Merge pull request frappe#13392 from frappe/v12-pre-release

surajshetty3416 · web-flow · commit efe89f2fce07 · 2021-06-01T11:15:19.000+05:30
diff --git a/frappe/__init__.py b/frappe/__init__.py
@@ -23,7 +23,7 @@
 	reload(sys)
 	sys.setdefaultencoding("utf-8")
 
-__version__ = '12.18.0'
+__version__ = '12.18.1'
 __title__ = "Frappe Framework"
 
 local = Local()
@@ -1559,6 +1559,23 @@ def safe_eval(code, eval_globals=None, eval_locals=None):
 		"round": round
 	}
 
+	UNSAFE_ATTRIBUTES = {
+		# Generator Attributes
+		"gi_frame", "gi_code",
+		# Coroutine Attributes
+		"cr_frame", "cr_code", "cr_origin",
+		# Async Generator Attributes
+		"ag_code", "ag_frame",
+		# Traceback Attributes
+		"tb_frame", "tb_next",
+		# Format Attributes
+		"format", "format_map",
+	}
+
+	for attribute in UNSAFE_ATTRIBUTES:
+		if attribute in code:
+			throw('Illegal rule {0}. Cannot use "{1}"'.format(bold(code), attribute))
+
 	if '__' in code:
 		throw('Illegal rule {0}. Cannot use "__"'.format(bold(code)))
 
diff --git a/frappe/utils/safe_exec.py b/frappe/utils/safe_exec.py
@@ -44,7 +44,9 @@ def get_safe_globals():
 
 	out = frappe._dict(
 		# make available limited methods of frappe
-		json = json,
+		json = frappe._dict(
+			loads = json.loads,
+			dumps = json.dumps),
 		dict = dict,
 		frappe =  frappe._dict(
 			flags = frappe._dict(),
@@ -119,6 +121,7 @@ def get_safe_globals():
 	# default writer allows write access
 	out._write_ = _write
 	out._getitem_ = _getitem
+	out._getattr_ = _getattr
 
 	# allow iterators and list comprehension
 	out._getiter_ = iter
@@ -134,6 +137,27 @@ def _getitem(obj, key):
 		raise SyntaxError('Key starts with _')
 	return obj[key]
 
+def _getattr(object, name, default=None):
+	# guard function for RestrictedPython
+	# allow any key to be accessed as long as
+	# 1. it does not start with an underscore (safer_getattr)
+	# 2. it is not an UNSAFE_ATTRIBUTES
+
+	UNSAFE_ATTRIBUTES = {
+		# Generator Attributes
+		"gi_frame", "gi_code",
+		# Coroutine Attributes
+		"cr_frame", "cr_code", "cr_origin",
+		# Async Generator Attributes
+		"ag_code", "ag_frame",
+		# Traceback Attributes
+		"tb_frame", "tb_next",
+	}
+
+	if isinstance(name, str) and (name in UNSAFE_ATTRIBUTES):
+		raise SyntaxError("{name} is an unsafe attribute".format(name=name))
+	return RestrictedPython.Guards.safer_getattr(object, name, default=default)
+
 def _write(obj):
 	# guard function for RestrictedPython
 	# allow writing to any object
@@ -255,4 +279,4 @@ def add_module_properties(module, data, filter_method):
 "md_to_html",
 "is_subset",
 "generate_hash"
-)
+)
