pyoxidizer: validate attribute name before calling set_attr_add_collection_context()

indygreg · indygreg · commit 6f9f6b35a29b · 2022-05-30T19:19:51.000-07:00
This prevents a runtime panic due to bad argument validation. Closes #561.
diff --git a/pyoxidizer/docs/pyoxidizer_history.rst b/pyoxidizer/docs/pyoxidizer_history.rst
@@ -50,6 +50,9 @@ Bug Fixes
 * PyO3 Rust crates upgraded from 0.16.4 to 0.16.5. The upgrade fixes compatibility
   issues with Python 3.10 that could lead to runtime crashes or incorrect behavior
   in many configurations.
+* Fixed a runtime panic when incorrect attribute assignments were attempted on the
+  ``PythonExtensionModule``, ``PythonPackageDistributionResource``, and
+  ``PythonPackageResource`` Starlark types. (#561)
 
 New Features
 ^^^^^^^^^^^^
diff --git a/pyoxidizer/src/starlark/python_extension_module.rs b/pyoxidizer/src/starlark/python_extension_module.rs
@@ -133,6 +133,14 @@ impl TypedValue for PythonExtensionModuleValue {
     }
 
     fn set_attr(&mut self, attribute: &str, value: Value) -> Result<(), ValueError> {
-        self.set_attr_add_collection_context(attribute, value)
+        if self.add_collection_context_attrs().contains(&attribute) {
+            self.set_attr_add_collection_context(attribute, value)
+        } else {
+            Err(ValueError::OperationNotSupported {
+                op: UnsupportedOperation::SetAttr(attribute.to_string()),
+                left: Self::TYPE.to_owned(),
+                right: None,
+            })
+        }
     }
 }
diff --git a/pyoxidizer/src/starlark/python_package_distribution_resource.rs b/pyoxidizer/src/starlark/python_package_distribution_resource.rs
@@ -149,6 +149,14 @@ impl TypedValue for PythonPackageDistributionResourceValue {
     }
 
     fn set_attr(&mut self, attribute: &str, value: Value) -> Result<(), ValueError> {
-        self.set_attr_add_collection_context(attribute, value)
+        if self.add_collection_context_attrs().contains(&attribute) {
+            self.set_attr_add_collection_context(attribute, value)
+        } else {
+            Err(ValueError::OperationNotSupported {
+                op: UnsupportedOperation::SetAttr(attribute.to_string()),
+                left: Self::TYPE.to_owned(),
+                right: None,
+            })
+        }
     }
 }
diff --git a/pyoxidizer/src/starlark/python_package_resource.rs b/pyoxidizer/src/starlark/python_package_resource.rs
@@ -145,6 +145,14 @@ impl TypedValue for PythonPackageResourceValue {
     }
 
     fn set_attr(&mut self, attribute: &str, value: Value) -> Result<(), ValueError> {
-        self.set_attr_add_collection_context(attribute, value)
+        if self.add_collection_context_attrs().contains(&attribute) {
+            self.set_attr_add_collection_context(attribute, value)
+        } else {
+            Err(ValueError::OperationNotSupported {
+                op: UnsupportedOperation::SetAttr(attribute.to_string()),
+                left: Self::TYPE.to_owned(),
+                right: None,
+            })
+        }
     }
 }
diff --git a/pyoxidizer/src/starlark/python_resource.rs b/pyoxidizer/src/starlark/python_resource.rs
@@ -160,6 +160,8 @@ pub trait ResourceCollectionContext {
         })
     }
 
+    // The caller should validate that the attribute is an add collection attribute
+    // before calling. Otherwise a panic can occur.
     fn set_attr_add_collection_context(
         &mut self,
         attribute: &str,

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,14 @@ impl TypedValue for PythonExtensionModuleValue {`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`fn set_attr(&mut self, attribute: &str, value: Value) -> Result<(), ValueError> {`
`136`		`- self.set_attr_add_collection_context(attribute, value)`
	`136`	`+ if self.add_collection_context_attrs().contains(&attribute) {`
	`137`	`+ self.set_attr_add_collection_context(attribute, value)`
	`138`	`+ } else {`
	`139`	`+ Err(ValueError::OperationNotSupported {`
	`140`	`+ op: UnsupportedOperation::SetAttr(attribute.to_string()),`
	`141`	`+ left: Self::TYPE.to_owned(),`
	`142`	`+ right: None,`
	`143`	`+ })`
	`144`	`+ }`
`137`	`145`	`}`
`138`	`146`	`}`
Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,14 @@ impl TypedValue for PythonPackageDistributionResourceValue {`
`149`	`149`	`}`
`150`	`150`
`151`	`151`	`fn set_attr(&mut self, attribute: &str, value: Value) -> Result<(), ValueError> {`
`152`		`- self.set_attr_add_collection_context(attribute, value)`
	`152`	`+ if self.add_collection_context_attrs().contains(&attribute) {`
	`153`	`+ self.set_attr_add_collection_context(attribute, value)`
	`154`	`+ } else {`
	`155`	`+ Err(ValueError::OperationNotSupported {`
	`156`	`+ op: UnsupportedOperation::SetAttr(attribute.to_string()),`
	`157`	`+ left: Self::TYPE.to_owned(),`
	`158`	`+ right: None,`
	`159`	`+ })`
	`160`	`+ }`
`153`	`161`	`}`
`154`	`162`	`}`
Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,14 @@ impl TypedValue for PythonPackageResourceValue {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`fn set_attr(&mut self, attribute: &str, value: Value) -> Result<(), ValueError> {`
`148`		`- self.set_attr_add_collection_context(attribute, value)`
	`148`	`+ if self.add_collection_context_attrs().contains(&attribute) {`
	`149`	`+ self.set_attr_add_collection_context(attribute, value)`
	`150`	`+ } else {`
	`151`	`+ Err(ValueError::OperationNotSupported {`
	`152`	`+ op: UnsupportedOperation::SetAttr(attribute.to_string()),`
	`153`	`+ left: Self::TYPE.to_owned(),`
	`154`	`+ right: None,`
	`155`	`+ })`
	`156`	`+ }`
`149`	`157`	`}`
`150`	`158`	`}`
Original file line number	Diff line number	Diff line change
`@@ -160,6 +160,8 @@ pub trait ResourceCollectionContext {`
`160`	`160`	`})`
`161`	`161`	`}`
`162`	`162`
	`163`	`+ // The caller should validate that the attribute is an add collection attribute`
	`164`	`+ // before calling. Otherwise a panic can occur.`
`163`	`165`	`fn set_attr_add_collection_context(`
`164`	`166`	`&mut self,`
`165`	`167`	`attribute: &str,`