-safe +0 -0
  58. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/requires.txt +0 -0
  59. {RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/top_level.txt +0 -0
  60. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/__init__.py +0 -0
  61. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/builtins/test_limits.py +0 -0
  62. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/helper.py +0 -0
  63. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_NamedExpr.py +0 -0
  64. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_Utilities.py +0 -0
  65. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_compile.py +0 -0
  66. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_compile_restricted_function.py +0 -0
  67. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_eval.py +0 -0
  68. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_imports.py +0 -0
  69. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_iterating_over_dict_items.py +0 -0
  70. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_print_function.py +0 -0
  71. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_arithmetic_operators.py +0 -0
  72. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_bit_wise_operators.py +0 -0
  73. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_bool_operators.py +0 -0
  74. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_comparison_operators.py +0 -0
  75. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_identity_operators.py +0 -0
  76. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_logical_operators.py +0 -0
  77. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/operators/test_unary_operators.py +0 -0
  78. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_assert.py +0 -0
  79. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_assign.py +0 -0
  80. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_async.py +0 -0
  81. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_attribute.py +0 -0
  82. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_augassign.py +0 -0
  83. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_base_types.py +0 -0
  84. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_breakpoint.py +0 -0
  85. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_call.py +0 -0
  86. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_classdef.py +0 -0
  87. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_comparators.py +0 -0
  88. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_conditional.py +0 -0
  89. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_dict_comprehension.py +0 -0
  90. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_eval_exec.py +0 -0
  91. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_fstring.py +0 -0
  92. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_functiondef.py +0 -0
  93. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_generic.py +0 -0
  94. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_global_local.py +0 -0
  95. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_import.py +0 -0
  96. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_inspect.py +0 -0
  97. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_iterator.py +0 -0
  98. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_lambda.py +0 -0
  99. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_loop.py +0 -0
  100. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_name.py +0 -0
  101. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_slice.py +0 -0
  102. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_subscript.py +0 -0
  103. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_try.py +0 -0
  104. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_with_stmt.py +0 -0
  105. {RestrictedPython-7.2 → RestrictedPython-7.3}/tests/transformer/test_yield.py +0 -0
  106. {RestrictedPython-7.2 → RestrictedPython-7.3}/tox.ini +0 -0
{RestrictedPython-7.2 → RestrictedPython-7.3}/CHANGES.rst RENAMED
@@ -1,6 +1,17 @@
1
1
  Changes
2
2
  =======
3
3
 
4
+ 7.3 (2024-09-30)
5
+ ----------------
6
+
7
+ - Increase the safety level of ``safer_getattr`` allowing applications to use
8
+ it as ``getattr`` implementation. Such use should now follow the same policy
9
+ and give the same level of protection as direct attribute access in an
10
+ environment based on ``RestrictedPython``'s ``safe_builtints``.
11
+ - Prevent information leakage via ``AttributeError.obj``
12
+ and the ``string`` module.
13
+
14
+
4
15
  7.2 (2024-08-02)
5
16
  ----------------
6
17
 
{RestrictedPython-7.2 → RestrictedPython-7.3}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: RestrictedPython
3
- Version: 7.2
3
+ Version: 7.3
4
4
  Summary: RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment.
5
5
  Home-page: https://github.com/zopefoundation/RestrictedPython
6
6
  Author: Zope Foundation and Contributors
@@ -124,6 +124,17 @@ the documentation `Contributing page
124
124
  Changes
125
125
  =======
126
126
 
127
+ 7.3 (2024-09-30)
128
+ ----------------
129
+
130
+ - Increase the safety level of ``safer_getattr`` allowing applications to use
131
+ it as ``getattr`` implementation. Such use should now follow the same policy
132
+ and give the same level of protection as direct attribute access in an
133
+ environment based on ``RestrictedPython``'s ``safe_builtints``.
134
+ - Prevent information leakage via ``AttributeError.obj``
135
+ and the ``string`` module.
136
+
137
+
127
138
  7.2 (2024-08-02)
128
139
  ----------------
129
140
 
{RestrictedPython-7.2 → RestrictedPython-7.3}/setup.py RENAMED
@@ -30,7 +30,7 @@ tests_require = [
30
30
  ]
31
31
 
32
32
  setup(name='RestrictedPython',
33
- version='7.2',
33
+ version='7.3',
34
34
  url='https://github.com/zopefoundation/RestrictedPython',
35
35
  license='ZPL 2.1',
36
36
  description=(
{RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/Guards.py RENAMED
@@ -18,6 +18,7 @@
18
18
  import builtins
19
19
 
20
20
  from RestrictedPython._compat import IS_PY311_OR_GREATER
21
+ from RestrictedPython.transformer import INSPECT_ATTRIBUTES
21
22
 
