From e4217934dbf53d385682f41f29bf45b19e6d7c0d Mon Sep 17 00:00:00 2001
From: Dylan Scott
Date: Fri, 4 Oct 2024 13:17:07 -0700
Subject: [PATCH] add MutableSequence.{clear,pop} to modifies_known_mutable check

---
 CHANGES.rst | 2 ++
 src/jinja2/sandbox.py | 4 +++-
 tests/test_security.py | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 1a1a526b5..f48eb0399 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -26,6 +26,8 @@ Unreleased
 objects. :issue:`2025`
 - Fix `copy`/`pickle` support for the internal ``missing`` object.
 :issue:`2027`
+- Sandbox does not allow ``clear`` and ``pop`` on known mutable sequence
+ types. :issue:`2032`
 
 
 Version 3.1.4
diff --git a/src/jinja2/sandbox.py b/src/jinja2/sandbox.py
index ce276156c..8200195db 100644
--- a/src/jinja2/sandbox.py
+++ b/src/jinja2/sandbox.py
@@ -60,7 +60,9 @@
 ),
 (
 abc.MutableSequence,
- frozenset(["append", "reverse", "insert", "sort", "extend", "remove"]),
+ frozenset(
+ ["append", "clear", "pop", "reverse", "insert", "sort", "extend", "remove"]
+ ),
 ),
 (
 deque,
diff --git a/tests/test_security.py b/tests/test_security.py
index 0e8dc5c03..9c7c4427a 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -58,6 +58,8 @@ def test_unsafe(self, env):
 def test_immutable_environment(self, env):
 env = ImmutableSandboxedEnvironment()
 pytest.raises(SecurityError, env.from_string("{{ [].append(23) }}").render)
+ pytest.raises(SecurityError, env.from_string("{{ [].clear() }}").render)
+ pytest.raises(SecurityError, env.from_string("{{ [1].pop() }}").render)
 pytest.raises(SecurityError, env.from_string("{{ {1:2}.clear() }}").render)
 
 def test_restricted(self, env):
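Review bot: The widened frozenset on the `+` lines of the sandbox.py hunk is still a hand-maintained denylist with nothing in the hunk recording what it is meant to cover, which is how `clear` and `pop` went unlisted in the first place; a comment above the entry, `# every public mutator of collections.abc.MutableSequence plus list.sort; review when the ABC or list gains a method`, would make the next gap reviewable instead of rediscovered as a sandbox escape. With the two additions the set now matches the public mutating methods `collections.abc.MutableSequence` provides (append, clear, extend, insert, pop, remove, reverse) plus `sort`; dunder mutators such as `__setitem__` and `__iadd__` are presumably rejected by the sandbox's underscore-attribute rule, but that is not visible here. The enclosing spec tuple starts before the hunk and the `deque` entry's own method set lies past its end, so it is worth confirming that entry already lists `clear`, `pop` and `popleft` as well.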
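Review bot: The two added `pytest.raises` lines in the test_security.py hunk exercise the fix only through template rendering in `ImmutableSandboxedEnvironment`, so a regression in the name list would surface as a generic missing SecurityError rather than pointing at `modifies_known_mutable`; a direct `assert modifies_known_mutable([], "clear")` and `assert modifies_known_mutable([1], "pop")` (importing the helper from jinja2.sandbox if the test module does not already) would pin the helper itself. `[1].pop()` is presumably used rather than `[].pop()` so that the call would succeed if the sandbox let it through, leaving a missing SecurityError as the only failure mode; a short comment, `# non-empty so an unblocked pop renders instead of raising IndexError`, would save the next reader the question. The class enclosing test_immutable_environment starts outside the hunk.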