zopefoundation / RestrictedPython / 18631406064

##############################################################################

#

# Copyright (c) 2002 Zope Foundation and Contributors.

#

# This software is subject to the provisions of the Zope Public License,

# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.

# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED

# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS

# FOR A PARTICULAR PURPOSE

#

##############################################################################

"""

transformer module:

uses Python standard library ast module and its containing classes to transform

the parsed python code to create a modified AST for a byte code generation.

"""

# For AugAssign the operator must be converted to a string.

    ast.Add: '+=',

    ast.Sub: '-=',

    ast.Mult: '*=',

    ast.Div: '/=',

    ast.Mod: '%=',

    ast.Pow: '**=',

    ast.LShift: '<<=',

    ast.RShift: '>>=',

    ast.BitOr: '|=',

    ast.BitXor: '^=',

    ast.BitAnd: '&=',

    ast.FloorDiv: '//=',

    ast.MatMult: '@=',

}

# For creation allowed magic method names. See also

# https://docs.python.org/3/reference/datamodel.html#special-method-names

    '__init__',

    '__contains__',

    '__lt__',

    '__le__',

    '__eq__',

    '__ne__',

    '__gt__',

    '__ge__',

])

    'print',

    'printed',

    'builtins',

    'breakpoint',

])

# Attributes documented in the `inspect` module, but defined on the listed

# objects. See also https://docs.python.org/3/library/inspect.html

    # on traceback objects:

    "tb_frame",

    # "tb_lasti",  # int

    # "tb_lineno",  # int

    "tb_next",

    # on frame objects:

    "f_back",

    "f_builtins",

    "f_code",

    "f_generator",

    "f_globals",

    # "f_lasti",  # int

    # "f_lineno",  # int

    "f_locals",

    "f_trace",

    # on code objects:

    # "co_argcount",  # int

    "co_code",

    # "co_cellvars",  # tuple of str

    # "co_consts",   # tuple of str

    # "co_filename",  # str

    # "co_firstlineno",  # int

    # "co_flags",  # int

    # "co_lnotab",  # mapping between ints and indices

    # "co_freevars",  # tuple of strings

    # "co_posonlyargcount",  # int

    # "co_kwonlyargcount",  # int

    # "co_name",  # str

    # "co_qualname",  # str

    # "co_names",  # str

    # "co_nlocals",  # int

    # "co_stacksize",  # int

    # "co_varnames",  # tuple of str

    # on generator objects:

    "gi_frame",

    # "gi_running",  # bool

    # "gi_suspended",  # bool

    "gi_code",

    "gi_yieldfrom",

    # on coroutine objects:

    "cr_await",

    "cr_frame",

    # "cr_running",  # bool

    "cr_code",

    "cr_origin",

])

# When new ast nodes are generated they have no 'lineno', 'end_lineno',

# 'col_offset' and 'end_col_offset'. This function copies these fields from the

# incoming node:

        finally:

        # All the variables used by the incoming source.

        # Internal names/variables, like the ones from 'gen_tmp_name', don't

        # have to be added.

        # 'used_names' is for example needed by 'RestrictionCapableEval' to

        # know wich names it has to supply when calling the final code.

        # Global counter to construct temporary variable names.

        # 'check_name' ensures that no variable is prefixed with '_'.

        # => Its safe to use '_tmp..' as a temporary variable.

        """Record a security error discovered during transformation."""

            f'Line {lineno}: {info}')

        """Record a security error discovered during transformation."""

            f'Line {lineno}: {info}')

        """

        Converts:

            for x in expr

        to

            for x in _getiter_(expr)

        Also used for

        * list comprehensions

        * dict comprehensions

        * set comprehensions

        * generator expresions

        """

                func=ast.Name('_iter_unpack_sequence_', ast.Load()),

                args=[node.iter, spec, ast.Name('_getiter_', ast.Load())],

                keywords=[])

        else:

                func=ast.Name("_getiter_", ast.Load()),

                args=[node.iter],

                keywords=[])

        """Generate a specification for 'guarded_unpack_sequence'.

        This spec is used to protect sequence unpacking.

        The primary goal of this spec is to tell which elements in a sequence

        are sequences again. These 'child' sequences have to be protected

        again.

