2~hzJddlZddlZddlmZGddejZy)N) OrderedDictceZdZdZej ej ejejejejejejejejejej ej"ej$fZdZdZdZdZedZdZdZdZdZfd Zd Zd Z d Z!xZ"S) SampleCodeValidatora Class that checks if a string is a valid and "safe" Python expression What is considered "safe" for this class is limited to the context of generating provider method sample code and output for documentation purposes. The end goal is to pass a command string to `eval()` should the string pass the validation performed by this class. The main assumption this class will make is that the command string passed during class instantiation will always be in the form "{generator}.{method}({arguments})". In said form, {generator} is a `Generator` object variable that already exists within the scope where `eval()` will be called, {method} will be the provider method name which is also available within the `eval()` scope, and {arguments} will be sample arguments parsed from docstrings. This means that {arguments} can potentially be used as a vector for code injection. In order to neuter the impact of code injection, the following validation steps will be applied: - The command string is parsed using 'eval' mode, meaning expressions only. - The command string can only have whitelisted code elements. See `_whitelisted_nodes`. - The command string can only have one instance of variable access. - The command string can only have one instance of attribute access. - The command string can only have one instance of a function/method call. - The argument values in the command string can only be literals. - The only literals allowed are numbers (integers, floats, or complex numbers), strings (but not f-strings), bytes, lists, tuples, sets, dictionaries, True, False, and None. There is, however, an exception. In order to accommodate sample code with custom probability distribution, variable access to `OrderedDict` will not count against the maximum limit of variable access, and invoking `OrderedDict` constructor calls will not count against the maximum limit of function/method calls. In order to neuter the impact of code injection, please ensure that `OrderedDict` refers to the standard library's `collections.OrderedDict` within the `eval()` scope before passing the command string to `eval()` for execution. This can be done in code review. c$t|_d|_d|_d|_||_ t j|d|_|jy#ttf$r&|jtjYywxYw)Nreval)mode)set_errors_function_call_count_attribute_access_count_variable_access_count_commandastparse_tree _validate SyntaxError ValueError _log_error traceback format_exc)selfcommands _/var/www/peopleoo.sandbox-dev.co.uk/venv/lib/python3.12/site-packages/faker/sphinx/validator.py__init__zSampleCodeValidator.__init__Esxu $%!'($&'#  78DJ NN Z( 4 OOI002 3 4sA2BBc|jSN)r rs rerrorszSampleCodeValidator.errorsSs ||c.t||jSr) isinstance_whitelisted_nodes)rnodes r_is_whitelistedz#SampleCodeValidator._is_whitelistedWs$ 7 788r!c:|jj|yr)r add)rmsgs rrzSampleCodeValidator._log_errorZs r!c:|j|jyr)visitrrs rrzSampleCodeValidator._validate]s 4::r!cd}t|tjr|j|j}|St|tj r|j tjk(rd}|S)NFT) r#rCall_is_node_using_ordereddictfuncNameidr__name__)rr%is_valids rr.z.SampleCodeValidator._is_node_using_ordereddict`s] dCHH %66tyyAH chh 'DGG{7K7K,KHr!c|j|s*d|jjz}|j|t||S)Nz!Code element `%s` is not allowed.)r& __class__r2rsuperr+)rr%r)r5s rr+zSampleCodeValidator.visitms@##D)58O8OOC OOC w}T""r!c|j|sB|j|jkr|xjdz c_nd}|j||j |y)Nrz9There can only be one instance of a function/method call.)r.r _max_function_call_countr generic_visitrr%r)s r visit_CallzSampleCodeValidator.visit_CallusV..t4((4+H+HH))Q.)Q$ 4 r!c|j|jkr|xjdz c_nd}|j||j|y)Nrz3There can only be one instance of attribute access.)r _max_attribute_access_countrr9r:s rvisit_Attributez#SampleCodeValidator.visit_AttributesH  ' '$*J*J J  ( (A - (GC OOC  4 r!c|j|sB|j|jkr|xjdz c_nd}|j||j |y)Nrz2There can only be one instance of variable access.)r.r_max_variable_access_countrr9r:s r visit_NamezSampleCodeValidator.visit_NamesV..t4**T-L-LL++q0+J$ 4 r!)#r2 __module__ __qualname____doc__r Expressionr- Attributer0LoadkeywordNumStrBytesListTupleSetDict NameConstantr$r8r=r@rpropertyr r&rrr.r+r;r>rA __classcell__)r5s@rrrs$P              !& !"#!" 9 # ! ! !r!r)rr collectionsr NodeVisitorrr!rrVs  #O!#//O!r!