add MutableSequence.{clear,pop} to modifies_known_mutable check

pallets · Dec 19, 2024 · e421793 · e421793
1 parent 1dc04bc
commit e421793
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -26,6 +26,8 @@ Unreleased
     objects. :issue:`2025`
 -   Fix `copy`/`pickle` support for the internal ``missing`` object.
     :issue:`2027`
+-   Sandbox does not allow ``clear`` and ``pop`` on known mutable sequence
+    types. :issue:`2032`
 
 
 Version 3.1.4

diff --git a/src/jinja2/sandbox.py b/src/jinja2/sandbox.py
@@ -60,7 +60,9 @@
     ),
     (
         abc.MutableSequence,
-        frozenset(["append", "reverse", "insert", "sort", "extend", "remove"]),
+        frozenset(
+            ["append", "clear", "pop", "reverse", "insert", "sort", "extend", "remove"]
+        ),
     ),
     (
         deque,

diff --git a/tests/test_security.py b/tests/test_security.py
@@ -58,6 +58,8 @@ def test_unsafe(self, env):
     def test_immutable_environment(self, env):
         env = ImmutableSandboxedEnvironment()
         pytest.raises(SecurityError, env.from_string("{{ [].append(23) }}").render)
+        pytest.raises(SecurityError, env.from_string("{{ [].clear() }}").render)
+        pytest.raises(SecurityError, env.from_string("{{ [1].pop() }}").render)
         pytest.raises(SecurityError, env.from_string("{{ {1:2}.clear() }}").render)
 
     def test_restricted(self, env):