        For example there is a sequence like this:

            (a, (b, c), (d, (e, f))) = g

        On a higher level the spec says:

            - There is a sequence of len 3

            - The element at index 1 is a sequence again with len 2

            - The element at index 2 is a sequence again with len 2

              - The element at index 1 in this subsequence is a sequence again

                with len 2

        With this spec 'guarded_unpack_sequence' does something like this for

        protection (len checks are omitted):

            t = list(_getiter_(g))

            t[1] = list(_getiter_(t[1]))

            t[2] = list(_getiter_(t[2]))

            t[2][1] = list(_getiter_(t[2][1]))

            return t

        The 'real' spec for the case above is then:

            spec = {

                'min_len': 3,

                'childs': (

                    (1, {'min_len': 2, 'childs': ()}),

                    (2, {

                            'min_len': 2,

                            'childs': (

                                (1, {'min_len': 2, 'childs': ()})

                            )

                        }

                    )

                )

            }

        So finally the assignment above is converted into:

            (a, (b, c), (d, (e, f))) = guarded_unpack_sequence(g, spec)

        """

        # starred elements in a sequence do not contribute into the min_len.

        # For example a, b, *c = g

        # g must have at least 2 elements, not 3. 'c' is empyt if g has only 2.

            # After a starred element specify the child index from the back.

            # Since it is unknown how many elements from the sequence are

            # consumed by the starred element.

            # For example a, *b, (c, d) = g

            # Then (c, d) has the index '-1'

            func=ast.Name('_unpack_sequence_', ast.Load()),

            args=[value, spec, ast.Name('_getiter_', ast.Load())],

            keywords=[])

        """Helper function to protect tuple unpacks.

        node: used to copy the locations for the new nodes.

        target: is the tuple which must be protected.

        It returns a tuple with two element.

        Element 1: Is a temporary name node which must be used to

                   replace the target.

                   The context (store, param) is defined

                   by the 'ctx' parameter..

        Element 2: Is a try .. finally where the body performs the

                   protected tuple unpack of the temporary variable

                   into the original target.

        """

        # Generate a tmp name to replace the tuple with.

        # Generates an expressions which protects the unpack.

        # converter looks like 'wrapper(tmp_name)'.

        # 'wrapper' takes care to protect sequence unpacking with _getiter_.

            target,

            ast.Name(tmp_name, ast.Load()))

        # Assign the expression to the original names.

        # Cleanup the temporary variable.

        # Generates:

        # try:

        #     # converter is 'wrapper(tmp_name)'

        #     arg = converter

        # finally:

        #     del tmp_arg

            body=try_body, finalbody=finalbody, handlers=[], orelse=[])

        # This node is used to catch the tuple in a tmp variable.

        """Transform slices into function parameters.

        ast.Slice nodes are only allowed within a ast.Subscript node.

        To use a slice as an argument of ast.Call it has to be converted.

        Conversion is done by calling the 'slice' function from builtins

        """

            # Python 3.9+

            # Create a python slice object.

            else:

            else:

            else:

                func=ast.Name('slice', ast.Load()),

                args=args,

                keywords=[])

        else:  # pragma: no cover

            # Index, Slice and ExtSlice are only defined Slice types.

            raise NotImplementedError(f"Unknown slice type: {slice_}")

        """Check names if they are allowed.

        If ``allow_magic_methods is True`` names in `ALLOWED_FUNC_NAMES`

        are additionally allowed although their names start with `_`.

        """

                and name != '_'

                and not (allow_magic_methods

                         and name in ALLOWED_FUNC_NAMES

                         and node.col_offset != 0)):

                node,

                '"{name}" is an invalid variable name because it '

                'starts with "_"'.format(name=name))

                       'it ends with "__roles__".' % name)

        """Check the names being imported.

        This is a protection against rebinding dunder names like

        _getitem_, _write_ via imports.

        => 'from _a import x' is ok, because '_a' is not added to the scope.

        """

            # Add '_print = _print_(_getattr_)' add the top of a

            # function/module.

                targets=[ast.Name('_print', ast.Store())],

                value=ast.Call(

                    func=ast.Name("_print_", ast.Load()),

                    args=[ast.Name("_getattr_", ast.Load())],

                    keywords=[]))

            else:

    # Special Functions for an ast.NodeTransformer

        """Reject ast nodes which do not have a corresponding `visit_` method.

        This is needed to prevent new ast nodes from new Python versions to be

        trusted before any security review.