22
23
 
23
24
  safe_builtins = {}
@@ -253,6 +254,10 @@ def safer_getattr(object, name, default=None, getattr=getattr):
253
254
  (isinstance(object, type) and issubclass(object, str))):
254
255
  raise NotImplementedError(
255
256
  'Using the format*() methods of `str` is not safe')
257
+ if name in INSPECT_ATTRIBUTES:
258
+ raise AttributeError(
259
+ f'"{name}" is a restricted name,'
260
+ ' that is forbidden to access in RestrictedPython.')
256
261
  if name.startswith('_'):
257
262
  raise AttributeError(
258
263
  '"{name}" is an invalid attribute name because it '
{RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython/Utilities.py RENAMED
@@ -29,7 +29,11 @@ class _AttributeDelegator:
29
29
  if attr in self.__excludes:
30
30
  raise NotImplementedError(
31
31
  f"{self.__mod.__name__}.{attr} is not safe")
32
- return getattr(self.__mod, attr)
32
+ try:
33
+ return getattr(self.__mod, attr)
34
+ except AttributeError as e:
35
+ e.obj = self
36
+ raise
33
37
 
34
38
 
35
39
  utility_builtins['string'] = _AttributeDelegator(string, "Formatter")
{RestrictedPython-7.2 → RestrictedPython-7.3}/src/RestrictedPython.egg-info/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: RestrictedPython
3
- Version: 7.2
3
+ Version: 7.3
4
4
  Summary: RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment.
5
5
  Home-page: https://github.com/zopefoundation/RestrictedPython
6
6
  Author: Zope Foundation and Contributors
@@ -124,6 +124,17 @@ the documentation `Contributing page
124
124
  Changes
125
125
  =======
126
126
 
127
+ 7.3 (2024-09-30)
128
+ ----------------
129
+
130
+ - Increase the safety level of ``safer_getattr`` allowing applications to use
131
+ it as ``getattr`` implementation. Such use should now follow the same policy
132
+ and give the same level of protection as direct attribute access in an
133
+ environment based on ``RestrictedPython``'s ``safe_builtints``.
134
+ - Prevent information leakage via ``AttributeError.obj``
135
+ and the ``string`` module.
136
+
137
+
127
138
  7.2 (2024-08-02)
128
139
  ----------------
129
140
 
{RestrictedPython-7.2 → RestrictedPython-7.3}/tests/builtins/test_utilities.py RENAMED
@@ -7,8 +7,17 @@ def test_string_in_utility_builtins():
7
7
  from RestrictedPython.Utilities import utility_builtins
8
8
 
9
9
  # we no longer provide access to ``string`` itself, only to
10
- # a restricted view of it
11
- assert utility_builtins['string'].__name__ == string.__name__
10
+ # a restricted view of it (``rstring``)
11
+ rstring = utility_builtins['string']
12
+ assert rstring.__name__ == string.__name__
13
+
14
+ # ensure it does not provide access to ``string`` via
15
+ # ``AttributeError.obj``
16
+ try:
17
+ rstring.unexisting_attribute
18
+ except AttributeError as e:
19
+ assert e.obj is rstring
20
+
12
21
 
13
22
 
14
23
  def test_math_in_utility_builtins():
{RestrictedPython-7.2 → RestrictedPython-7.3}/tests/test_Guards.py RENAMED
@@ -295,6 +295,40 @@ def test_Guards__safer_getattr__4():
295
295
  assert 'type(name) must be str' == str(err.value)
296
296
 
297
297
 
298
+ SAFER_GETATTR_BREAKOUT2 = """\
299
+ g = None
300
+ leak = None
301
+ def test():
302
+ global g, leak
303
+ leak = getattr(getattr(getattr(g, "gi_frame"), "f_back"), "f_back")
304
+ yield leak
305
+ g = test()
306
+ g.send(None)
307
+ os = getattr(leak, "f_builtins").get('__import__')('os')
308
+ result = os.getgid()
309
+ """
310
+
311
+
312
+ def test_Guards__safer_getattr__5():
313
+ restricted_globals = dict(
314
+ __builtins__=safe_builtins,
315
+ __name__=None,
316
+ __metaclass__=type,
317
+ # _write_=_write_,
318
+ getattr=safer_getattr,
319
+ result=None,
320
+ )
321
+
322
+ # restricted_exec(SAFER_GETATTR_BREAKOUT2, restricted_globals)
323
+ # assert restricted_globals['result'] == 20
324
+ with pytest.raises(AttributeError) as err:
325
+ restricted_exec(SAFER_GETATTR_BREAKOUT2, restricted_globals)
326
+ assert (
327
+ '"gi_frame" is a restricted name, '
328
+ 'that is forbidden to access in RestrictedPython.'
329
+ ) == str(err.value)
330
+
331
+
298
332
  def test_call_py3_builtins():
299
333
  """It should not be allowed to access global builtins in Python3."""
300
334
  result = compile_restricted_exec('builtins["getattr"]')
{RestrictedPython-7.2 → RestrictedPython-7.3}/setup.cfg RENAMED
File without changes
{RestrictedPython-7.2 → RestrictedPython-7.3}/tox.ini RENAMED
File without changes