        To access `generic_visit` on the super class use `node_contents_visit`.

        """

            node,

            '{0.__class__.__name__}'

            ' statement is not known to RestrictedPython'.format(node)

        )

            node,

            f'{node.__class__.__name__} statements are not allowed.')

        """Visit the contents of a node."""

    # ast for Literals

        """Allow constant literals with restriction for Ellipsis.

        Constant replaces Num, Str, Bytes, NameConstant and Ellipsis in

        Python 3.8+.

        :see: https://docs.python.org/dev/whatsnew/3.8.html#deprecated

        """

            # Deny using `...`.

            # Special handling necessary as ``self.not_allowed(node)``

            # would return the Error Message:

            # 'Constant statements are not allowed.'

            # which is only partial true.

        """Allow single mode without restrictions."""

        """Allow list literals without restrictions."""

        """Allow tuple literals without restrictions."""

        """Allow set literals without restrictions."""

        """Allow dict literals without restrictions."""

        """Allow f-strings without restrictions."""

        """Template strings are allowed by default.

        As Template strings are a very basic template mechanism, that needs

        additional rendering logic to be useful, they are not blocked by

        default.

        Those rendering logic would be affected by RestrictedPython as well.

        """

            node,

            'TemplateStr statements are not yet allowed, '

            'please use f-strings or a real template engine instead.')

        # self.not_allowed(node)

        """Interpolations are allowed by default.

        As Interpolations are part of Template Strings, they are needed

        to be reached in the context of RestrictedPython as Template Strings

        are allowed. As a user has to provide additional rendering logic

        to make use of Template Strings, the security implications of

        Interpolations are limited in the context of RestrictedPython.

        """

        # self.not_allowed(node)

        """Allow joined string without restrictions."""

    # ast for Variables

        """Prevents access to protected names.

        Converts use of the name 'printed' to this expression: '_print()'

        """

                    func=ast.Name("_print", ast.Load()),

                    args=[],

                    keywords=[])

                    value=ast.Name('_print', ast.Load()),

                    attr="_call_print",

                    ctx=ast.Load())

        """

        """

        """

        """

        """

        """

        """

        """

    # Expressions

        """Allow Expression statements without restrictions.

        They are in the AST when using the `eval` compile mode.

        """

        """Allow Expr statements (any expression) without restrictions."""

        """

        UnaryOp (Unary Operations) is the overall element for:

        * Not --> which should be allowed

        * UAdd --> Positive notation of variables (e.g. +var)

        * USub --> Negative notation of variables (e.g. -var)

        """

        """Allow positive notation of variables. (e.g. +var)"""

        """Allow negative notation of variables. (e.g. -var)"""

        """Allow the `not` operator."""

        """Allow `~` expressions."""

        """Allow binary operations."""

        """Allow `+` expressions."""

        """Allow `-` expressions."""

        """Allow `*` expressions."""

        """Allow `/` expressions."""

        """Allow `//` expressions."""

        """Allow `%` expressions."""

        """Allow `**` expressions."""

        """Allow `<<` expressions."""

        """Allow `>>` expressions."""

        """Allow `|` expressions."""

        """Allow `^` expressions."""

        """Allow `&` expressions."""

        """Allow multiplication (`@`)."""

        """Allow bool operator without restrictions."""

        """Allow bool operator `and` without restrictions."""

        """Allow bool operator `or` without restrictions."""

        """Allow comparison expressions without restrictions."""

        """Allow == expressions."""

        """Allow != expressions."""

        """Allow < expressions."""

        """Allow <= expressions."""

        """Allow > expressions."""

        """Allow >= expressions."""

        """Allow `is` expressions."""

        """Allow `is not` expressions."""

        """Allow `in` expressions."""

        """Allow `not in` expressions."""

        """Checks calls with '*args' and '**kwargs'.

        Note: The following happens only if '*args' or '**kwargs' is used.

        Transfroms 'foo(<all the possible ways of args>)' into

        _apply_(foo, <all the possible ways for args>)

        The thing is that '_apply_' has only '*args', '**kwargs', so it gets

        Python to collapse all the myriad ways to call functions

        into one manageable from.

        From there, '_apply_()' wraps args and kws in guarded accessors,

        then calls the function, returning the value.

        """

        """

        """

        """Allow `if` expressions without restrictions."""

        """Checks and mutates attribute access/assignment.